Hi Ruchith,
That's a much better solution than mine because that looks to be the
real alias, not the dn property from the cert. That's exactly what I
wanted. I rebuilt the wss4j.jar and it works great.
Any idea why this isn't done in the codebase in the first place? It
would be nice if it were so I don't have to remember to rebuild the
library when new versions come out.
Thanks for the help!
Nate
Ruchith Fernando wrote:
> Hi Nate,
>
> I used a different method to do the same where I changed the -
> private boolean verifyTrust(X509Certificate cert, RequestData reqData)
> throws AxisFault
> method in the WSDoAllReceiver
>
> I added the following line right after it retrieves the alias from the
> request data (right after line 526):
>
> reqData.msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER,alias);
>
> Is this the way that you were looking for... This way I didn't have to
> do anything at the service :-)
>
> Best regards,
> Ruchith
>
> On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
>
> Hi All,
>
> Hopefully this will be my last question for a while :) I really do
> appreciate all of the speedy help being provided on this list.
>
> I got the encryptionUser to work programmatically by setting the property
> in the message context to the principal CN, but I'd like to get people's
> thoughts on my method. The code below is called in the constructor of
> the service. The assumption is that the client alias will be the same
> as the CN. I don't like that assumption, but I have control over how
> our clients generate their keys, so I can enforce this. I'd much rather
> be able to get right at the alias, but haven't figured this out yet... if
> anyone knows of a way, I'd be happy to know.
>
>
> MessageContext msgContext = MessageContext.getCurrentContext();
> Message reqMsg = msgContext.getRequestMessage();
>
> String encryptedUser = null;
> // Results stored by WSDoAllReceiver while processing the incoming request.
> Vector results =
>     (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
>
> for (int i = 0; i < results.size(); i++) {
>     WSHandlerResult hResult = (WSHandlerResult) results.get(i);
>     String actor = hResult.getActor();
>     Vector hResults = hResult.getResults();
>     for (int j = 0; j < hResults.size(); j++) {
>         WSSecurityEngineResult eResult =
>             (WSSecurityEngineResult) hResults.get(j);
>         // Skip the encryption result (it carries no principal) and take the
>         // principal of the signature result. A timestamp result also has no
>         // principal, so guard against null before calling getName().
>         if (eResult.getAction() != WSConstants.ENCR
>                 && eResult.getPrincipal() != null) {
>             encryptedUser = eResult.getPrincipal().getName();
>         }
>     }
> }
>
> if (encryptedUser != null) {
>     // Assumes the client's keystore alias equals the CN of its subject DN.
>     if (encryptedUser.startsWith("CN=")) {
>         encryptedUser = encryptedUser.substring(3);
>     }
>     System.out.println("setting encryptedUser to ==>" +
>         encryptedUser + "<==");
>     msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER,
>         encryptedUser);
> }
>
> Thanks!
> Nate
>
>
> Nathaniel A. Johnson wrote:
>
>>Hi Ruchith,
>
>>So you are saying I should not need an encryptionUser property in the
>>server.wsdd file? That would be great.
>
>>Everything you say does make sense... and I do have trusted certs in the
>>server keystore for all clients that will be talking to the service, so
>>that part is taken care of.
>
>>The problem right now is that the server is encrypting the response back
>>to the client with the server's public key instead of the client's
>>public key when I do not have the encryptedUser in the responseFlow of
>>the server.wsdd (which I do not want because I don't know the client :) I
>>can see the client's public key in the constants like you mentioned below
>>too, but the server just doesn't seem to want to use it.
>
>>Am I missing something else? Any thoughts?
>
>>Nate
>
>
>>Ruchith Fernando wrote:
>
>
>>>>Hi Nate,
>>>>
>>>>The client's public key is stored in the message context (in the
>>>>receiver results - WSHandlerConstants.RECV_RESULTS) and retrieved
>>>>later to encrypt the outgoing message (by the WSDoAllSender).
>>>>
>>>>WSDoAllSender - private void handleSpecialUser(RequestData reqData)
>>>>
>>>>Therefore if the client sending the incoming message uses a trusted
>>>>cert then the outgoing message will be encrypted with that cert.
>>>>
>>>>But there's a trust verification part that happens at the service (by
>>>>the WSDoAllReceiver -
>>>>verifyTrust(X509Certificate cert, RequestData reqData) throws AxisFault).
>>>>
>>>>This requires the client cert to be in the keystore of the service. I
>>>>guess you can change this ONLY IF you want to trust all the requests
>>>>AND if you don't have each client's cert with you.
>>>>
>>>>Best regards,
>>>>Ruchith
>>>>
>>>>On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
>>>>
>>>>Hello again Werner,
>>>>
>>>>So I fixed my encryption problem. I totally read the documentation
>>>>wrong. I just needed to supply the encryptionUser in the wsdd, which
>>>>makes perfect sense in hindsight :) Thanks for getting me thinking :)
>>>>
>>>>New Related Problem:
>>>>
>>>>This works great for request flows from the client to the web service
>>>>since there is only one service the client is talking to (multiple
>>>>clients talk to this service) and the client can just insert the service
>>>>as the encryptionUser. And it works for responses from the service to
>>>>the client when I hardcode the client as the encryptionUser in the
>>>>server.wsdd like follows:
>>>>
>>>><responseFlow>
>>>>  <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
>>>>    <parameter name="user" value="groupsserver"/>
>>>>    <parameter name="passwordCallbackClass"
>>>>               value="edu.iu.uis.osg.security.PWCallback"/>
>>>>    <parameter name="encryptionUser" value="xxappclient"/>
>>>>    <parameter name="action" value="Signature Encrypt"/>
>>>>    <parameter name="signaturePropFile"
>>>>               value="server-crypto.properties" />
>>>>    <parameter name="signatureKeyIdentifier" value="DirectReference" />
>>>>    <parameter name="encryptionKeyIdentifier"
>>>>               value="X509KeyIdentifier" />
>>>>  </handler>
>>>></responseFlow>
>>>>
>>>>But there are many clients, so is there some way for my server to
>>>>determine who is calling it and encrypt the response back to it with the
>>>>correct public key?
>>>>
>>>>Thanks yet again!
>>>>Nate
>>>>
>>>>
>>>>
>>>>Nathaniel A. Johnson wrote:
>>>>
>>>>
>>>>
>>>>>Hi Werner,
>>>>
>>>>>Your description of signatures and encryption with key pairs makes
>>>>>perfect sense. It did get me thinking of something I figured was just
>>>>>happening behind the scenes somewhere, which is that the client "just
>>>>>knew" to use the server's public key to do the encrypting. Is there
>>>>>some config setting, property file or what not, that should be set so
>>>>>that the client knows to use the server's public key to encrypt with?
>>>>>In the client.wsdd there are signaturePropFile and possibly
>>>>>encryptionPropFile and decryptionPropFile properties, but those files
>>>>>all have passwords in them, so I can't allow the client to see the
>>>>>server files, right?
>>>>
>>>>>I must just be missing where I tell the client what to use for
>>>>>encryption... any help would be great!
>>>>
>>>>>Thanks!
>>>>>Nate
>>>>
>>>>>PS: Signatures are working great for me, both in the request and
>>>>>response flows of the service, so I at least have half of it working :)
>>>>
>>>>
>>>>>Dittmann Werner wrote:
>>>>
>>>>
>>>>>>>Nate,
>>>>>>>
>>>>>>>both the Client and the Server use the Merlin calls to access
>>>>>>>the keystore and to deal with certificates.
>>>>>>>
>>>>>>>If you do Signature then the client needs _its_ private
>>>>>>>key to sign, the server needs the client's public key
>>>>>>>to verify.
>>>>>>>
>>>>>>>If you encrypt then the client uses the _server's
>>>>>>>public_ key to encrypt the symmetric session key, the
>>>>>>>server uses _its_ private key to decrypt the session
>>>>>>>key. Thus, the case you are describing is probably
>>>>>>>a problem in the deployment - if you use Encryption
>>>>>>>then you must use the server's certificate to do so
>>>>>>>(the certificate contains the public key). To me it
>>>>>>>seems that you specified the client's certificate to do
>>>>>>>encryption.
>>>>>>>
>>>>>>>Regards,
>>>>>>>Werner
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>From: Nathaniel A. Johnson [mailto:[EMAIL PROTECTED]
>>>>>>>>Sent: Wednesday, 1 June 2005 16:54
>>>>>>>>To: [email protected]
>>>>>>>>Subject: encryption not asking for the right private key
>>>>>>>>
>>>>>>>>
>>>>>>>>Hi all,
>>>>>>>>
>>>>>>>>I just posted this over on the axis list, but realized it's probably
>>>>>>>>better suited for the wss4j dev list... sorry for the cross post for
>>>>>>>>those of you that are on both lists...
>>>>>>>>
>>>>>>>>I have been stepping through the axis and wss4j code and am at a loss.
>>>>>>>>Here is the code it is getting to (inside Merlin.java):
>>>>>>>>
>>>>>>>>public PrivateKey getPrivateKey(String alias, String password)
>>>>>>>>        throws Exception {
>>>>>>>>    if (alias == null) {
>>>>>>>>        throw new Exception("alias is null");
>>>>>>>>    }
>>>>>>>>    boolean b = keystore.isKeyEntry(alias);
>>>>>>>>    if (!b) {
>>>>>>>>        log.error("Cannot find key for alias: " + alias);
>>>>>>>>        throw new Exception("Cannot find key for alias: " + alias);
>>>>>>>>    }
>>>>>>>>    Key keyTmp = keystore.getKey(alias, password.toCharArray());
>>>>>>>>    if (!(keyTmp instanceof PrivateKey)) {
>>>>>>>>        throw new Exception("Key is not a private key, alias: " + alias);
>>>>>>>>    }
>>>>>>>>    return (PrivateKey) keyTmp;
>>>>>>>>}
>>>>>>>>
>>>>>>>>This is when the client calls to the service. The client is
>>>>>>>>sending an encrypted/signed message. What's happening is the server
>>>>>>>>(web service) is trying to get the private key for the client. That
>>>>>>>>just doesn't make sense. The server will not have a keyEntry (private
>>>>>>>>key) for the client, just public keys.
>>>>>>>>
>>>>>>>>Does anyone have any idea where I might be going wrong? I have been
>>>>>>>>looking at this problem for over a week now, so maybe I am just missing
>>>>>>>>something? I feel like I am going crazy.
>>>>>>>>
>>>>>>>>Thanks
>>>>>>>>Nate
>>>>
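As an added example (not code from this thread or from WSS4J) of the service-side approach Nate posted above: it reads only the principal of the SIGN result, so timestamp or encryption results cannot cause a null dereference, and it parses the CN as an RDN instead of stripping "CN=" with substring(3), which would turn "CN=nate,O=IU" into "nate,O=IU". It assumes the WSS4J 1.x and Axis 1.x class names used in the thread, Java 5 for javax.naming.ldap, and, like Nate's code, that the keystore alias equals the CN; Ruchith's change inside verifyTrust avoids that last assumption because it uses the alias actually resolved from the trusted certificate.

```java
import java.security.Principal;
import java.util.Vector;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.axis.MessageContext;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class ResponseEncryptionUser {
    // CN of an X.500 DN parsed as RDNs: "CN=nate,O=IU" gives "nate" (not "nate,O=IU"); null if none.
    static String commonName(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) { /* an unparsable DN must not become an alias */ }
        return null;
    }

    // Principal of the verified signature in the receiver results. Only the SIGN
    // result identifies the caller; ENCR and timestamp results carry no principal.
    static Principal signerPrincipal(Vector results) {
        for (int i = 0; results != null && i < results.size(); i++) {
            Vector hResults = ((WSHandlerResult) results.get(i)).getResults();
            for (int j = 0; j < hResults.size(); j++) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) hResults.get(j);
                if (r.getAction() == WSConstants.SIGN && r.getPrincipal() != null) {
                    return r.getPrincipal();
                }
            }
        }
        return null;
    }

    // Sets encryptionUser for the response to the signer's CN (assumes alias == CN, as
    // in the thread); leaves it unset rather than guessing when no signer was verified.
    static void selectResponseEncryptionUser(MessageContext msgContext) {
        Vector results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        Principal signer = signerPrincipal(results);
        String alias = (signer == null) ? null : commonName(signer.getName());
        if (alias != null) {
            msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER, alias);
        }
    }
}
```

Call selectResponseEncryptionUser(MessageContext.getCurrentContext()) from the service, where Nate's constructor code ran, before WSDoAllSender builds the response.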