Subject: RE: PKCS11 and server.xml
From: "Christophe Pierret"
To: "Tomcat Developers List" <dev@tomcat.apache.org>
Date: Sun, 16 Dec 2007 21:15:16 +0100
Message-ID: <405A8DA9BECB2940B758D3521DFCF6C03399FA@sparus-exchange.ad.sparus.fr>
In-Reply-To: <8c50dabf0712120553id521ac5xb88fae906bf0d54@mail.gmail.com>

Luis,

If you want to maximize your chances of getting your patch into the Tomcat codebase, the usual method is:

1) Submit an issue to Tomcat Bugzilla
2) Develop and test a patch that fixes the issue you submitted
3) Submit the patch against your version to Bugzilla (and also submit a version of your patch against trunk; it is easier to integrate)
4) Ensure that committers see your patch is available

Regards,
Christophe

-----Original Message-----
From: Luis Villa [mailto:lvillap@gmail.com]
Sent: Wednesday, 12 December 2007 14:54
To: dev@tomcat.apache.org
Subject: PKCS11 and server.xml

Hello all,

I posted a question in the user forum asking about a way to avoid one problem derived from using an XML file for the configuration of the server. Somehow it may not be the place to post it, because it is based more on the development of the server (it may be an issue) than on the configuration of it. The question was the following:

"In order to secure communications between a browser and the web server I'm using Tomcat with an SSL connector. This connector takes the server certificate from a smartcard (so I'm using a PKCS11 keystore type). The problem is that, as I'm accessing it in Windows, I have to link it to a DLL file, and this causes trouble. I have found a little but really annoying one. When accessing the smartcard, Java can take all keys, but then the alias name is not, for example, "tomcat" but "tomcat\0" (where \0 is the char 0). I suppose this is because the DLL uses pchar or something like this. So, when I configure Tomcat to use keyalias="tomcat", it cannot find it (internally, what the keystore contains is "tomcat\0"). I'm forced to not specify a keyalias, so it uses the first one in the card. But I cannot be sure the first one is the one Tomcat has to use (it is possible someone is going to import more certificates into the card in the future). Is there a way to avoid the \0 problem? (XML does not allow this character to be specified.)"

I've been reading the code of Tomcat 5.5.25, and I've found in class JSSE14SocketFactory (line 110) what I think is the code used to access the key with the alias specified. What I propose is one of the following:

1.- Allow a mask in the attribute value (like \0, \1, \2...) to specify special characters (these substrings would be replaced in the code that reads the attribute).
2.- Allow access to a key by its position in the keystore.

In the project I'm working on just now, I need something like this urgently, so I'll have to do it myself, but I will not be able to update Tomcat without studying and applying this patch again. I leave to your consideration the possibility of implementing this (I think it is simple enough not to generate a lot of work) in future versions.

Thank you all :)
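The alias problem Luis describes and his first proposal (a `\N` mask in the attribute value), as an added example that is not part of this thread and not Tomcat's own code: a small Java resolver that decodes the proposed mask and then matches the configured `keyalias` against the aliases a keystore actually reports, tolerating a trailing NUL but refusing to guess when more than one alias fits. The mask syntax (backslash followed by decimal digits, `\\` for a literal backslash) is my own reading of the proposal, and the alias list in `main` is constructed to imitate what the PKCS#11 provider returned in the report above. Note that XML 1.0 forbids U+0000 entirely, even as a character reference, so the only way to get a NUL into an attribute value is an application-level escape like the one proposed.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example, not Tomcat code: resolve a configured keyalias against keystore aliases. */
public class KeyAliasResolver {

    /**
     * Decode the proposed mask (assumed syntax): a backslash followed by decimal
     * digits becomes the character with that code, "\\" becomes a backslash,
     * anything else is copied through unchanged.
     */
    public static String decodeMask(String value) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < value.length()) {
            char c = value.charAt(i);
            if (c != '\\' || i + 1 == value.length()) { out.append(c); i++; continue; }
            if (value.charAt(i + 1) == '\\') { out.append('\\'); i += 2; continue; }
            int j = i + 1;                       // scan at most 5 digits after the backslash
            while (j < value.length() && j - i <= 5 && Character.isDigit(value.charAt(j))) j++;
            int code = (j == i + 1) ? -1 : Integer.parseInt(value.substring(i + 1, j));
            if (code < 0 || code > Character.MAX_VALUE) { out.append(c); i++; continue; }
            out.append((char) code);
            i = j;
        }
        return out.toString();
    }

    /** Strip the trailing NUL padding that a C-string based PKCS#11 DLL may leave on an alias. */
    static String stripTrailingNul(String alias) {
        int end = alias.length();
        while (end > 0 && alias.charAt(end - 1) == '\0') end--;
        return alias.substring(0, end);
    }

    /**
     * Resolve the configured alias: exact match first (after mask decoding), then a
     * match ignoring trailing NULs. Zero or several candidates is an error, so the
     * server never silently falls back to "the first key on the card".
     */
    public static String resolve(List<String> aliases, String configured) {
        String wanted = decodeMask(configured);
        if (aliases.contains(wanted)) return wanted;
        List<String> candidates = new ArrayList<>();
        for (String a : aliases) {
            if (stripTrailingNul(a).equals(stripTrailingNul(wanted))) candidates.add(a);
        }
        if (candidates.size() == 1) return candidates.get(0);
        if (candidates.isEmpty()) {
            throw new IllegalArgumentException("no key with alias " + show(wanted));
        }
        StringBuilder msg = new StringBuilder("ambiguous alias " + show(wanted) + ":");
        for (String c : candidates) msg.append(' ').append(show(c));
        throw new IllegalArgumentException(msg.toString());
    }

    /** Same resolution against a real KeyStore (PKCS11 or otherwise). */
    public static String resolve(KeyStore ks, String configured) throws KeyStoreException {
        return resolve(Collections.list(ks.aliases()), configured);
    }

    /** Render an alias with control characters made visible, so a log line shows the hidden NUL. */
    static String show(String s) {
        StringBuilder b = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f) b.append(String.format("\\x%02x", (int) c));
            else b.append(c);
        }
        return b.append('"').toString();
    }

    public static void main(String[] args) {
        // Constructed alias list imitating the smartcard as the PKCS#11 provider reports it.
        List<String> onCard = Arrays.asList("tomcat\0", "backup\0");
        System.out.println(show(resolve(onCard, "tomcat")));     // matches despite the NUL
        System.out.println(show(resolve(onCard, "tomcat\\0")));  // same key, via the proposed mask
        // When both forms exist, the exact alias wins and nothing is guessed.
        System.out.println(show(resolve(Arrays.asList("tomcat", "tomcat\0"), "tomcat")));
        try {
            resolve(onCard, "missing");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `show` helper is the part worth keeping even if the mask proposal is not adopted: logging the alias list with control characters escaped turns "cannot find key" into a diagnosis in one look, and the refusal to proceed on an ambiguous or missing alias is what prevents the wrong certificate from being served after someone adds more keys to the card.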