Hi Nate,
I used a different method to do the same, where I changed the
private boolean verifyTrust(X509Certificate cert, RequestData reqData)
throws AxisFault
method in the WSDoAllReceiver.
I added the following line right after it retrieves the alias from the
request data (right after line 526):
reqData.msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER, alias);
Is this the way that you were looking for? This way I didn't have to
do anything at the service :-)
Best regards,
Ruchith
On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> Hopefully this will be my last question for a while :) I really do
> appreciate all of the speedy help being provided on this list.
>
> I got the encryptionUser to work programmatically by setting the property
> in the message context to the principal CN, but I'd like to get people's
> thoughts on my method. The code below is called in the constructor of
> the service. The assumption is that the client alias will be the same
> as the CN. I don't like that assumption, but I have control over how
> our clients generate their keys, so I can enforce this. I'd much rather
> be able to get right at the alias, but haven't figured this out yet... if
> anyone knows of a way, I'd be happy to know.
>
>
> // imports used by the snippet below
> import java.util.Vector;
> import org.apache.axis.Message;
> import org.apache.axis.MessageContext;
> import org.apache.ws.security.WSConstants;
> import org.apache.ws.security.WSSecurityEngineResult;
> import org.apache.ws.security.handler.WSHandlerConstants;
> import org.apache.ws.security.handler.WSHandlerResult;
>
> MessageContext msgContext = MessageContext.getCurrentContext();
> Message reqMsg = msgContext.getRequestMessage();
>
> String encryptedUser = null;
> Vector results =
>     (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
>
> // results is null when no WS-Security handler ran on the request
> for (int i = 0; results != null && i < results.size(); i++) {
>     WSHandlerResult hResult = (WSHandlerResult) results.get(i);
>     String actor = hResult.getActor();
>     Vector hResults = hResult.getResults();
>     for (int j = 0; j < hResults.size(); j++) {
>         WSSecurityEngineResult eResult =
>             (WSSecurityEngineResult) hResults.get(j);
>         // Only the Signature result carries the signer's principal;
>         // the Encrypt and Timestamp results have none (getPrincipal() is null).
>         if (eResult.getAction() == WSConstants.SIGN
>                 && eResult.getPrincipal() != null) {
>             encryptedUser = eResult.getPrincipal().getName();
>         }
>     }
> }
>
> if (encryptedUser != null) {
>     // Assumes the client's keystore alias equals the CN of its subject DN.
>     if (encryptedUser.startsWith("CN=")) {
>         encryptedUser = encryptedUser.substring(3);
>         // keep only the CN value, not any following RDNs (", O=...", etc.)
>         int comma = encryptedUser.indexOf(',');
>         if (comma >= 0) {
>             encryptedUser = encryptedUser.substring(0, comma).trim();
>         }
>     }
>     System.out.println("setting encryptedUser to ==>" + encryptedUser + "<==");
>     msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER, encryptedUser);
> }
>
> Thanks!
> Nate
>
>
> Nathaniel A. Johnson wrote:
> > Hi Ruchith,
> >
> > So you are saying I should not need an encryptionUser property in the
> > server.wsdd file? That would be great.
> >
> > Everything you say does make sense... and I do have trusted certs in the
> > server keystore for all clients that will be talking to the service, so
> > that part is taken care of.
> >
> > The problem right now is that the server is encrypting the response back
> > to the client with the server's public key instead of the client's
> > public key when I do not have the encryptedUser in the responseFlow of
> > the server.wsdd (which I do not want because I don't know the client :) I
> > can see the client's public key in the constants like you mentioned below
> > too, but the server just doesn't seem to want to use it.
> >
> > Am I missing something else? Any thoughts?
> >
> > Nate
> >
> >
> > Ruchith Fernando wrote:
> >
> >>>Hi Nate,
> >>>
> >>>The client's public key is stored in the message context (in the
> >>>receiver results - WSHandlerConstants.RECV_RESULTS) and retrieved
> >>>later to encrypt the outgoing message (by the WSDoAllSender).
> >>>
> >>>WSDoAllSender - private void handleSpecialUser(RequestData reqData)
> >>>
> >>>Therefore if the client sending the incoming message uses a trusted
> >>>cert then the outgoing message will be encrypted with that cert.
> >>>
> >>>But there's a trust verification part that happens at the service (by
> >>>the WSDoAllReceiver -
> >>>verifyTrust(X509Certificate cert, RequestData reqData) throws AxisFault).
> >>>
> >>>This requires the client cert to be in the keystore of the service. I
> >>>guess you can change this ONLY IF you want to trust all the requests
> >>>AND if you don't have each client's cert with you.
> >>>
> >>>Best regards,
> >>>Ruchith
> >>>
> >>>On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
> >>>
> >>>Hello again Werner,
> >>>
> >>>So I fixed my encryption problem. I totally read the documentation
> >>>wrong. I just needed to supply the encryptionUser in the wsdd, which
> >>>makes perfect sense in hindsight :) Thanks for getting me thinking :)
> >>>
> >>>New Related Problem:
> >>>
> >>>This works great for request flows from the client to the web service
> >>>since there is only one service the client is talking to (multiple
> >>>clients talk to this service) and the client can just insert the service
> >>>as the encryptionUser. And it works for responses from the service to
> >>>the client when I hardcode the client as the encryptionUser in the
> >>>server.wsdd like follows:
> >>>
> >>><responseFlow>
> >>> <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
> >>> <parameter name="user" value="groupsserver"/>
> >>> <parameter name="passwordCallbackClass"
> >>> value="edu.iu.uis.osg.security.PWCallback"/>
> >>> <parameter name="encryptionUser" value="xxappclient"/>
> >>> <parameter name="action" value="Signature Encrypt"/>
> >>> <parameter name="signaturePropFile"
> >>> value="server-crypto.properties" />
> >>> <parameter name="signatureKeyIdentifier" value="DirectReference" />
> >>> <parameter name="encryptionKeyIdentifier"
> >>> value="X509KeyIdentifier" />
> >>> </handler>
> >>></responseFlow>
> >>>
> >>>But there are many clients, so is there some way for my server to
> >>>determine who is calling it and encrypt the response back to it with the
> >>>correct public key?
> >>>
> >>>Thanks yet again!
> >>>Nate
> >>>
> >>>
> >>>
> >>>Nathaniel A. Johnson wrote:
> >>>
> >>>
> >>>>Hi Werner,
> >>>
> >>>>Your description of signatures and encryption with key pairs makes
> >>>>perfect sense. It did get me thinking of something I figured was just
> >>>>happening behind the scenes somewhere, which is that the client "just
> >>>>knew" to use the server's public key to do the encrypting. Is there
> >>>>some config setting, property file or what not, that should be set so
> >>>>that the client knows to use the server's public key to encrypt with?
> >>>>In the client.wsdd there are signaturePropFile and possibly
> >>>>encryptionPropFile and decryptionPropFile properties, but those files
> >>>>all have passwords in them, so I can't allow the client to see the
> >>>>server files, right?
> >>>
> >>>>I must just be missing where I tell the client what to use for
> >>>>encryption... any help would be great!
> >>>
> >>>>Thanks!
> >>>>Nate
> >>>
> >>>>PS: Signatures are working great for me, both in the request and
> >>>>response flows of the service, so I at least have half of it working :)
> >>>
> >>>
> >>>>Dittmann Werner wrote:
> >>>
> >>>
> >>>>>>Nate,
> >>>>>>
> >>>>>>both the Client and the Server use the Merlin calls to access
> >>>>>>the keystore and to deal with certificates.
> >>>>>>
> >>>>>>If you do Signature then the client needs _its_ private
> >>>>>>key to sign, the server needs the client's public key
> >>>>>>to verify.
> >>>>>>
> >>>>>>If you encrypt then the client uses the _server's
> >>>>>>public_ key to encrypt the symmetric session key, the
> >>>>>>server uses _its_ private key to decrypt the session
> >>>>>>key. Thus, the case you are describing is probably
> >>>>>>a problem in the deployment - if you use Encryption
> >>>>>>then you must use the server's certificate to do so
> >>>>>>(the certificate contains the public key). To me it
> >>>>>>seems that you specified the client's certificate to do
> >>>>>>encryption.
> >>>>>>
> >>>>>>Regards,
> >>>>>>Werner
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>-----Original Message-----
> >>>>>>>From: Nathaniel A. Johnson [mailto:[EMAIL PROTECTED]
> >>>>>>>Sent: Wednesday, 1 June 2005 16:54
> >>>>>>>To: [email protected]
> >>>>>>>Subject: encryption not asking for the right private key
> >>>>>>>
> >>>>>>>
> >>>>>>>Hi all,
> >>>>>>>
> >>>>>>>I just posted this over on the axis list, but realized it's probably
> >>>>>>>better suited for the wss4j dev list... sorry for the cross post for
> >>>>>>>those of you that are on both lists...
> >>>>>>>
> >>>>>>>I have been stepping through the axis and wss4j code and am at a loss.
> >>>>>>>Here is the code it is getting to (inside Merlin.java):
> >>>>>>>
> >>>>>>>public PrivateKey getPrivateKey(String alias, String password)
> >>>>>>>        throws Exception {
> >>>>>>>    if (alias == null) {
> >>>>>>>        throw new Exception("alias is null");
> >>>>>>>    }
> >>>>>>>    boolean b = keystore.isKeyEntry(alias);
> >>>>>>>    if (!b) {
> >>>>>>>        log.error("Cannot find key for alias: " + alias);
> >>>>>>>        throw new Exception("Cannot find key for alias: " + alias);
> >>>>>>>    }
> >>>>>>>    Key keyTmp = keystore.getKey(alias, password.toCharArray());
> >>>>>>>    if (!(keyTmp instanceof PrivateKey)) {
> >>>>>>>        throw new Exception("Key is not a private key, alias: " + alias);
> >>>>>>>    }
> >>>>>>>    return (PrivateKey) keyTmp;
> >>>>>>>}
> >>>>>>>
> >>>>>>>This is when the client calls to the service. The client is sending an
> >>>>>>>encrypted/signed message. What's happening is the server (web service)
> >>>>>>>is trying to get the private key for the client. That just doesn't make
> >>>>>>>sense. The server will not have a keyEntry (private key) for the
> >>>>>>>client, just public keys.
> >>>>>>>
> >>>>>>>Does anyone have any idea where I might be going wrong? I have been
> >>>>>>>looking at this problem for over a week now, so maybe I am just missing
> >>>>>>>something? I feel like I am going crazy.
> >>>>>>>
> >>>>>>>Thanks
> >>>>>>>Nate
> >>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (MingW32)
>
> iD8DBQFCnydwgj8ksIjnb2wRAhQcAKCNyumtp6TEX2LDdCIiMp1souOCIACeI3bM
> sAU32jwARpUxLFHfmuEpVjw=
> =LnfS
> -----END PGP SIGNATURE-----
>
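Editor's added example, not code from this thread, from WSS4J or from Axis: the thread ends with two ways of choosing the response recipient (Nate's CN == alias assumption at the service, Ruchith's patch inside verifyTrust). The class below shows a third way that needs neither the CN assumption nor a patched handler: take the X509 certificate from the *verified Signature result* in WSHandlerConstants.RECV_RESULTS, resolve it to a keystore alias through the server's Crypto, and set that alias as WSHandlerConstants.ENCRYPTION_USER before the response flow runs. It relies on the WSS4J 1.x API as I remember it (WSSecurityEngineResult.getCertificate(), Crypto.getAliasForX509Cert(), CryptoFactory.getInstance()); those names, the class name ResponseRecipientSelector and the property file name "server-crypto.properties" are assumptions, not something the thread shows.

```java
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Vector;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Editor's example (assumed class name): picks the recipient of the encrypted
 * response from the certificate that signed the request, instead of a
 * hard-coded encryptionUser in server.wsdd.
 */
public final class ResponseRecipientSelector {

    /**
     * Returns the keystore alias of the certificate that signed the request.
     * Fails closed: no signature, an ambiguous signature, or a signer that is
     * not in the server keystore all raise a fault rather than silently
     * letting WSDoAllSender fall back to the server's own certificate.
     */
    public static String signerAlias(Vector recvResults, Crypto crypto) throws AxisFault {
        if (recvResults == null) {
            throw new AxisFault("No WS-Security results on the request; refusing to encrypt a response");
        }
        X509Certificate signerCert = null;
        for (Iterator h = recvResults.iterator(); h.hasNext();) {
            WSHandlerResult hResult = (WSHandlerResult) h.next();
            for (Iterator r = hResult.getResults().iterator(); r.hasNext();) {
                WSSecurityEngineResult eResult = (WSSecurityEngineResult) r.next();
                // Only the Signature result proves who sent the request; the Encrypt
                // result carries no certificate and a Timestamp result has neither.
                if (eResult.getAction() != WSConstants.SIGN || eResult.getCertificate() == null) {
                    continue;
                }
                if (signerCert != null && !signerCert.equals(eResult.getCertificate())) {
                    throw new AxisFault("Request signed by two different certificates; recipient is ambiguous");
                }
                signerCert = eResult.getCertificate();
            }
        }
        if (signerCert == null) {
            throw new AxisFault("Request was not signed; cannot determine response recipient");
        }
        try {
            // Assumed WSS4J 1.x call: map the verified cert back to an alias in our keystore.
            String alias = crypto.getAliasForX509Cert(signerCert);
            if (alias == null) {
                throw new AxisFault("Signer certificate not in server keystore: "
                        + signerCert.getSubjectDN());
            }
            return alias;
        } catch (WSSecurityException e) {
            throw new AxisFault("Alias lookup for signer certificate failed", e);
        }
    }

    /**
     * Call from the service (for example in its constructor, as Nate does) so the
     * property is set before WSDoAllSender builds the response.
     */
    public static void selectRecipient(MessageContext msgContext, String cryptoPropFile)
            throws AxisFault {
        Vector results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        Crypto crypto = CryptoFactory.getInstance(cryptoPropFile);   // e.g. "server-crypto.properties" (assumed name)
        msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER, signerAlias(results, crypto));
    }
}
```

Usage from the service: ResponseRecipientSelector.selectRecipient(MessageContext.getCurrentContext(), "server-crypto.properties"); with encryptionUser removed from the responseFlow in server.wsdd. The design point is that the recipient is derived only from a signature the receiver has already verified (including WSDoAllReceiver's verifyTrust against the server keystore), so the response can be read only by a party that proved possession of a trusted private key, and an unsigned or unknown caller gets a fault instead of a response encrypted to the wrong key.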