Re: Using Bouncy Castle instead of Merlin in WSS4J 1.6.13

2014-03-14 Thread Giriraj Bhojak
I tried this through a junit after changing the algorithm. And here is what
I got:

SEVERE: java.security.NoSuchAlgorithmException: unsupported algorithm
Mar 14, 2014 12:14:22 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for ... has thrown exception, unwinding now
Throwable occurred: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
    at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:280)
    at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:141)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)

Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
    at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:122)
    at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)
    at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
    at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:265)


Here is the signature entry defined in the 'out' interceptor:
<entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256" />

I am not sure how to check for unlimited security policies. But since we
would be running this on WebSphere, I don't think I have the liberty to
have the unlimited security policies.


Thanks,
Giriraj.


On Fri, Mar 14, 2014 at 5:51 AM, Colm O hEigeartaigh cohei...@apache.org wrote:


 Yes, Merlin supports SHA-256. Do you have the unlimited security policies
 installed in the JDK?

 Colm.



 On Fri, Mar 14, 2014 at 3:08 AM, Giriraj Bhojak girira...@gmail.com wrote:

 Hello Colm,

 I created the keystore using standard java keytool command. I am not sure
 how to create a BKS keystore.
 When I tried using sha256 signature algorithm (by configuring
 signatureAlgorithm in the interceptor via CXF) with Merlin, I ran into
 algorithm not supported exception. sha1 signature algorithm worked properly.
 Doesn't Merlin support sha256 signature algorithm?
 Do I need to use bouncy castle in this case?
 Could you please help me out with it?

 Thanks,
 Giriraj.
 On Feb 24, 2014 5:37 AM, Colm O hEigeartaigh cohei...@apache.org
 wrote:


 With BouncyCastle, the Keystore type must be BKS, so:

 org.apache.ws.security.crypto.merlin.keystore.type=BKS

 Note that the keystore itself must be compatible with BouncyCastle JKS
 implementation.

 Colm.


 On Fri, Feb 21, 2014 at 10:44 PM, Giriraj Bhojak girira...@gmail.com wrote:

 Hello Colm,

 I didn't have any success using above properties.
 I got following:
     ... 2 more
 Caused by: org.apache.ws.security.components.crypto.CredentialException: Failed to load credentials.
     at org.apache.ws.security.components.crypto.Merlin.load(Merlin.java:376)
     at org.apache.ws.security.components.crypto.Merlin.loadProperties(Merlin.java:190)
     at org.apache.ws.security.components.crypto.Merlin.init(Merlin.java:140)
     at org.apache.ws.security.components.crypto.CryptoFactory.getInstance(CryptoFactory.java:117)
     ... 17 more
 Caused by: java.security.KeyStoreException: KeyStore jks implementation not found
     at java.security.KeyStore.getInstance(KeyStore.java:122)
     at org.apache.ws.security.components.crypto.Merlin.load(Merlin.java:362)
     ... 20 more
 Caused by: java.security.KeyStoreException: KeyStore jks implementation not found
     at java.security.KeyStore.getInstance(KeyStore.java:150)
     at java.security.KeyStore.getInstance(KeyStore.java:120)
     ... 21 more

 It was working with Merlin earlier. Here is my properties file:
 org.apache.ws.security.crypto.merlin.keystore.file=sample.jks
 org.apache.ws.security.crypto.merlin.keystore.password=password
 org.apache.ws.security.crypto.merlin.keystore.type=jks
 org.apache.ws.security.crypto.merlin.keystore.alias=alias1
 org.apache.ws.security.crypto.merlin.keystore.provider=BC
 org.apache.ws.security.crypto.merlin.cert.provider=BC

 I have bcprov-jdk12-130.jar on the classpath.

 Could you please help me find out what I am doing wrong here?

 Thanks,
 Giriraj.


 On Tue, Feb 18, 2014 at 8:39 AM, Colm O hEigeartaigh 
 cohei...@apache.org wrote:

 You can use BouncyCastle with the Merlin Crypto implementation. Simply
 add the property:

 

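The mix-up this thread turns on, where signatureAlgorithm was given the digest URI that belongs under signatureDigestAlgorithm, can be caught before deployment with a small check. The following is an added example, not code from the thread or from WSS4J; the class name Wss4jAlgoCheck and its URI tables (a non-exhaustive subset of the W3C identifiers) are assumptions, and the corrected sample assumes an RSA signing key.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class Wss4jAlgoCheck {
    // W3C identifiers for message digests (subset, assumed sufficient here).
    static final Set<String> DIGEST_URIS = Set.of(
        "http://www.w3.org/2000/09/xmldsig#sha1",
        "http://www.w3.org/2001/04/xmlenc#sha256",
        "http://www.w3.org/2001/04/xmldsig-more#sha384",
        "http://www.w3.org/2001/04/xmlenc#sha512");
    // W3C identifiers for signature methods, i.e. key algorithm plus digest (subset).
    static final Set<String> SIGNATURE_URIS = Set.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");

    /** Returns one message per misconfigured key; an empty list means both keys are consistent. */
    static List<String> check(Map<String, String> props) {
        List<String> problems = new ArrayList<>();
        String sig = props.get("signatureAlgorithm");        // WSHandlerConstants.SIG_ALGO
        String dig = props.get("signatureDigestAlgorithm");  // WSHandlerConstants.SIG_DIGEST_ALGO
        if (sig != null && DIGEST_URIS.contains(sig))
            problems.add("signatureAlgorithm holds a digest URI: " + sig);
        else if (sig != null && !SIGNATURE_URIS.contains(sig))
            problems.add("signatureAlgorithm is not a known signature URI: " + sig);
        if (dig != null && SIGNATURE_URIS.contains(dig))
            problems.add("signatureDigestAlgorithm holds a signature URI: " + dig);
        else if (dig != null && !DIGEST_URIS.contains(dig))
            problems.add("signatureDigestAlgorithm is not a known digest URI: " + dig);
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample: the interceptor entry as posted in the thread.
        Map<String, String> posted = new LinkedHashMap<>();
        posted.put("signatureAlgorithm", "http://www.w3.org/2001/04/xmlenc#sha256");
        // Constructed sample: SHA-256 throughout, each URI under its own key.
        Map<String, String> fixed = new LinkedHashMap<>();
        fixed.put("signatureAlgorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        fixed.put("signatureDigestAlgorithm", "http://www.w3.org/2001/04/xmlenc#sha256");
        System.out.println("posted: " + check(posted));
        System.out.println("fixed:  " + check(fixed));
    }
}
```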
Re: Using Bouncy Castle instead of Merlin in WSS4J 1.6.13

2014-03-14 Thread Giriraj Bhojak
That's bad on so many levels for me.
Really sorry to bother you with it, Colm.
I was going through
org.apache.ws.security.handler.WSHandlerConstants.SIG_ALGO and I copied the
property for SIG_DIGEST_ALGO instead of the one above it.

Apologies again for bothering you with it.

Thanks,
Giriraj.



On Fri, Mar 14, 2014 at 12:21 PM, Colm O hEigeartaigh cohei...@apache.org wrote:


 

 <entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256" />
 That is not a valid value for signatureAlgorithm as it is a digest
 algorithm.

 Colm.

