tomcat-dev mailing list archives

From "Christophe Pierret" <>
Subject RE: PKCS11 and server.xml
Date Sun, 16 Dec 2007 20:15:16 GMT
If you want to maximize your chances of getting your patch into the Tomcat codebase, the usual
method is:
1) Submit an issue to Tomcat Bugzilla
2) Develop and test a patch that fixes the issue you submitted
3) Submit the patch against your version to Bugzilla (and also submit a version of your patch
against trunk, it is easier to integrate)
4) Ensure that committers see your patch is available


-----Original Message-----
From: Luis Villa []
Sent: Wednesday, 12 December 2007 14:54
To:
Subject: PKCS11 and server.xml

Hello all,

I posted a question in the user forum asking about a way to avoid one
problem derived from using an XML file for the configuration of the server.
Somehow it may not be the place to post it, because it is more based on the
development of the server (maybe an issue) than the configuration of it.
The question was the following:

"In order to secure communications between a browser and the web server I'm
using tomcat with a SSL connector. This connector takes the server
certificate from a Smartcard (so I'm using a PKCS11 keystore type). The
problem is that, as I'm accessing it in Windows, I have to link it to a dll
file, and this causes trouble. I have found a little but really annoying
one. When accessing the Smartcard, Java can take all keys, but then the alias
name is not, for example, "tomcat" but "tomcat\0" (where \0 is the char 0).
I suppose this is because the dll uses pchar or something like this.

So, when I configure Tomcat to use keyalias="tomcat", it cannot find it
(internally, what the keystore contains is "tomcat\0"). I'm forced to not
specify a keyalias so it uses the first one in the card. But I cannot assure
the first one is the one tomcat has to use (it is possible someone is going
to import more certificates in the card in the future).

Is there a way to avoid the \0 problem? (XML does not allow to specify this

I've been reading the code of Tomcat 5.5.25, and I've found in class
JSSE14SocketFactory (line 110) what I think is the code used to access to
the key with the alias specified. What I propose is one of the following:

1.- Allow a mask in the attribute value (like \0, \1, \2...) to specify
special characters (these substrings would be replaced in the code that reads
the attribute).
2.- Allow the access to a key by its position in the keystore.

In the project I'm working on right now, I need something like this urgently, so
I'll have to do it myself, but I will not be able to update Tomcat without
studying and applying this patch again. I leave to your consideration the
possibility of implementing this (I think it is simple enough to not
generate a lot of work) in future versions.

Thank you all :)
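
An added example, not part of either message and not Tomcat's own code: one way to resolve a configured alias such as "tomcat" when the PKCS11 keystore reports it as "tomcat\0", by matching only after stripping trailing NUL characters and failing instead of falling back to the first key on the card. The class and method names are hypothetical, and the alias list in main is constructed sample data.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class AliasResolver { // hypothetical helper, not a Tomcat class

    // Strip only trailing NUL characters; every other character must match exactly.
    static String stripTrailingNul(String alias) {
        int end = alias.length();
        while (end > 0 && alias.charAt(end - 1) == '\0') end--;
        return alias.substring(0, end);
    }

    // Returns the alias exactly as the keystore spells it, or throws.
    static String resolve(List<String> storeAliases, String configured) {
        if (storeAliases.contains(configured)) return configured; // exact match wins
        List<String> hits = new ArrayList<>();
        for (String a : storeAliases) {
            if (stripTrailingNul(a).equals(configured)) hits.add(a);
        }
        if (hits.size() != 1) {
            // Fail closed: no match or several matches must not pick an arbitrary key.
            throw new IllegalArgumentException(hits.isEmpty()
                ? "no key alias matches '" + configured + "'"
                : "alias '" + configured + "' is ambiguous: " + hits.size() + " candidates");
        }
        return hits.get(0);
    }

    // Same lookup against a loaded keystore (for example type PKCS11), key entries only.
    static String resolve(KeyStore ks, String configured) throws KeyStoreException {
        List<String> keyAliases = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) keyAliases.add(a);
        }
        return resolve(keyAliases, configured);
    }

    public static void main(String[] args) {
        // Constructed sample: aliases as a token might report them, each with a trailing NUL.
        List<String> card = Arrays.asList("backup\0", "tomcat\0", "tomcat-old\0");
        String actual = resolve(card, "tomcat");
        System.out.println(actual.length() + " chars, ends with NUL: " + actual.endsWith("\0"));
    }
}
```

The string returned by resolve is the one to pass to KeyStore.getKey and getCertificateChain, since the keystore only knows the key under its NUL-terminated name.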
