tomcat-dev mailing list archives

From "Luis Villa" <lvil...@gmail.com>
Subject PKCS11 and server.xml
Date Wed, 12 Dec 2007 13:53:47 GMT
Hello all,

I posted a question in the user forum asking about a way to avoid one
problem derived from using an XML for the configuration of the server.
Somehow it may not be the place to post it, because it is more based on the
development of the server (may be an issue) than the configuration of it.
The question was the following:

"In order to secure communications between a browser and the web server I'm
using tomcat with an SSL connector. This connector takes the server
certificate from a Smartcard (so I'm using a PKCS11 keystore type). The
problem is that, as I'm accessing it in Windows, I have to link it to a dll
file, and this causes trouble. I have found a little but really annoying
one. When accessing the Smartcard, java can take all keys, but then the alias
name is not, for example, "tomcat" but "tomcat\0" (where \0 is the char 0).
I suppose this is because the dll uses pchar or something like this.

So, when I configure Tomcat to use keyalias="tomcat", it cannot find it
(internally, what the keystore contains is "tomcat\0"). I'm forced to not
specify a keyalias so it uses the first one in the card. But I cannot assure
the first one is the one tomcat has to use (it is possible someone is going
to import more certificates in the card in the future).

Is there a way to avoid the \0 problem? (XML does not allow specifying this
character)"

I've been reading the code of Tomcat 5.5.25, and I've found in class
JSSE14SocketFactory (line 110) what I think is the code used to access the
key with the alias specified. What I propose is one of the following:

1.- Allow a mask in the attribute value (like \0, \1, \2...) to specify
special characters (these substrings would be replaced in the code that reads
the attribute).
2.- Allow the access to a key by its position in the keystore.

In the project I'm working on just now, I need something like this urgently, so
I'll have to do it myself, but I will not be able to update Tomcat without
studying and applying this patch again. I leave to your consideration the
possibility of implementing this (I think it is simple enough to not
generate a lot of work) in future versions.

Thank you all :)
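The alias lookup the message asks for, modelled as an added Python example (not Tomcat's code): it decodes the proposed \N masks, tolerates the trailing NUL the DLL leaks into alias names, supports lookup by position, and refuses to silently fall back to the first card entry. The alias list and function names are constructed for illustration; `\N` is assumed to mean the character with decimal code N.

```python
import re

# Constructed: aliases as a PKCS11 provider on Windows might enumerate them,
# each carrying the trailing NUL described in the message.
CARD_ALIASES = ["other\0", "tomcat\0", "backup\0"]

_MASK = re.compile(r"\\(\d{1,3})")  # \0, \1, \2 ... masks in the attribute value


def unescape_mask(value: str) -> str:
    """Proposal 1: replace each \\N mask with the character whose code is N."""
    return _MASK.sub(lambda m: chr(int(m.group(1))), value)


def normalize_alias(alias: str) -> str:
    """Drop trailing NULs introduced by a C-string (pchar) boundary."""
    return alias.rstrip("\0")


def select_alias(configured, aliases, position=None):
    """Return the keystore alias to use for the SSL connector.

    configured: the keyalias attribute from server.xml (may contain \\N masks)
    aliases:    alias names as enumerated from the keystore
    position:   proposal 2, a 0-based index into the enumeration order

    Raises LookupError instead of guessing: the message notes the first card
    entry can change once more certificates are imported.
    """
    if position is not None:
        if not 0 <= position < len(aliases):
            raise LookupError("keyalias position %d out of range" % position)
        return aliases[position]
    if configured is None:
        raise LookupError("no keyalias configured; refusing to use the first key")
    wanted = unescape_mask(configured)
    # Exact match first (covers a literal NUL supplied via the \0 mask).
    exact = [a for a in aliases if a == wanted]
    if exact:
        return exact[0]
    # Otherwise compare with trailing NULs stripped on both sides.
    fuzzy = [a for a in aliases if normalize_alias(a) == normalize_alias(wanted)]
    if len(fuzzy) == 1:
        return fuzzy[0]
    if fuzzy:
        raise LookupError("keyalias %r is ambiguous: %r" % (configured, fuzzy))
    raise LookupError("keyalias %r not found in keystore" % configured)


if __name__ == "__main__":
    print(repr(select_alias("tomcat", CARD_ALIASES)))      # 'tomcat\x00'
    print(repr(select_alias("tomcat\\0", CARD_ALIASES)))   # 'tomcat\x00'
    print(repr(select_alias(None, CARD_ALIASES, position=1)))
```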
