Summary
The PVA TLS keychain code supports two ways to supply the keychain password:
- Postfix form:
EPICS_PVA[S]_TLS_KEYCHAIN=/path/to/keychain;password
- A separate password file pointed to by
EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE
In the reference C++ implementation (PVXS), the password-file mechanism (2) has been judged an anti-feature by the maintainer and removed, keeping only the ;password postfix (1). Phoebus's PVA client implements the same two mechanisms and should make the matching change so the Java and C++ stacks stay consistent.
Upstream rationale
epics-base/pvxs PR #171 review comment:
epics-base/pvxs#171 (comment)
I thought we had agreed that this was an anti-feature? Remove.
Corresponding changes in the C++ / docs repos
- pvxs (slac-epics/pvxs-tls): removed
EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE env handling and the file-read code in src/config.cpp; kept the file;password postfix and the tls_keychain_pwd member. Commit 462e6716.
- pvxs-cms (slac-epics/pvxs-cms): removing the equivalent file-password paths for the PVACMS / CERT_AUTH / ADMIN keychains and the LDAP account, adding
file;password postfix parsing where those keychains lacked it (in progress on branch fix/pr171-review-comments).
- pvxs-docs (slac-epics/pvxs-docs): documentation updated to drop the password-file ability and document the postfix form (in progress on branch
fix/pr171-review-comments).
What needs to change in Phoebus
core/pva/src/main/java/org/epics/pva/common/SecureSockets.java:
readKeychainPassword(boolean is_server) (around lines 230-250) reads the password from the file named by EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE / EPICS_PVA_TLS_KEYCHAIN_PWD_FILE. This method and its call sites should be removed.
- The
;password postfix is already supported in createContext(...) (the keychain_setting.indexOf(';') split, around lines 122-135), so no new password path needs to be added; only the file-based path is removed.
- Update the class Javadoc that mentions the
*_PWD_FILE variables (around lines 115-118) accordingly.
Acceptance
EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILE is no longer read anywhere.
EPICS_PVA[S]_TLS_KEYCHAIN=/path;password still loads an encrypted keychain.
- Existing TLS/secure-socket tests still pass.
Summary
The PVA TLS keychain code supports two ways to supply the keychain password:
EPICS_PVA[S]_TLS_KEYCHAIN=/path/to/keychain;passwordEPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILEIn the reference C++ implementation (PVXS), the password-file mechanism (2) has been judged an anti-feature by the maintainer and removed, keeping only the
;passwordpostfix (1). Phoebus's PVA client implements the same two mechanisms and should make the matching change so the Java and C++ stacks stay consistent.Upstream rationale
epics-base/pvxs PR #171 review comment:
epics-base/pvxs#171 (comment)
Corresponding changes in the C++ / docs repos
EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILEenv handling and the file-read code insrc/config.cpp; kept thefile;passwordpostfix and thetls_keychain_pwdmember. Commit462e6716.file;passwordpostfix parsing where those keychains lacked it (in progress on branchfix/pr171-review-comments).fix/pr171-review-comments).What needs to change in Phoebus
core/pva/src/main/java/org/epics/pva/common/SecureSockets.java:readKeychainPassword(boolean is_server)(around lines 230-250) reads the password from the file named byEPICS_PVAS_TLS_KEYCHAIN_PWD_FILE/EPICS_PVA_TLS_KEYCHAIN_PWD_FILE. This method and its call sites should be removed.;passwordpostfix is already supported increateContext(...)(thekeychain_setting.indexOf(';')split, around lines 122-135), so no new password path needs to be added; only the file-based path is removed.*_PWD_FILEvariables (around lines 115-118) accordingly.Acceptance
EPICS_PVA[S]_TLS_KEYCHAIN_PWD_FILEis no longer read anywhere.EPICS_PVA[S]_TLS_KEYCHAIN=/path;passwordstill loads an encrypted keychain.