RE: Bug in AbstractCrypto; hardcoded loading of default java truststore

Tue, 02 Dec 2008 04:49:24 -0800 

The patch in clear-text.

Index: src/org/apache/ws/security/components/crypto/AbstractCrypto.java
===================================================================
--- src/org/apache/ws/security/components/crypto/AbstractCrypto.java
(revision 721680)
+++ src/org/apache/ws/security/components/crypto/AbstractCrypto.java    Tue Dec
02 12:44:50 CET 2008
@@ -102,20 +102,47 @@
             is.close();
         }
 
+        loadCacerts(properties);
+    }
+
-        /**
+    /**
-         * Load cacerts
+     * Load cacerts from either overridden truststore or from default
location. Will look up properties
+     * <code>javax.net.ssl.trustStore</code> and
<code>javax.net.ssl.trustStorePassword</code> and use those values if
+     * found.
+     *
+     * @param properties used to hold the possible overrides given from the
WSS4J crypto configuration
+     *
+     * @throws java.io.IOException if the cacerts path is not found, or if
there is problems closing the inputstream
+     * @throws CredentialException for any error when loading the keystore
-         */
+     */
-        String cacertsPath = System.getProperty("java.home") +
"/lib/security/cacerts";
+    protected void loadCacerts(final Properties properties)
+            throws CredentialException, IOException {
+
+
+        String cacertsPath = resolveCacertsPath();
+        String cacertsPasswd = resolveCacertsPasswd(properties);
         InputStream cacertsIs = new FileInputStream(cacertsPath);
         try {
-            String cacertsPasswd =
properties.getProperty("org.apache.ws.security.crypto.merlin.cacerts.password",
"changeit");
             this.cacerts = load(cacertsIs, cacertsPasswd, null,
KeyStore.getDefaultType());
         } finally {
             cacertsIs.close();
         }
     }
 
+    protected String resolveCacertsPasswd(Properties properties) {
+        final String defaultCacertsPasswd =
+               
properties.getProperty("org.apache.ws.security.crypto.merlin.cacerts.password",
"changeit");
 
+        return System.getProperty("javax.net.ssl.trustStorePassword",
defaultCacertsPasswd);
+    }
+
+    protected String resolveCacertsPath() {
+        final String systemDefaultCacertsPath =
System.getProperty("java.home") + "/lib/security/cacerts";
+        final String defaultCacertsPath =
+               
properties.getProperty("org.apache.ws.security.crypto.merlin.cacerts",
systemDefaultCacertsPath);
+
+        return System.getProperty("javax.net.ssl.trustStore",
defaultCacertsPath);
+    }
     /**
      * Loads the the keystore from an <code>InputStream </code>.
      * <p/>


-----
-- 
 Olve Hansen 
-- 
View this message in context: 
http://www.nabble.com/Bug-in-AbstractCrypto--hardcoded-loading-of-default-java-truststore-tp20739755p20791450.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to