Skip to content

PVA TLS: remove keychain password-file mechanism (EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE), keep only the ";password" postfix #3879

Description

@george-mcintyre

Summary

The PVA TLS keychain code supports two ways to supply the keychain password:

  1. Postfix form: EPICS_PVA[S]_TLS_KEYCHAIN=/path/to/keychain;password
  2. A separate password file pointed to by EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE

In the reference C++ implementation (PVXS), the password-file mechanism (2) has been judged an anti-feature by the maintainer and removed, keeping only the ;password postfix (1). Phoebus's PVA client implements the same two mechanisms and should make the matching change so the Java and C++ stacks stay consistent.

Upstream rationale

epics-base/pvxs PR #171 review comment:
epics-base/pvxs#171 (comment)

I thought we had agreed that this was an anti-feature? Remove.

Corresponding changes in the C++ / docs repos

  • pvxs (slac-epics/pvxs-tls): removed EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE env handling and the file-read code in src/config.cpp; kept the file;password postfix and the tls_keychain_pwd member. Commit 462e6716.
  • pvxs-cms (slac-epics/pvxs-cms): removing the equivalent file-password paths for the PVACMS / CERT_AUTH / ADMIN keychains and the LDAP account, adding file;password postfix parsing where those keychains lacked it (in progress on branch fix/pr171-review-comments).
  • pvxs-docs (slac-epics/pvxs-docs): documentation updated to drop the password-file ability and document the postfix form (in progress on branch fix/pr171-review-comments).

What needs to change in Phoebus

core/pva/src/main/java/org/epics/pva/common/SecureSockets.java:

  • readKeychainPassword(boolean is_server) (around lines 230-250) reads the password from the file named by EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE / EPICS_PVA_TLS_KEYCHAIN_PWD_FILE. This method and its call sites should be removed.
  • The ;password postfix is already supported in createContext(...) (the keychain_setting.indexOf(';') split, around lines 122-135), so no new password path needs to be added; only the file-based path is removed.
  • Update the class Javadoc that mentions the *_PWD_FILE variables (around lines 115-118) accordingly.

Acceptance

  • EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE is no longer read anywhere.
  • EPICS_PVA[S]_TLS_KEYCHAIN=/path;password still loads an encrypted keychain.
  • Existing TLS/secure-socket tests still pass.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions