The PicketLink KeyStoreKeyManager class contains this code:
    public void setAuthProperties(List<AuthPropertyType> authList) throws TrustKeyConfigurationException,
            TrustKeyProcessingException
    {
        for (AuthPropertyType auth : authList)
        {
            this.authPropsMap.put(auth.getKey(), auth.getValue());
        }
        this.keyStoreURL = this.authPropsMap.get(KEYSTORE_URL);
        this.keyStorePass = this.authPropsMap.get(KEYSTORE_PASS);
        this.signingAlias = this.authPropsMap.get(SIGNING_KEY_ALIAS);
        String keypass = this.authPropsMap.get(SIGNING_KEY_PASS);
        // A missing or empty signing key password is treated as a hard error here
        if (keypass == null || keypass.length() == 0)
            throw new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS);
        this.signingKeyPass = keypass.toCharArray();
    }
I'm not sure the lines in bold are correct. It is enforcing a password on an alias within the keystore, but the alias password can be the password of the keystore, and I note:
    publicKey = null;
    try
    {
        // First attempt: the key entry is protected by the keystore password
        publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.keyStorePass.toCharArray());
    }
    catch (UnrecoverableKeyException urke)
    {
        // Try with the signing key pass
        publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.signingKeyPass);
    }
This suggests that the signingKeyPass is optional. Perhaps that exception can be removed for clarity?
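To illustrate the point about key-entry passwords, here is an added, self-contained example (not PicketLink code): a loadKey helper that tries the keystore password first and only then an optional signing-key password, exercised against an in-memory PKCS12 store with one entry protected by the store password and one by a separate password. The helper name, aliases and passwords are constructed for the example.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyPassFallbackDemo {

    // Resolve a key entry the way the fallback in the post does: the keystore
    // password is tried first; the signing-key password is optional and is only
    // used when the first attempt fails. Returns null if neither opens the entry.
    static Key loadKey(KeyStore ks, String alias, char[] storePass, char[] signingKeyPass)
            throws GeneralSecurityException {
        try {
            return ks.getKey(alias, storePass);
        } catch (UnrecoverableKeyException storePassRejected) {
            if (signingKeyPass == null || signingKeyPass.length == 0) {
                return null; // no separate signing-key password configured
            }
            try {
                return ks.getKey(alias, signingKeyPass);
            } catch (UnrecoverableKeyException signingPassRejected) {
                return null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "store-pass".toCharArray();   // constructed sample value
        char[] keyPass = "separate-key-pass".toCharArray(); // constructed sample value

        // Fresh in-memory PKCS12 keystore; PKCS12 supports SecretKeyEntry since Java 8
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey k = KeyGenerator.getInstance("AES").generateKey();
        // Entry whose password equals the keystore password
        ks.setEntry("sameAsStore", new KeyStore.SecretKeyEntry(k),
                new KeyStore.PasswordProtection(storePass));
        // Entry protected by its own password
        ks.setEntry("ownPassword", new KeyStore.SecretKeyEntry(k),
                new KeyStore.PasswordProtection(keyPass));

        System.out.println("sameAsStore, no signing pass:  "
                + (loadKey(ks, "sameAsStore", storePass, null) != null));
        System.out.println("ownPassword, no signing pass:  "
                + (loadKey(ks, "ownPassword", storePass, null) != null));
        System.out.println("ownPassword, with signing pass: "
                + (loadKey(ks, "ownPassword", storePass, keyPass) != null));
    }
}
```

The first and third lookups succeed while the second fails, which is the behaviour a configuration without SIGNING_KEY_PASS would get if the RuntimeException were dropped: entries keyed with the store password still load, and only entries with their own password need the extra setting.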