I already got it working.
Here is what I did.
I used the public certificate and imported it into the keystore:
keytool -import -keystore client_keystore.jks -file furion.crt
Alias name: testkey
Creation date: Jul 13, 2006
Entry type: trustedCertEntry
Owner: CN=furion.co.za, OU=Network Group - VAS, O=MT Group Ltd, L=Roodepoort, C=PA
Issuer: EMAILADDRESS=[EMAIL PROTECTED], CN=MT-PA NWG CA, OU=Network Group, O=MTN Group Ltd, L=Roodepoort, ST=Gauteng, C=PA
Serial number: 2b
Valid from: Mon Apr 10 20:34:45 SGT 2006 until: Thu Apr 09 20:34:45 SGT 2009
Certificate fingerprints:
MD5: B7:A9:89:27:E4:97:31:37:B5:2E:81:5D:D6:FF:E6:78
SHA1: 41:0A:CA:C7:67:B6:6D:E6:E3:9C:F3:6E:CA:CB:C6:C2:4D:5D:86:04
Then I imported the .p12 certificate I was given, using the PKCS12Import tool
(see http://mark.foster.cc/kb/openssl-keytool.html):
java -cp org.mortbay.jetty.jar org.mortbay.util.PKCS12Import www.starfish.com.p12 client_keystore.jks
Enter input keystore passphrase: Monday <--- .p12 Password
Enter output keystore passphrase: mt3pgw <-- keystore password
Alias 0: 1
Adding key for alias 1
Thus,
keytool -list -storepass mt3pgw -keystore client_keystore.jks
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
1, Jul 17, 2006, keyEntry,
Certificate fingerprint (MD5): 31:85:56:8C:46:1E:DE:88:7F:23:48:4B:86:0E:22:46
mykey, Jul 17, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B7:A9:89:27:E4:97:31:37:B5:2E:81:5D:D6:FF:E6:78
Previously, what I was trying to do was to use the following (trying all the possible combinations for username, aliases etc.).
I played around with various combinations for user and encryption user. But our requirement was to authenticate via username and password and to sign and encrypt the message, so I did this:
<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="action" value="Signature Encrypt"/>
    <parameter name="passwordCallbackClass" value="MyPWCallback"/>
    <parameter name="user" value="testkey"/>
    <parameter name="signatureKeyIdentifier" value="DirectReference"/>
    <parameter name="signaturePropFile" value="crypto.properties"/>
    <parameter name="encryptionUser" value="testkey"/>
  </handler>
</requestFlow>
Note: the post about using the SHA1 signature instead of the "1" alias does not work for me. It returns an "Invalid Length X509" error.
Since the username and password are not encrypted, but the message should be signed and encrypted using the public and private key, I did this
(see "chaining" at http://ws.apache.org/wss4j/package.html):
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="UsernameToken"/>
        <parameter name="user" value="1000166"/>
        <parameter name="passwordType" value="PasswordText"/>
        <parameter name="passwordCallbackClass" value="com.xurpas.mtn.PWCallback"/>
        <parameter name="addUTElement" value="Nonce Created"/>
      </handler>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Signature Encrypt"/>
        <!-- PRIVATE KEY ALIAS -->
        <parameter name="user" value="1"/>
        <!-- PUBLIC KEY ALIAS -->
        <parameter name="encryptionUser" value="testkey"/>
        <parameter name="passwordCallbackClass" value="com.xurpas.mtn.PWCallback"/>
        <parameter name="encryptionPropFile" value="crypto.properties"/>
        <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="crypto.properties"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
And my crypto.properties is :
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=mt3pgw
#PRIVATE KEY ALIAS
org.apache.ws.security.crypto.merlin.keystore.alias=1
org.apache.ws.security.crypto.merlin.keystore.alias.password=mt3pgw
org.apache.ws.security.crypto.merlin.file=client_keystore.jks
Here is my callback class:
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // set the password for the identifier WSS4J asks about:
                // the UsernameToken user or a keystore alias
                if ("1000166".equals(pc.getIdentifer())) {
                    pc.setPassword("Xd2Dah4X");   // UsernameToken password
                } else if ("testkey".equals(pc.getIdentifer())) {
                    pc.setPassword("mt3pgw");     // alias of the trusted certificate
                } else if ("1".equals(pc.getIdentifer())) {
                    pc.setPassword("mt3pgw");     // alias of the private key from the .p12
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
And it worked! And just in time for the deadline :)
But I figure I did this all by coincidence; I just got lucky, I suppose, since I have no time to study all the concepts of XML security, crypto, digital signatures, ciphers and encryption in 2 weeks.
Plus I think I had a slight advantage, since the operators provided me with the correct format of the XML document. So what I did was run tcpdump -i eth1 -s 0 -w /home/rice/eth1.trc and check that the format of my request was the same.
So, those who understand this stuff, please do post some info on why it worked.
Regards,
Ice
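Why the final configuration works, and the first one did not, comes down to a few consistency rules between the keystore, crypto.properties, the WSDoAllSender parameters and the password callback: signing needs a private key (a keyEntry) under the alias the handler resolves, encryption needs a certificate under the encryption alias, and the callback must answer for both the UsernameToken user and the signing alias. The script below is an added example (not part of the original posts, nor WSS4J's own code) that checks those rules offline against constructed copies of both setups from this thread. The resolution order it assumes is stated in the module docstring; the keystore listings are constructed, and the working sample lists the trusted certificate under the alias testkey that the wsdd names (the listing above shows it under keytool's default alias mykey).

```python
"""Offline consistency check for an Axis 1.x + WSS4J 1.x WSDoAllSender client.
Added example, not part of the original posts or of WSS4J.  Assumed resolution
order (the one this thread relies on): signing alias = handler "user", else
merlin.keystore.alias; encryption alias = "encryptionUser", else "user"; the
password callback is asked for the UsernameToken user and the signing alias.
"""
import re
import xml.etree.ElementTree as ET

WSDD_NS = "{http://xml.apache.org/axis/wsdd/}"
ALIAS_PROP = "org.apache.ws.security.crypto.merlin.keystore.alias"
PRIVATE_KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}

def parse_keytool_list(text):
    """alias -> entry type from plain `keytool -list` output (aliases are case-insensitive)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"(\S+), .*?, (keyEntry|trustedCertEntry|PrivateKeyEntry),?$", line.strip())
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_wsdd_handlers(xml_text):
    """One list of (name, value) pairs per <handler>, in document order."""
    root = ET.fromstring(xml_text)
    return [[(p.get("name"), p.get("value").strip()) for p in h.findall(WSDD_NS + "parameter")]
            for h in root.iter(WSDD_NS + "handler")]

def lint(handlers, keystore, props, callback_passwords):
    """Return the inconsistencies found; an empty list means the pieces agree."""
    problems = []
    for n, params in enumerate(handlers, 1):
        p = dict(params)
        actions = [v for name, v in params if name == "action"]
        if len(actions) > 1:
            problems.append("handler %d: 'action' is given %d times; only one value survives, "
                            "chain a second WSDoAllSender instead" % (n, len(actions)))
        tokens = {t for a in actions for t in a.split()}
        user = p.get("user")
        if "UsernameToken" in tokens:
            if not user:
                problems.append("handler %d: UsernameToken needs a 'user'" % n)
            elif user not in callback_passwords:
                problems.append("handler %d: callback has no password for user %r" % (n, user))
        if "Signature" in tokens:
            alias = user or props.get(ALIAS_PROP, "")
            etype = keystore.get(alias.lower())
            if etype is None:
                problems.append("handler %d: signing alias %r is not in the keystore" % (n, alias))
            elif etype not in PRIVATE_KEY_TYPES:
                problems.append("handler %d: signing alias %r is a %s, not a private key" % (n, alias, etype))
            if alias not in callback_passwords:
                problems.append("handler %d: callback has no password for signing alias %r" % (n, alias))
        if "Encrypt" in tokens:
            alias = p.get("encryptionUser") or user or ""
            if alias.lower() not in keystore:
                problems.append("handler %d: encryption alias %r is not in the keystore" % (n, alias))
    return problems

def check(keystore_text, props_text, wsdd_text, callback_passwords):
    return lint(parse_wsdd_handlers(wsdd_text), parse_keytool_list(keystore_text),
                parse_properties(props_text), callback_passwords)

# Constructed inputs modelled on the thread: V1 is the first (failing) setup,
# V2 the final (working) one.  Passwords are placeholders.
KEYSTORE_V1 = "testkey, Jul 13, 2006, trustedCertEntry,\nciscomonday, Jul 13, 2006, trustedCertEntry,\nstarfish, Jul 13, 2006, trustedCertEntry,"
PROPS_V1 = ALIAS_PROP + "=starfish"
WSDD_V1 = """<deployment xmlns="http://xml.apache.org/axis/wsdd/"><globalConfiguration><requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
 <parameter name="action" value="UsernameToken"/><parameter name="user" value="1000166"/>
 <parameter name="passwordType" value="PasswordDigest"/><parameter name="action" value="Signature Encrypt"/>
</handler></requestFlow></globalConfiguration></deployment>"""
CALLBACK_V1 = {"1000166": "ut-password"}

KEYSTORE_V2 = "1, Jul 17, 2006, keyEntry,\ntestkey, Jul 17, 2006, trustedCertEntry,"
PROPS_V2 = ALIAS_PROP + "=1"
WSDD_V2 = """<deployment xmlns="http://xml.apache.org/axis/wsdd/"><globalConfiguration><requestFlow>
<handler type="java:org.apache.ws.axis.security.WSDoAllSender">
 <parameter name="action" value="UsernameToken"/><parameter name="user" value="1000166"/>
</handler><handler type="java:org.apache.ws.axis.security.WSDoAllSender">
 <parameter name="action" value="Signature Encrypt"/><parameter name="user" value="1"/>
 <parameter name="encryptionUser" value="testkey"/>
</handler></requestFlow></globalConfiguration></deployment>"""
CALLBACK_V2 = {"1000166": "ut-password", "1": "keystore-password", "testkey": "keystore-password"}
```

Calling check() on the V1 inputs reports the doubled action parameter and that 1000166 is a UsernameToken user, not a keystore alias, so neither signing nor encryption can find key material, which is the point Werner made; dropping the user parameter from V1 makes the signing alias fall back to starfish, which is a trusted certificate without a private key, the situation behind "Unexpected number of X509Data: for Signature". The V2 inputs produce no findings.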
On 7/13/06, Dittmann, Werner <[EMAIL PROTECTED]> wrote:
Your keystore does not contain an alias named 100016. The user parameter in the wsdd file also defines which certificate to use. A certificate and its associated private key are identified by its alias name. Your alias names are "testkey", "ciscomonday", and "trustedCertEntry".
Regards,
Werner
From: iceal thaddeus lim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 13 July 2006 10:02
To: Dittmann, Werner
Cc: [email protected]; [email protected]
Subject: Re: WSHandler: Signature: error during message processing
Hmm... I think that is not the problem.
Here is why...
Creating the keystore.
keytool -import -alias testKey -file furion.mt.co.za.crt -keystore client_keystore.jks -storepass mt3pgw
keytool -import -alias ciscomonday -keystore client_keystore.jks -storepass mt3pgw -file ca.nwg.mt.co.za.crt
keytool -import -alias starfish -keystore client_keystore.jks -storepass mt3pgw -file www.starfishnetwork.com.crt
View the keystore Created.
keytool -list -v -storepass mt3pgw -keystore client_keystore.jks
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: testkey
Creation date: Jul 13, 2006
Entry type: trustedCertEntry
Owner: CN=furion.co.za, OU=Network Group - VAS, O=MT Group Ltd, L=Roodepoort, C=PA
Issuer: EMAILADDRESS=[EMAIL PROTECTED], CN=MT-PA NWG CA, OU=Network Group, O=MTN Group Ltd, L=Roodepoort, ST=Gauteng, C=PA
Serial number: 2b
Valid from: Mon Apr 10 20:34:45 SGT 2006 until: Thu Apr 09 20:34:45 SGT 2009
Certificate fingerprints:
MD5: B7:A9:89:27:E4:97:31:37:B5:2E:81:5D:D6:FF:E6:78
SHA1: 41:0A:CA:C7:67:B6:6D:E6:E3:9C:F3:6E:CA:CB:C6:C2:4D:5D:86:04
*******************************************
*******************************************
Alias name: ciscomonday
Creation date: Jul 13, 2006
Entry type: trustedCertEntry
Owner: EMAILADDRESS=[EMAIL PROTECTED], CN=MT-PA NWG CA, OU=Network Group, O=MTN Group Ltd, L=Roodepoort, ST=Gauteng, C=PA
Issuer: EMAILADDRESS=[EMAIL PROTECTED], CN=MT-PA NWG CA, OU=Network Group, O=MTN Group Ltd, L=Roodepoort, ST=Gauteng, C=PA
Serial number: 0
Valid from: Wed Nov 30 16:25:09 SGT 2005 until: Fri Nov 30 16:25:09 SGT 2035
Certificate fingerprints:
MD5: 30:7E:7C:CE:FA:27:59:79:C9:13:52:B1:05:B6:9A:EA
SHA1: 08:92:9F:CE:91:8D:DC:1C:BD:90:D0:F5:D2:F7:E3:46:1D:EA:20:FA
*******************************************
*******************************************
Alias name: starfish
Creation date: Jul 13, 2006
Entry type: trustedCertEntry
Owner: EMAILADDRESS=[EMAIL PROTECTED], CN=www.starfishnetwork.com, OU=Internet Solutions, O=Starfish Mobile Technologies (PTY) Ltd., L=Johannesburg, ST=Gauteng, C=PA
Issuer: EMAILADDRESS=[EMAIL PROTECTED], CN=MT-PA NWG CA, OU=Network Group, O=MTN Group Ltd, L=Roodepoort, ST=Gauteng, C=PA
Serial number: 38
Valid from: Tue Jun 27 00:22:31 SGT 2006 until: Fri Jun 26 00:22:31 SGT 2009
Certificate fingerprints:
MD5: 31:85:56:8C:46:1E:DE:88:7F:23:48:4B:86:0E:22:46
SHA1: A3:FD:A6:04:8F:3B:EF:21:B4:65:56:59:87:2F:F5:F8:CC:42:6B:BF
*******************************************
*******************************************
My crypto.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=mt3pgw
org.apache.ws.security.crypto.merlin.keystore.alias=starfish
org.apache.ws.security.crypto.merlin.keystore.alias.password=mt3pgw
org.apache.ws.security.crypto.merlin.file=client_keystore.jks
My client_deploy.wsdd
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="UsernameToken"/>
        <parameter name="user" value="1000166"/>
        <parameter name="passwordCallbackClass" value="com.xurpas.mt.PWCallback"/>
        <parameter name="passwordType" value="PasswordDigest"/>
        <parameter name="action" value="Signature Encrypt"/>
        <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier"/>
        <!-- <parameter name="signatureKeyIdentifier" value="DirectReference"/> -->
        <parameter name="signaturePropFile" value="crypto.properties"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
My Password Callback Class
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

public class PWCallback implements CallbackHandler {
    /**
     * @see javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])
     */
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof WSPasswordCallback) {
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // set the password given a username (only the UsernameToken user is handled)
                if ("1000166".equals(pc.getIdentifer())) {
                    pc.setPassword("Xd2Dah4X");
                }
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
}
Really need your help here.
Thanks in advance.
Ice
On 7/13/06, iceal thaddeus lim <[EMAIL PROTECTED]> wrote:
Thanks for the response.
On 7/13/06, Dittmann, Werner <[EMAIL PROTECTED]> wrote:
Usually this shows that no X509 data is available to perform signing. This is often the case if you provide the wrong password to unlock the private key, or the keystore does not contain a private key for the alias, etc.
Regards,
Werner
From: iceal thaddeus lim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 13 July 2006 08:56
To: [email protected]; [email protected]
Subject: WSHandler: Signature: error during message processing
Hi All,
What does this exception mean? What is usually the cause and solution for it?
Please help... getting... very, very desperate.
Thanking you in advance.
Ice
General security error (Unexpected number of X509Data: for Signature)
at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
at org.apache.ws.axis.security.WSDoAllSender.invoke(WSDoAllSender.java:170)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at za.co.mtn.tpgw.ws.billing.billingrequest.ServiceChargingGatewaySoapStub.eventCharge(ServiceChargingGatewaySoapStub.java:181)
