I'm really thankful to all of you for your help. Then, if I understood it well, the problem is that, because I'm using a sample keystore, the certificate used by the webservice to sign the message is not in the sample keystore, so that certificate is not trusted. I was thinking about making a backup of the original Java keystore and importing the bob certificate into it. Then, maybe, the issuer's certificate of the webservice certificate would be installed in the keystore and it would work... What do you think?

José Ferreiro wrote:
Hello Tomás,

I agree with Martin:
you should set up your dev box.
You may even use the interop2.jks keystores (client and server with bob and alice) without creating any self-signed or trusted certificates. You only need to adapt crypto.properties and client_deploy.wsdd.

This way you can try your client with the signature.


From http://ws.apache.org/wss4j/xref/org/apache/ws/axis/security/WSDoAllReceiver.html
your Axis fault can be seen,
and the comments in the code from the wss4j developers around lines 266 and 288 say the following:

 "Now we can check the certificate used to sign the message. In the
 following implementation the certificate is only trusted if
 either it itself or the certificate of the issuer is installed in
 the keystore."

This may lead us to the conclusion that the SOAP message you are receiving (WSDoAllReceiver) is not signed with a certificate that is installed in your "client" keystore,

as your certificates are from interop2.jks.


Also, this does not seem to be correct:

<parameter name="user" value="sample"/>

"sample" should be bob or alice.

Lines 266-288 of WSDoAllReceiver (http://ws.apache.org/wss4j/xref/org/apache/ws/axis/security/WSDoAllReceiver.html#266):

266             * Now we can check the certificate used to sign the message. In the
267             * following implementation the certificate is only trusted if
268             * either it itself or the certificate of the issuer is installed in
269             * the keystore.
270             *
271             * Note: the method verifyTrust(X509Certificate) allows custom
272             * implementations with other validation algorithms for subclasses.
273             */
274
275             // Extract the signature action result from the action vector
276             WSSecurityEngineResult actionResult = WSSecurityUtil
277                     .fetchActionResult(wsResult, WSConstants.SIGN);
278
279             if (actionResult != null) {
280                 X509Certificate returnCert = actionResult.getCertificate();
281
282                 if (returnCert != null) {
283                     if (!verifyTrust(returnCert, reqData)) {
284                         throw new AxisFault(
285                             "WSDoAllReceiver: The certificate used for the signature is not trusted");
286                     }
287                 }
288             }

Regards

José


On Wed, Sep 3, 2008 at 9:31 PM, Martin Gainty <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    you can avoid all that and create the cert yourself for testing
    purposes on your dev box
    http://code.google.com/support/bin/answer.py?answer=71864&topic=11369

    Martin
    ______________________________________________
    Disclaimer and confidentiality note
    Everything in this e-mail and any attachments relates to the
    official business of Sender. This transmission is of a
    confidential nature and Sender does not endorse distribution to
    any party other than intended recipient. Sender does not
    necessarily endorse content contained within this transmission.


    ------------------------------------------------------------------------
    Date: Wed, 3 Sep 2008 20:11:56 +0200

    From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
    To: axis-user@ws.apache.org <mailto:axis-user@ws.apache.org>
    Subject: Re: *SPAM* Re: *SPAM* RE: *SPAM* RE: Problem verifying
    the signature with wss4j... Good News!!


    Because I didn't have enough time to do the entire development with
    the right certificate (I'm still waiting for it, and this should be
    finished on Friday), I wanted to have some code ready (although I
    knew it was not going to work), and then have something prepared for
    the right certificate. Then, in this case and if everything is all
    right, it "should" work (at least partially) with the correct
    certificate... Could this be a client error? (It looks like a server
    error... as I told you, I'm new to Axis...)


    This is the complete exception:


    AxisFault
     faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
     faultSubcode:
     faultString: WSDoAllReceiver: The certificate used for the signature is not trusted
     faultActor:
     faultNode:
     faultDetail:
        {http://xml.apache.org/axis/}hostname:cifweb02.asoatario.com

    WSDoAllReceiver: The certificate used for the signature is not trusted
            at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
            at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
            at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
            at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
            at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
            at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
            at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
            at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
            at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
            at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
            at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
            at javax.xml.parsers.SAXParser.parse(SAXParser.java:395)
            at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
            at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696)
            at org.apache.axis.Message.getSOAPEnvelope(Message.java:435)
            at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(MustUnderstandChecker.java:62)
            at org.apache.axis.client.AxisClient.invoke(AxisClient.java:206)
            at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
            at org.apache.axis.client.Call.invoke(Call.java:2767)
            at org.apache.axis.client.Call.invoke(Call.java:2443)
            at org.apache.axis.client.Call.invoke(Call.java:2366)
            at org.apache.axis.client.Call.invoke(Call.java:1812)


    Thank you very much / Many thanks for your help


    José Ferreiro wrote:

        Correct Frank,

        Why don't you get the right certificate you need that is
        issued and signed by the correct third party?

        Regards.
        José

        On Wed, Sep 3, 2008 at 7:09 PM, Tomás Tormo
        <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

            Good news!!! After changing the keystore for
            "interop2.jks", and using "alice" as alias the exception
            changed :). Now it looks like this:

                WSDoAllReceiver: The certificate used for the
            signature is not trusted

            I'm trying the webservice client against a public
            webservice, that's why I think this exception is pretty
            normal, because this certificate is self-signed and the
            public webservice maybe needs a trusted certificate. Am I
            right?

            Thank you very much

            Tomás Tormo wrote:

                Sorry, my mistake, the client_deploy.wsdd file I'm
                using is the following one:

                <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
                 <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
                 <globalConfiguration>
                  <requestFlow>
                   <handler name="DoSecuritySender" type="java:org.apache.ws.axis.security.WSDoAllSender">
                    <parameter name="passwordCallbackClass" value="pruebawebserviceregistraduria.PWCallback"/>
                    <parameter name="user" value="sample"/>
                    <parameter name="action" value="Signature"/>
                    <parameter name="signaturePropFile" value="crypto.properties"/>
                    <parameter name="signatureKeyIdentifier" value="DirectReference"/>
                   </handler>
                  </requestFlow>
                  <responseFlow>
                   <handler name="DoSecurityReceiver" type="java:org.apache.ws.axis.security.WSDoAllReceiver">
                    <parameter name="passwordCallbackClass" value="pruebawebserviceregistraduria.PWCallback"/>
                    <parameter name="action" value="Signature"/>
                    <parameter name="signaturePropFile" value="crypto.properties"/>
                   </handler>
                  </responseFlow>
                 </globalConfiguration>
                </deployment>

                Thank you

                Tomás Tormo wrote:

                    Ok, sorry, I didn't see the link...

                    Anyway, I would like to ask you why you don't
                    use "DirectReference" as "signatureKeyIdentifier"
                    instead of "X509KeyIdentifier". Is the server able
                    to verify the signature just with that?

                    The client_deploy.wsdd file I was using was the
                    following one (now it's a mix of several xD):

                    <?xml version="1.0" encoding="UTF-8"?>
                    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
                     <transport name="java" pivot="java:org.apache.axis.transport.java.JavaSender"/>
                     <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
                     <transport name="local" pivot="java:org.apache.axis.transport.local.LocalSender"/>
                     <globalConfiguration>
                      <parameter name="disablePrettyXML" value="true"/>
                      <parameter name="enableNamespacePrefixOptimization" value="true"/>
                      <requestFlow>
                       <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
                        <parameter name="action" value="Signature"/>
                        <parameter name="passwordCallbackClass" value="PWCallback"/>
                        <parameter name="user" value="sample"/>
                        <parameter name="signaturePropFile" value="crypto.properties"/>
                        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
                        <parameter name="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                        <parameter name="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                       </handler>
                      </requestFlow>
                      <responseFlow>
                       <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
                        <parameter name="passwordCallbackClass" value="PWCallback"/>
                        <parameter name="action" value="Signature"/>
                        <parameter name="signaturePropFile" value="crypto.properties"/>
                       </handler>
                      </responseFlow>
                     </globalConfiguration>
                    </deployment>





                    Martin Gainty wrote:

                        Tomas

                        the provided example works with WSS4J ..specifically

                        *WSS4J configuration*
                        Below are the important parts from the
                        deployment .wsdd-file for the web service. The
                        test.PWCallback class is a simple class returning
                        the password of the private key in the keystore.
                        I used the same crypto.properties as the one
                        supplied as wsstest.properties in the
                        interop-folder. As you can see I have specified
                        which algorithms to use for the session key and
                        encrypted session key (RSA15 and AES128).

                        Did you try?
                        Regards
                        Martin


                        
------------------------------------------------------------------------
                        Date: Wed, 3 Sep 2008 16:10:30 +0200
                        From: [EMAIL PROTECTED]
                        <mailto:[EMAIL PROTECTED]>
                        To: axis-user@ws.apache.org
                        <mailto:axis-user@ws.apache.org>
                        Subject: Re: *SPAM* RE: Problem verifying the
                        signature with wss4j

                        Thank you very much for your answer, but I
                        forgot to specify that I'm writing a client in
                        Java using wss4j and not WSE, and I don't have
                        access to the server (anyway, I'm new in this
                        field, so maybe I haven't understood it well...)

                        Do you know how to do the same for wss4j in
                        the client?

                        Thank you.

                        Martin Gainty wrote:

                            <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
                            <policy name="x509">
                            assume the specified policy includes the
                            directive
                            messageProtectionOrder="SignBeforeEncrypt"

                            http://erlend.oftedal.no/blog/?blogid=12

                            Regards
                            Martin


                            > Date: Wed, 3 Sep 2008 14:30:40 +0200
                            > From: [EMAIL PROTECTED]
                            > To: axis-user@ws.apache.org
                            > Subject: Problem verifying the signature with wss4j
                            >
                            > Greetings
                            >
                            > I'm trying to write a webservice client which uses signed SOAP
                            > messages in order to communicate. For this, I'm using wss4j 1.5.3 with
                            > axis 1.4. I've successfully written the client code which signs the message
                            > and sends it to the server, but I'm getting the following error:
                            >
                            > WSDoAllReceiver: security processing failed; nested exception is:
                            > org.apache.ws.security.WSSecurityException: The signature
                            > verification failed (The provided certificate is invalid)
                            >
                            > As far as I know (by reading posts on the internet) this is caused
                            > by the XML being modified after it is signed. I've tried to set
                            > disablePrettyXML to true and enableNamespacePrefixOptimization to
                            > false, but it didn't work...
                            >
                            > I've read in other posts that this could be caused by the default blank
                            > namespaces added by Axis (when I checked the XML thanks to TCPMonitor,
                            > I could see that the attributes of the sent objects had no namespace,
                            > but the object itself had).
                            >
                            > Does anybody have any solution for this problem? Could it be possible to
                            > disable the default namespace in Axis?
                            >
                            > Thank you very much
                            >
                            > --
                            > Regards,
                            >
                            > Tomás Tormo Franco
                            >
                            > Indenova, S.L.
                            > Tels.: +34 963 81 99 47 ext.519
                            > http://www.indenova.com
                            > mailto:[EMAIL PROTECTED]

                            



                        













--
Jose Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL



--
Regards,

Tomás Tormo Franco

Indenova, S.L.
Tels.: +34 963 81 99 47  ext.519
http://www.indenova.com
mailto:[EMAIL PROTECTED]
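The rule José quotes from WSDoAllReceiver (the signing certificate is trusted only if it, or its issuer's certificate, is installed in the keystore) can be checked offline before pointing the client at the service again. The following is an added diagnostic written for this thread, not wss4j's or Tomás's code; it assumes a JKS keystore of the kind crypto.properties points to and the service's signing certificate exported to a file, and the class name TrustCheck and the file arguments are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/*
 * Added diagnostic (not wss4j code). Applies the rule the WSDoAllReceiver
 * comment describes: the certificate that signed the response is accepted
 * only if the certificate itself, or the certificate of its issuer, is in
 * the keystore. A JKS keystore is assumed (placeholder arguments below).
 *
 * Usage: java TrustCheck <keystore.jks> <storepass> <signer-cert.pem>
 */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <keystore.jks> <storepass> <signer-cert.pem>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate signer;
        try (InputStream in = new FileInputStream(args[2])) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        String reason = verifyTrust(signer, ks);
        System.out.println(reason == null ? "TRUSTED" : "NOT TRUSTED: " + reason);
        System.exit(reason == null ? 0 : 1);
    }

    /** Returns null when the certificate would be trusted, otherwise the reason. */
    static String verifyTrust(X509Certificate cert, KeyStore ks) throws Exception {
        // Rule 1: the signing certificate itself is present in the keystore.
        if (ks.getCertificateAlias(cert) != null) {
            return null;
        }
        // A self-signed certificate has no separate issuer to fall back on.
        if (cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
            return "self-signed certificate is not in the keystore";
        }
        // Rule 2: the issuer's certificate is present. Match on the issuer DN,
        // then confirm the signature really chains to that key: a DN match
        // alone would accept any certificate claiming the same issuer name.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate candidate = (X509Certificate) c;
            if (candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                try {
                    cert.verify(candidate.getPublicKey());
                    cert.checkValidity();
                    return null;
                } catch (Exception ex) {
                    return "issuer '" + candidate.getSubjectX500Principal()
                            + "' is in the keystore but validation failed: " + ex.getMessage();
                }
            }
        }
        return "neither the certificate nor its issuer '" + cert.getIssuerX500Principal()
                + "' is in the keystore";
    }
}
```

If the check reports that the issuer is missing, importing the issuer's certificate into that keystore with keytool -importcert, and making sure crypto.properties names that keystore, is the fix the thread is converging on.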
