1 Reply Latest reply on Nov 21, 2011 5:21 PM by magsy

    KeyStoreKeyManager

    magsy

      The PicketLink KeyStoreKeyManager class contains this code:

       

         public void setAuthProperties(List<AuthPropertyType> authList) throws TrustKeyConfigurationException,
               TrustKeyProcessingException
         {
            for (AuthPropertyType auth : authList)
            {
               this.authPropsMap.put(auth.getKey(), auth.getValue());
            }

            this.keyStoreURL = this.authPropsMap.get(KEYSTORE_URL);
            this.keyStorePass = this.authPropsMap.get(KEYSTORE_PASS);

            this.signingAlias = this.authPropsMap.get(SIGNING_KEY_ALIAS);

            // The signing key password is treated as mandatory here: a missing or empty value fails hard
            String keypass = this.authPropsMap.get(SIGNING_KEY_PASS);
            if (keypass == null || keypass.length() == 0)
               throw new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS);
            this.signingKeyPass = keypass.toCharArray();
         }

       

      I'm not sure the lines in bold are correct. It is enforcing a password on an alias within the keystore, but the alias password can be the password of the keystore, and I note:

       

               publicKey = null;
               try
               {
                  publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.keyStorePass.toCharArray());
               }
               catch (UnrecoverableKeyException urke)
               {
                  //Try with the signing key pass
                  publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.signingKeyPass);
               }

       

      This suggests that the signingKeyPass is optional. Perhaps that exception can be removed for clarity?

        • 1. Re: KeyStoreKeyManager
          magsy

          Ignore this post. Further testing reveals the keystore password must be passed if a signing alias password is not set, because of this code:

           

                   return (PrivateKey) ks.getKey(this.signingAlias, this.signingKeyPass);

           

          Maybe if the signing key password is not passed in the configuration, the keystore password should be taken instead?
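The distinction the thread turns on is that a Java KeyStore has a store password and each key entry has its own password, which may or may not equal the store password; KeyStore.getKey(alias, password) only succeeds with the entry's own password. The following is an added example, not PicketLink's code, showing both situations and the fallback the second post proposes (use the keystore password when no signing key password is configured). It assumes a PKCS12 store with AES secret-key entries so that it runs without a certificate chain; PicketLink's case is an RSA private-key entry, but getKey applies the same password rules to both. The alias names, passwords and the loadKey helper are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;

/**
 * Example code added for this thread; not part of PicketLink.
 * Demonstrates store password vs. per-entry key password in java.security.KeyStore.
 */
public class KeyPasswordFallbackDemo {

    /**
     * Hypothetical helper implementing the thread's suggestion: if a signing-key
     * password is configured use it, otherwise fall back to the keystore password.
     * A wrong password surfaces as UnrecoverableKeyException, exactly as ks.getKey() reports it.
     */
    static Key loadKey(KeyStore ks, String alias, char[] keyStorePass, char[] signingKeyPass)
            throws Exception {
        boolean configured = signingKeyPass != null && signingKeyPass.length > 0;
        char[] pass = configured ? signingKeyPass : keyStorePass;
        return ks.getKey(alias, pass);
    }

    /**
     * Builds a constructed in-memory PKCS12 store (sample data, not from the page) with
     * two AES entries: one protected by the store password, one by its own password.
     * The store is round-tripped through bytes to exercise the same load path a keystore URL would.
     */
    static KeyStore buildStore(char[] storePass, char[] separateKeyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);

        // Entry whose password equals the store password ("the alias password can be the password of the keystore")
        ks.setEntry("same-as-store", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(storePass));
        // Entry protected by a distinct key password
        ks.setEntry("own-password", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(separateKeyPass));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);
        return reloaded;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "store-secret".toCharArray(); // constructed sample password
        char[] keyPass = "key-secret".toCharArray();     // constructed sample password
        KeyStore ks = buildStore(storePass, keyPass);

        // Case 1: no signing-key password configured; falling back to the store password works
        Key k1 = loadKey(ks, "same-as-store", storePass, null);
        System.out.println("same-as-store via keystore-password fallback: " + (k1 != null));

        // Case 2: the entry has its own password, so the store password alone is refused...
        try {
            ks.getKey("own-password", storePass);
            System.out.println("unexpected: store password opened own-password");
        } catch (UnrecoverableKeyException e) {
            System.out.println("own-password with store password: UnrecoverableKeyException (expected)");
        }
        // ...while the configured signing-key password succeeds
        Key k2 = loadKey(ks, "own-password", storePass, keyPass);
        System.out.println("own-password via configured signing key pass: " + (k2 != null));
    }
}
```

Run with `java KeyPasswordFallbackDemo.java` (JDK 11 or later). The point for a configuration like PicketLink's: insisting on a separate signing-key password is not wrong in itself, but an empty value should not be a hard failure when the entry is protected by the store password, and a fallback that tries the store password only when no key password is set keeps the two secrets from silently masking a misconfiguration.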