Bug 5888 - Support for other types of KeyStores in GridProxyInit
Status: NEW
Product / Component: CoG jglobus
Version: unspecified
Hardware: All All
Importance: P3 contribution
Target Milestone: ---
Assigned To:
Reported: 2008-02-28 08:39
Modified: 2008-02-28 12:19

Description From 2008-02-28 08:39:10

Currently, GridProxyInit can obtain keys and certificates from PEM files and
PKCS#11 devices.
I've written a patch to add support for other types of KeyStores, in particular
PKCS#12 files directly (which should be more convenient for many users who
don't want to convert their p12 file exported from a browser) and Apple OSX
Keychain (which allows Mac users to use the certificate from the Keychain).

I'd like to contribute it to the CoG-jGlobus project.

Best wishes,

------- Comment #1 From 2008-02-28 09:02:31 -------
(Since this bugzilla doesn't allow attaching patches, I've just sent the patch
by e-mail to the assignee.)

Some of the classes are under uk.ac.manchester, but we'd be happy to see them
integrated in org.globus. Please note that some of the class names are
hard-coded in the code, as was the case before the patch, so you would need
to update a couple of lines in org.globus.tools.proxy.GridProxyInit (only in
the KEYSTORE_MODELS array).
------- Comment #2 From 2008-02-28 12:19:06 -------
By the way, I forgot to mention that the 'alias' selection doesn't work on the
Apple Keychain KeyStore: whatever you specify, it will always take the first
(and only) private key it finds, so if you have more than one private key
(associated with an X509 certificate) in your Keychain, it might not pick the one
you expect.
This is due to the Apple KeychainStore behaviour (provided by Apple in their
JVM). I reported it to Apple about 6 months ago, but I've had no news since.
Anyway, this should be useful to most Mac users who store only one certificate
in their Keychain.
The 'alias' selection should work with PKCS#12 files, although I haven't
extensively tried it. Again, by default (if the alias text-field is left
empty), it takes the first private key it finds in the p12 file.
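As an added illustration of the alias behaviour described in this report (this is example code, not part of the contributed patch or of jGlobus): a small Java tool that loads a KeyStore of a given type, lists the aliases that carry a private key, and resolves which one would be used: the requested alias if it names a private key, otherwise the first private key found. Unlike a silent fallback, it reports when that fallback is ambiguous, which is exactly the case where a user with several certificates can end up with the wrong one. The class and method names are made up for the example; it assumes the JDK's built-in PKCS12 provider for files, and the "KeychainStore"/"Apple" provider pair is an assumption about Apple's macOS JVM.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Hypothetical helper (not jGlobus code): shows which private-key alias a
 * "use the requested alias, else the first private key" rule would select,
 * and warns when that choice is ambiguous.
 */
public class KeyStoreAliasCheck {

    /** Collect every alias that holds a private key with a certificate, in store order. */
    public static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            if (ks.entryInstanceOf(a, KeyStore.PrivateKeyEntry.class)) {
                out.add(a);
            }
        }
        return out;
    }

    /**
     * Resolve the alias to use. An explicit alias must exist and be a
     * private-key entry. With no alias, fall back to the first private key
     * (the default the bug report describes) and say so when more than one
     * candidate exists, so the pick is visible rather than silent.
     */
    public static String resolveAlias(KeyStore ks, String requested) throws Exception {
        List<String> keys = privateKeyAliases(ks);
        if (keys.isEmpty()) {
            throw new IllegalStateException("keystore contains no private key");
        }
        if (requested != null && !requested.isEmpty()) {
            if (!keys.contains(requested)) {
                throw new IllegalArgumentException("no private key under alias '" + requested
                        + "'; available: " + keys);
            }
            return requested;
        }
        if (keys.size() > 1) {
            System.err.println("WARNING: " + keys.size() + " private keys present, defaulting to '"
                    + keys.get(0) + "'; pass an alias to choose one of " + keys);
        }
        return keys.get(0);
    }

    /** Load a file-backed store, or the Apple Keychain (assumed provider name) when asked. */
    public static KeyStore openStore(String type, String path, char[] password) throws Exception {
        if ("KeychainStore".equals(type)) {
            // Assumption: Apple's macOS JVM registers this type under provider "Apple";
            // it is not backed by a file, so it is loaded with null stream and password.
            KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
            ks.load(null, null);
            return ks;
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreAliasCheck <keystore-file> <password> [alias] [type]");
            System.exit(2);
        }
        String type = args.length > 3 ? args[3] : "PKCS12";
        char[] pw = args[1].toCharArray();
        KeyStore ks = openStore(type, args[0], pw);

        String alias = resolveAlias(ks, args.length > 2 ? args[2] : null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        System.out.println("alias:   " + alias);
        System.out.println("key:     " + key.getAlgorithm());
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println("expires: " + cert.getNotAfter());
    }
}
```

Run it against an exported browser certificate as `java KeyStoreAliasCheck mycert.p12 <password>` to see which entry a default (empty alias) selection lands on before handing the file to a proxy-init tool. For the Apple Keychain case the report notes that the provider itself ignores the alias, so the "more than one private key" warning is the useful signal there: the explicit alias check in this helper cannot override what the provider returns.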