Hello. I've been very busy these last weeks therefore I haven't been able to start implementing my patch until now. I made the changes recommended (for which I thank you a lot) but I have come up to a new problem. I'm not sure of the scale of the problem, because I'm not sure if I have configured the SSLSocket correctly (mostly because of my quite limited knowledge on SSL security). I'll tell you what the problem is and lets hope you know where I should be aiming to solve it:
First of all I created a CustomKeystoreManager and a CustomKeystoreInstance class. Then, in the HttpEndpoint I instantiate them in the getKeystoreManager() method. They seem to work fine until the SSLSocketFactory is created, because when it sends the message, a HandshakeException is thrown. Debugging I have seen that the CustomKeystoreInstance.getCertificate(String alias) method is never called, so obviously, without the Certificate, the message exchange is never going to work. After that, I undid all my changes to see where a normal message exchange using a file certificate (*.p12 and *.jks) calls the FileKeystoreInstance.getCertificate(String alias) method, but it doesn't seem to do it! So my idea of implementing a new getCertificate() method looks like it would not work. Do you have any idea when and where the Certificates are read (i.e the call to getCertificate() or getCertificateChain())? Should I be doing something with the certificate before initializing the SSLContext in the CustomKeystoreManager.createSSLServerFactory method? Please help. this problem is blocking my progress in my project. Thanks in advance. Sebastian Gomez. On Thu, Jan 24, 2008 at 1:15 AM, Guillaume Nodet <[EMAIL PROTECTED]> wrote: > On Jan 23, 2008 6:42 PM, Sebastian Gomez <[EMAIL PROTECTED]> wrote: > > > Hello again. > > > > First of all, thanks a lot for helping me resolve this problem I've > > encountered. > > > > I've been trying to locate the part of the code where I should start > > implementing my patch but I haven't decided yet. I agree with you on > > modifying the getKeystoreManager() method from HttpEndpoint, but I think > I > > should rewrite the method instead of overriding it (I understand > > overriding > > would mean creating a new class extending HttpEndpoint). Do you think my > > assumption is correct or do you really think I should create a new > class? > > > Rewriting is the way to go > > > > > > > I've thought on the idea of adding a KeystoreManager field to the > > HttpEndpoint. My idea would be to add a new sslParameter in the > > xbean.xmlfile, but that would mean modifying the > > servicemix-http.xsd wouldn't it? Would it be a problem? Doing this would > > allow me to do something like "if (this.getSsl().getKeyStoreManager() == > > null)" in the getKeystoreManager() method. Returning "true" would mean > the > > parameter has not been specified, so I would let the HttpComponent be > > initialized as it has been done until now, but returning "false" would > > mean creating and returning a new instance of the specified > > KeystoreManager. > > Does this make sense to you, or am I missing something out? > > > Yeah, definitely. The servicemix-http schema is generated automatically > from the > java source code, so adding a getter to the SslParams class will do the > trick. > > > > > > > > Best regards. > > > > Sebastian Gomez. > > > > > > > > > > On Jan 21, 2008 8:30 PM, Guillaume Nodet <[EMAIL PROTECTED]> wrote: > > > > > I think the easiest way would be to add a KeystoreManager field on the > > > HttpEndpoint and override > > > the getKeystoreManager() method from HttpEndpoint [1]. > > > It doesn't seem you actually need to work with the HttpComponent or > > > HttpConfiguration directly. > > > > > > FYI, the defaut KeystoreManager is retrieved from the HttpComponent in > > the > > > doInit() method [2]. > > > > > > Hopes this helps, > > > > > > [1] > > > > > > > > > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpEndpoint.java?revision=602826&view=markup > > > [2] > > > > > > > > > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpComponent.java?revision=602826&view=markup > > > > > > On Jan 21, 2008 8:11 PM, Sebas Gomez <[EMAIL PROTECTED]> wrote: > > > > > > > Hi. > > > > > > > > I have decided to create the patch to configure the KeyStoreInstance > > > > directly on the endpoint, and I would be willing to share it, but I > > > think > > > > I > > > > will need a little orientation. I've been trying to trace > > > > the initialization of the http-component, but I haven't been able to > > > find > > > > where the KeystoreInstance is created. Would it be possible for you > to > > > > point > > > > me out where it is done? > > > > > > > > Thank you. > > > > On Jan 21, 2008 4:45 PM, Guillaume Nodet <[EMAIL PROTECTED]> wrote: > > > > > > > > > Implementing a KeyStoreInstance manager is the way to go. > > > > > Currently, the only way to configure it is to go to the JMX mbean > > > > > associated > > > > > with the servicemix-http component and change the > > keystoreManagerName > > > to > > > > a > > > > > new entry in the JNDI tree where you would put your own > > > implementation. > > > > > You'd also have to register it in the conf/jndi.xml configuration > > > file. > > > > > This is not very easy, so if you're fancy providing a patch to > > > configure > > > > > it > > > > > on the endpoint directly, i'd be happy to apply it. > > > > > > > > > > On Jan 18, 2008 2:31 PM, Sebas Gomez <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > Hi. > > > > > > > > > > > > Thanks for the quick answer. > > > > > > > > > > > > I only retieve the certificate from the card, nothing else. I > > think > > > > the > > > > > > easiest way of getting the certificate would be implementing a > > > custom > > > > > > KeyStoreInstance but I can't find the place in the configuration > > of > > > > the > > > > > > servicemix-http component where to tell ServiceMix to use it. I > > > > suppose > > > > > it > > > > > > should be in one of the sslParameters, but I don't know which > one. > > > > > > > > > > > > The other possibility would be to subclass the servicemix-http, > > but > > > I > > > > > > think > > > > > > the easy solution would be the one explained on the paragraph > > above. > > > > > > > > > > > > Would it be possible to implement my custom KeystoreInstance or > > > should > > > > I > > > > > > be > > > > > > thinking of subclassing the component? > > > > > > > > > > > > Best regards. > > > > > > > > > > > > Sebastian Gomez > > > > > > > > > > > > On Jan 18, 2008 1:24 PM, Guillaume Nodet <[EMAIL PROTECTED]> > wrote: > > > > > > > > > > > > > I'm not aware of anything done on this subject. > > > > > > > What kind of data do you retrieve from the smartcard and how ? > > > > > > > Do you simply retrieve the certificate ? > > > > > > > servicemix-http uses an abstraction on top of a keystore so > you > > > may > > > > be > > > > > > > able to implement you own that would delegate calls to the > > > smartcard > > > > > > > somehow. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://svn.apache.org/viewvc/servicemix/smx3/trunk/core/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?revision=602826&view=markup > > > > > > > > > > > > > > On Jan 18, 2008 11:07 AM, Sebas Gomez <[EMAIL PROTECTED]> > wrote: > > > > > > > > > > > > > > > Hello. > > > > > > > > > > > > > > > > I need to access a web service secured with WS-Security > using > > a > > > > > Smart > > > > > > > > Card. > > > > > > > > If I had the security certificate in local, I know I could > set > > > the > > > > > > > > http:sslParameters with the path of the keystore and its > > > keystore > > > > > > > > password, > > > > > > > > but this is not the case. > > > > > > > > > > > > > > > > I suppose I will have to extend either servicemix-http or > > > > > > servicemix-cxf > > > > > > > > to > > > > > > > > support reading smart cards, but I don't know if there is an > > > > easier > > > > > > > > workaround. > > > > > > > > > > > > > > > > Is there anything similar already implemented? If not, I > would > > > > > > > appreciate > > > > > > > > any kind of indication as to what would be the best way to > > solve > > > > > this > > > > > > > > problem. > > > > > > > > > > > > > > > > Best regards. > > > > > > > > > > > > > > > > Sebastian Gomez > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Cheers, > > > > > > > Guillaume Nodet > > > > > > > ------------------------ > > > > > > > Blog: http://gnodet.blogspot.com/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Cheers, > > > > > Guillaume Nodet > > > > > ------------------------ > > > > > Blog: http://gnodet.blogspot.com/ > > > > > > > > > > > > > > > > > > > > > -- > > > Cheers, > > > Guillaume Nodet > > > ------------------------ > > > Blog: http://gnodet.blogspot.com/ > > > > > > > > > -- > Cheers, > Guillaume Nodet > ------------------------ > Blog: http://gnodet.blogspot.com/ >
