Introduce support for key password (not store password!) in KeyStoreOptions #3970

Closed
famod opened this issue Jun 15, 2021 · 6 comments · Fixed by #3982

famod commented Jun 15, 2021

Describe the feature

There is io.vertx.core.net.KeyStoreOptions.setPassword(String) for the store and .setAlias(String) to select a specific key from the store, but there is nothing to set the password for a specific key.

#3452 seems closely related.

Use cases

In "enterprisy setups"™, more often than not you have multiple key pairs in a single key store and each of them is protected by an individual password. In such cases, just having a keystore password is not sufficient.
FWIW: Spring and WildFly both have something like key-password in config.

Btw, something like .setKeyPassword(String) would make sense to me.
In that context, maybe .setAlias(String) should be renamed to .setKeyAlias(String) to make things clearer.
See also this discussion over at Quarkus: quarkusio/quarkus#17884 (comment)

@famod famod changed the title Introduce setter for key password (not sore password!) in KeyStoreOptions Introduce setter for key password (not store password!) in KeyStoreOptions Jun 15, 2021
Author

famod commented Jun 15, 2021

/cc @mickroll @sberyozkin @cescoffier

@famod famod changed the title Introduce setter for key password (not store password!) in KeyStoreOptions Introduce support for key password (not store password!) in KeyStoreOptions Jun 15, 2021
@vietj vietj added this to the 4.1.1 milestone Jun 16, 2021
Member

vietj commented Jun 16, 2021

setAliasPassword makes sense to me

Contributor

pmlopes commented Jun 16, 2021

In vertx-auth we also have this:

https://github.com/vert-x3/vertx-auth/blob/master/vertx-auth-common/src/main/java/io/vertx/ext/auth/KeyStoreOptions.java#L112

perhaps we should align the naming conventions to avoid confusion with the API.

Member

vietj commented Jun 16, 2021 via email

Contributor

pmlopes commented Jun 17, 2021

@vietj yes. In auth, setting a single password then unlocks the keystore and keys with the same password; when specific passwords are added for an alias, it unlocks the store with the top-level password and the key with the password from the map, falling back to the file password when missing.

@tsegismont tsegismont self-assigned this Jun 22, 2021
tsegismont added a commit to tsegismont/vert.x that referenced this issue Jun 22, 2021
Fixes eclipse-vertx#3970

In eclipse-vertx#3933 we added an alias property to keystore options that allows choosing a keystore entry when there are several instead of letting the JVM select the first one.

This is a follow-up change that allows specifying a password for the alias when it is different than the store's password.

Signed-off-by: Thomas Segismont <tsegismont@gmail.com>
Author

famod commented Jul 5, 2021

FWIW: while integrating this feature via quarkusio/quarkus#18387 I realized that the name aliasPassword can be a bit misleading because you don't have to set an alias in all cases.
E.g. imagine a keystore with a single key that has another password than the store. In that case you don't need alias but you do need aliasPassword.
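
The distinction discussed in this thread (the store password opens the store, a key entry may carry its own password, and a per-alias password falls back to the store password when none is set), as an added example using only the JDK `KeyStore` API. It is not Vert.x or vertx-auth code; the `unlock` helper, the aliases and the passwords are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Map;
import javax.crypto.KeyGenerator;

public class KeyPasswordDemo {

  // Hypothetical helper: use the per-alias password if one is set, else the store password.
  static Key unlock(KeyStore ks, String alias, char[] storePw, Map<String, char[]> aliasPw)
      throws Exception {
    return ks.getKey(alias, aliasPw.getOrDefault(alias, storePw));
  }

  public static void main(String[] args) throws Exception {
    char[] storePw = "store-secret".toCharArray(); // constructed sample values
    char[] keyPw = "key-secret".toCharArray();

    // In-memory JCEKS store: "shared" reuses the store password, "own" has its own.
    KeyStore ks = KeyStore.getInstance("JCEKS");
    ks.load(null, null);
    KeyGenerator gen = KeyGenerator.getInstance("AES");
    gen.init(128);
    ks.setKeyEntry("shared", gen.generateKey(), storePw, null);
    ks.setKeyEntry("own", gen.generateKey(), keyPw, null);
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    ks.store(out, storePw);

    // Reloading needs only the store password; entries stay individually protected.
    KeyStore loaded = KeyStore.getInstance("JCEKS");
    loaded.load(new ByteArrayInputStream(out.toByteArray()), storePw);

    // With the store password alone, the individually protected key stays locked.
    try {
      unlock(loaded, "own", storePw, Map.of());
      throw new AssertionError("expected the key to stay locked");
    } catch (UnrecoverableKeyException e) {
      System.out.println("own: store password rejected");
    }

    // With a per-alias password, "own" unlocks and "shared" falls back to the store password.
    Map<String, char[]> aliasPw = Map.of("own", keyPw);
    System.out.println("own: " + unlock(loaded, "own", storePw, aliasPw).getAlgorithm());
    System.out.println("shared: " + unlock(loaded, "shared", storePw, aliasPw).getAlgorithm());
  }
}
```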
