Re: could you help where to find wssj jar 2.3.0

2020-06-28 Thread Martin Gainty
Thank You Robert OBRIGADO

--
Sent from my Alcatel GO FLIP V

On Jun 24, 2020 2:16 PM, "robertlazarski ."  wrote:
I just built rampart from source and I see this jar in the rampart-samples dir.

We just moved to git:

git clone https://github.com/apache/axis-axis2-java-rampart.git

I had to execute this before running "mvn clean install"

axis-axis2-java-rampart/modules/rampart-policy> mvn clean jacoco:prepare-agent install

Anyways, after compilation I see the jar you are looking for here in the 
samples dir:

./modules/rampart-samples/target/axis2/lib/wss4j-1.6.19.jar

Regards,
Robert


On Mon, Jun 22, 2020 at 2:21 AM Gopinath R <rgopi2...@gmail.com> wrote:
Hi,
I am creating a Java SOAP client using SAAJ APIs. In that we prefer to use 
wss4j APIs for implementing the WS-Security Username token. But I could not find 
the WSS4J jars for version 2.3.0. Could you point me to where I can 
download the jar for version 2.3.0? Also please share samples for 
how to implement the WS-Security Username token with the latest wss4j 2.3.0 API.

Regards,
Gopinath R.
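A worked example of the Username Token part of this question, added here as an editor's example rather than code from the thread or from the WSS4J project. It assumes the WSS4J 2.3.0 artifact org.apache.wss4j:wss4j-ws-security-dom (published to Maven Central) is on the classpath together with a SAAJ implementation (JDK 8, or the javax.xml.soap-api dependency on newer JDKs); the credentials and the ping element are constructed sample values.

```java
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPMessage;

import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.w3c.dom.Document;

/** Adds a WS-Security UsernameToken to a SAAJ message with the WSS4J 2.3.x DOM API. */
public class UsernameTokenClient {

    /**
     * Inserts a wsse:Security header carrying a UsernameToken into the SAAJ message.
     * Digest form plus Nonce and Created: the cleartext password is not sent, and a
     * service that caches nonces can reject a replayed header.
     */
    public static Document addUsernameToken(SOAPMessage message, String user, String password)
            throws Exception {
        // SOAPPart is an org.w3c.dom.Document, so WSS4J can edit the SAAJ envelope in place
        Document doc = message.getSOAPPart();

        WSSecHeader secHeader = new WSSecHeader(doc);
        secHeader.insertSecurityHeader();

        WSSecUsernameToken token = new WSSecUsernameToken(secHeader);
        token.setUserInfo(user, password);
        token.setPasswordType(WSConstants.PASSWORD_DIGEST);
        token.addNonce();
        token.addCreated();
        Document secured = token.build();

        message.saveChanges();  // let SAAJ pick up the DOM changes before the message is sent
        return secured;
    }

    public static void main(String[] args) throws Exception {
        SOAPMessage message =
            MessageFactory.newInstance(SOAPConstants.SOAP_1_1_PROTOCOL).createMessage();
        // constructed sample payload
        message.getSOAPBody().addChildElement("ping", "ex", "urn:example:ping");

        // constructed sample credentials; a real client reads them from configuration
        Document secured = addUsernameToken(message, "alice", "correct-horse-battery");
        System.out.println(XMLUtils.prettyDocumentToString(secured));
    }
}
```

PASSWORD_DIGEST with Nonce and Created keeps the cleartext password out of the envelope and gives the service something to replay-check, but the digest is computed from the password itself, so the call still belongs on HTTPS.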


Re: WSS4J, OpenSAML and OSGi

2019-08-16 Thread Martin Gainty
If it is not a problem taking OpenSAML off of the classpath, perhaps the next 
question should be asked: should the manifest for cxf-rt-ws-security be changed 
to make the opensaml dependencies optional?

but not by you but by maven-build-plugin.. OSGI reads the manifest and either 
includes or excludes dependencies depending on which dependencies are contained 
in the Import Package specification and the version of the dependencies

Import Package:
This header declares the external dependencies of the bundle that the OSGi 
Framework uses to resolve the bundle. Specific versions or version ranges for 
each package can be declared

https://www.ibm.com/support/knowledgecenter/it/SSAW57_8.5.5/com.ibm.websphere.osgi.nd.multiplatform.doc/ae/ra_bundle_mf.html

HTH


Re: Alternative to Merlin crypto provider

2019-07-10 Thread Martin Gainty
a great idea for expanding WSS4Js capability to handle other crypto providers!

if you're in TLSClientParameters take a look at:

/**
 * Returns whether or not {@link javax.net.ssl.HttpsURLConnection#getDefaultSSLSocketFactory()} should be
 * used to create https connections. If true, {@link #getJsseProvider()},
 * {@link #getSecureSocketProtocol()}, {@link #getTrustManagers()}, {@link #getKeyManagers()},
 * {@link #getSecureRandom()}, {@link #getCipherSuites()} and {@link #getCipherSuitesFilter()} are
 * ignored.
 */
theoretically your new implementation of SSLSocketFactory once set thru
tlsClientParameters.setSSLSocketFactory(JesperSSLSocketFactory)
would 'provide' the necessary requisite attributes:
JsseProvider
TrustManagers
KeyManagers

/* some helpful Info from JSSE doc page: */
Obtaining an SSLSocketFactory

There are three primary ways of obtaining an SSLSocketFactory:

  *   Get the default factory by calling the SSLSocketFactory.getDefault static method.
  *   Receive a factory as an API parameter. That is, code which needs to create sockets 
but which doesn't care about the details of how the sockets are configured can include 
a method with an SSLSocketFactory parameter that can be called by clients to specify 
which SSLSocketFactory to use when creating sockets. (For example, javax.net.ssl.HttpsURLConnection.)
  *   Construct a new factory with specifically configured behavior.

The default factory is typically configured to support server authentication 
only so that sockets created by the default factory do not leak any more 
information about the client than a normal TCP socket would.

Many classes which create and use sockets do not need to know the details of 
socket creation behavior. Creating sockets through a socket factory passed in 
as a parameter is a good way of isolating the details of socket configuration, 
and increases the reusability of classes which create and use sockets.

You can create new socket factory instances either by implementing your own 
socket factory subclass or by using another class which acts as a factory for 
socket factories. One example of such a class is SSLContext, which is provided 
with the JSSE implementation as a provider-based configuration class.

once coded, your new crypto provider would be specified in 
$JRE_HOME/lib/security/java.security as security.provider.1  ?

https://doc.bccnsoft.com/docs/jdk7-docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLSocketFactory

is this what you're thinking?

i support your efforts in expanding crypto providers for WSS4J
and would like to help this important effort any way i can
M-


From: Jesper Duelund Isaksen 
Sent: Tuesday, July 9, 2019 7:22 AM
To: users@ws.apache.org
Subject: RE: Alternative to Merlin crypto provider


Thanks for the very quick reply!

Alright, so a custom provider is the way to go.

We are only experimenting at the moment so I am unsure if we will get to the 
point of having something good enough for contribution. The SVN repository is 
the correct place to branch out a separate contribution, I assume?

Kind regards
Jesper



From: Colm O hEigeartaigh 
Sent: 9. juli 2019 10:12
To: users@ws.apache.org
Subject: Re: Alternative to Merlin crypto provider



Contributions to the project involving new Crypto implementations would be very 
welcome :-)



Colm.



On Tue, Jul 9, 2019 at 8:02 AM Jesper Duelund Isaksen <jesper.duelund.isak...@systematic.com> wrote:

Hi



Does anyone know if an alternative to Merlin already exists that allows 
configuring Apache WSS4J with in-memory KeyStores, KeyManager and TrustManager 
or similar?

Perhaps something similar to what is exposed in CXF using the 
org.apache.cxf.configuration.jsse.TLSClientParameters class?



We are experimenting with a common security library implementation on top of Apache 
CXF for a set of services with a common WS-Trust-like security model intended 
to be running in containers. It would be great if secrets could be fetched from 
a system like HashiCorp's Vault or similar, however this seems to conflict with 
using static JKS keystores for the WSS4J configuration.



Alternatively it would perhaps be an idea to implement a custom crypto 
provider? Are there any critical pitfalls to be aware of, if this is the way to go?



Kind regards
Jesper Duelund Isaksen


--

Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
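As an added example (not from the thread and not WSS4J's own code) of what Jesper asks for: WSS4J's stock Merlin accepts KeyStore objects directly through its setKeyStore and setTrustStore setters, so both stores can be built from bytes pulled out of a secret manager instead of from a JKS path, and the rest of WSS4J never learns the difference. SecretSource and the vault paths are hypothetical placeholders; the PKCS12 blobs and passwords are whatever the secret manager returns.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.util.Arrays;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.w3c.dom.Document;

/** Merlin configured from in-memory KeyStores instead of JKS files on disk. */
public class InMemoryMerlin {

    /** Hypothetical secret-manager client; a Vault client would be wired in here. */
    public interface SecretSource {
        byte[] fetch(String path);
    }

    /** Parses a PKCS12 blob into a KeyStore without ever writing it to disk. */
    public static KeyStore keyStoreFromBytes(byte[] pkcs12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (ByteArrayInputStream in = new ByteArrayInputStream(pkcs12)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Stock Merlin with its identity and trust stores injected rather than loaded from files. */
    public static Merlin merlinFor(SecretSource secrets, String identityPath, String trustPath,
                                   char[] storePassword) throws Exception {
        KeyStore identity = keyStoreFromBytes(secrets.fetch(identityPath), storePassword);
        KeyStore trust = keyStoreFromBytes(secrets.fetch(trustPath), storePassword);
        Arrays.fill(storePassword, '\0');  // store password is not needed once loaded

        Merlin merlin = new Merlin();
        merlin.setKeyStore(identity);
        merlin.setTrustStore(trust);
        return merlin;
    }

    /** Signs the SOAP body with the private key under alias, using the in-memory Merlin. */
    public static Document signBody(Document doc, Merlin merlin, String alias, String keyPassword)
            throws Exception {
        WSSecHeader secHeader = new WSSecHeader(doc);
        secHeader.insertSecurityHeader();

        WSSecSignature sig = new WSSecSignature(secHeader);
        sig.setUserInfo(alias, keyPassword);
        // embed the certificate as a BinarySecurityToken so the receiver can verify the
        // signature and then check trust against its own trust store
        sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        return sig.build(merlin);
    }
}
```

Wiring it up looks like merlinFor(path -> vaultClient.read(path), "secret/svc/identity.p12", "secret/svc/trust.p12", storePw.toCharArray()) followed by signBody(envelope, merlin, "svc-signing", keyPw), with the vault client and paths being whatever the deployment uses. Because the Crypto instance is passed to build() explicitly, nothing in the WSS4J properties file or the CXF configuration has to point at a file.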


Re: Set WSS basic authentication on org.apache.axis.client.Stub

2018-02-18 Thread Martin Gainty
the SAML (the xml security header you are building) may be lacking a subject or 
lacking KeyInfo

or lacking the namespace http://www.w3.org/2000/09/xmldsig#  see below

XML-Signature Syntax and Processing
www.w3.org
This document has been reviewed by W3C Members and other interested parties and 
has been endorsed by the Director as a W3C Recommendation. It is a stable 
document and ...




RequestData data = new RequestData();
data.setSigCrypto(userCrypto); //only works when signature crypto ok
data.setWssConfig(getWsConfig()); //only works when wsconfig is ok
SAMLKeyInfo samlKeyInfo =
    SAMLUtil.getCredentialFromSubject( //assertion does not contain subject will cause stop
        assertion, data, wsDocInfo, getWsConfig().isWsiBSPCompliant()
    );
if (samlKeyInfo != null) {
    publicKey = samlKeyInfo.getPublicKey();
    certs = samlKeyInfo.getCerts();
    wsDocInfo.setCrypto(userCrypto);


public static SAMLKeyInfo getCredentialFromSubject(
    org.opensaml.saml1.core.Assertion assertion, //subject inside assertion maybe null
    RequestData data,
    WSDocInfo docInfo,
    boolean bspCompliant

samlSubject = attrStmt.getSubject() // if this causes null subject throw 'no subject' Exception

if (samlSubject == null) {
    throw new WSSecurityException(
        WSSecurityException.FAILURE, "invalidSAMLToken",
        new Object[] {"for Signature (no Subject)"}
    );
}


//you never get this far if subject is null
//even if subject!=null look at these checks which will fubar your ability to get certificates


Element sub = samlSubject.getSubjectConfirmation().getDOM();
Element keyInfoElement =
    WSSecurityUtil.getDirectChildElement(sub, "KeyInfo", WSConstants.SIG_NS); //u are lacking 'KeyInfo'
//http://www.w3.org/2000/09/xmldsig# //if you are lacking this namespace assignment you wont get certs


if (keyInfoElement != null) {
    return getCredentialFromKeyInfo(keyInfoElement, data, docInfo, bspCompliant);
}

//then the code below would never be executed since you dont have certs
public static SAMLKeyInfo getCredentialFromKeyInfo(
    Element keyInfoElement,
    RequestData data,
    WSDocInfo docInfo,
    boolean bspCompliant
) throws WSSecurityException {
    //
    // First try to find an EncryptedKey, BinarySecret or a SecurityTokenReference via DOM
    //
    Node node = keyInfoElement.getFirstChild();
    while (node != null) {
        if (Node.ELEMENT_NODE == node.getNodeType()) {
            QName el = new QName(node.getNamespaceURI(), node.getLocalName());
            if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
                EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
                List<WSSecurityEngineResult> result =
                    proc.handleToken((Element)node, data, docInfo, data.getSamlAlgorithmSuite());
                byte[] secret =
                    (byte[])result.get(0).get(
                        WSSecurityEngineResult.TAG_SECRET
                    );
                return new SAMLKeyInfo(secret);
            } else if (el.equals(BINARY_SECRET) || el.equals(BINARY_SECRET_05_12)) {
                Text txt = (Text)node.getFirstChild();
                return new SAMLKeyInfo(Base64.decode(txt.getData()));
            } else if (SecurityTokenReference.STR_QNAME.equals(el)) {
                STRParser strParser = new SignatureSTRParser();
                strParser.parseSecurityTokenReference(
                    (Element)node, data, docInfo, new HashMap<String, Object>()
                );
                SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo(strParser.getCertificates()); //null
                samlKeyInfo.setPublicKey(strParser.getPublicKey());
                samlKeyInfo.setSecret(strParser.getSecretKey());

                Principal principal = strParser.getPrincipal();

                // Check for compliance against the defined AlgorithmSuite
                AlgorithmSuite algorithmSuite = data.getSamlAlgorithmSuite();
                if (algorithmSuite != null && principal instanceof WSDerivedKeyTokenPrincipal) {
                    AlgorithmSuiteValidator algorithmSuiteValidator = new
                        AlgorithmSuiteValidator(algorithmSuite);

RE: How to use multiple CRL with WSS4J ?

2016-10-02 Thread Martin Gainty
Many Thanks for confirming the implementation for only X509 
Martin Gainty 

From: cohei...@apache.org
Date: Fri, 30 Sep 2016 16:40:42 +0100
Subject: Re: How to use multiple CRL with WSS4J ?
To: users@ws.apache.org

Martin, are you referring to the missing "PKCS7"? Merlin is designed to work 
with X.509 certificates, so it doesn't apply here.

Colm.

On Fri, Sep 30, 2016 at 4:35 PM, Martin Gainty <mgai...@hotmail.com> wrote:






From: cohei...@apache.org
Date: Fri, 30 Sep 2016 15:42:53 +0100
Subject: Re: How to use multiple CRL with WSS4J ?
To: users@ws.apache.org

Yes please do a pull request, or create a JIRA and attach the diff there.

Colm.

On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.w...@gmail.com> wrote:
Ok found your github. Will do a pull request.
2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
New version with the trim() correctly done after the split not before...

2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
Found that it was not possible with Merlin because it only allows defining a 
single CRL file. I have done a quick change that enables a comma-separated list 
of CRLs. Here is the change. Can someone review it and, if it's ok, add it to the 
official source code?

//
// Load the CRL file
//
String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
if (crlLocations != null) {
    crlLocations = crlLocations.trim();
    String[] splittedCrlsLocation = crlLocations.split(",");
    List<X509CRL> crls = new ArrayList<X509CRL>();
    for (int i = 0; i < splittedCrlsLocation.length; i++) {
        String crlLocation = splittedCrlsLocation[i];
        InputStream is = loadInputStream(loader, crlLocation);
        try {
            CertificateFactory cf = getCertificateFactory();
            X509CRL crl = (X509CRL) cf.generateCRL(is);
            crls.add(crl);
        } catch (Exception e) {
            if (DO_DEBUG) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
        } finally {
            if (is != null) {
                is.close();
            }
        }
    }
    try {
        if (provider == null || provider.length() == 0) {
            crlCertStore = CertStore.getInstance(
                "Collection",
                new CollectionCertStoreParameters(crls));
        } else {
            crlCertStore = CertStore.getInstance(
                "Collection",
                new CollectionCertStoreParameters(crls),
                provider);
        }
    } catch (Exception e) {
        if (DO_DEBUG) {
            LOG.debug(e.getMessage(), e);
        }
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
    }
    if (DO_DEBUG) {
        LOG.debug("The CRL " + crlLocations + " has been loaded");
    }
}
MG> Merlin.java
    List<X509Certificate> certList = Arrays.asList(x509certs);
    CertPath path = getCertificateFactory().generateCertPath(certList);
MG> what I see from IBM:
    FileInputStream fis = new FileInputStream(filename);
    // instantiate a CertificateFactory for X.509
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    // extract the certification path from
    // the PKCS7 SignedData structure
    CertPath cp = cf.generateCertPath(fis, "PKCS7");
MG> is IBM doc incorrect?
http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/certpathDocs/certificatefactory.html
Best Regards,
Claude

2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
Hi,
I got the following PKI chain: Root CA > Intermediate CA > Client signing 
certificate
As suggested by Colm, I have set in my truststore my Intermediate CA and my Root 
CA.
However, by doing this, CRL verification doesn't work. In fact, it seems to 
validate my Intermediate CA against the Root CA CRL while I'm only interested 
in verifying the client certificate. I'm not sure how revocation validation works 
but it seems to validate a CRL for every certificate (except the Root). However, I 
don't know how to specify multiple CRLs in WSS4J or if 
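Claude's observation that a CRL is checked for every certificate except the root is how the JDK PKIX validator behaves: with revocation enabled, each certificate in the path below the trust anchor needs a CRL issued by its own issuer. The added example below (editor's code, not from the thread and not Merlin's) builds the same kind of Collection CertStore from several CRLs that the patch above builds, then runs a PKIX validation of a leaf/intermediate chain against a root and reports which certificate in the path failed and why. The encoded CRLs and certificates are inputs the caller supplies.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** PKIX path validation fed with several CRLs through one Collection CertStore. */
public class MultiCrlValidator {

    /** Parses each encoded CRL (DER or PEM) and collects them into one CertStore. */
    public static CertStore crlStore(List<byte[]> encodedCrls) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (byte[] encoded : encodedCrls) {
            crls.add((X509CRL) cf.generateCRL(new ByteArrayInputStream(encoded)));
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    /**
     * Validates chain (leaf first, trust anchor NOT included) against root with revocation on.
     * PKIX checks revocation for every certificate below the anchor, so for
     * Root CA > Intermediate CA > client certificate the store needs both the root's CRL
     * (which covers the intermediate) and the intermediate's CRL (which covers the client).
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       X509Certificate root,
                                                       CertStore crls) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);  // the default, set explicitly so the intent is visible
        params.addCertStore(crls);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    /** Turns a validator failure into a log line that says which certificate broke the path. */
    public static String explain(CertPathValidatorException e) {
        // getIndex() is the position in the path (0 = leaf) of the failing certificate, -1 if unknown
        return "certificate #" + e.getIndex() + " failed: " + e.getReason()
            + " (" + e.getMessage() + ")";
    }
}
```

If only the intermediate's CRL is supplied, the validator cannot settle the intermediate's own status and fails with reason UNDETERMINED_REVOCATION_STATUS at index 1; that is the symptom described above, and the cure is to provide the root-issued CRL as well, which is exactly what a multi-CRL CertStore allows.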

RE: TLS 1.2 support

2016-08-24 Thread Martin Gainty
MG>axis-rampart 1.6.2 implements 1.6.4
MG>if i grep experimental branch wss4j-1.6.19 
MG>org.apache.ws.security.conversation.dkalgo.P_SHA1.java where P_SHA1 is TLS V 1.0 implementation?

/**
 * P_SHA-1 DEFINITION ==
 * P_SHA-1(secret, seed) = HMAC_SHA-1(secret, A(1) + seed) +
 *                         HMAC_SHA-1(secret, A(2) + seed) +
 *                         HMAC_SHA-1(secret, A(3) + seed) + ...
 * Where + indicates concatenation.
 * A() is defined as:
 *   A(0) = seed
 *   A(i) = HMAC_SHA-1(secret, A(i-1))
 * Source : RFC 2246 - The TLS Protocol Version 1.0
 *          Section 5. HMAC and the pseudorandom function
 *
 * @author Ruchith Fernando
 */

MG>org.apache.ws.security.saml.ext.builder.SAML1Constants.java seems to contain authentication definition for RFC 2246 ?

/**
 * The authentication was performed using either the SSL or TLS protocol with certificate
 * based client authentication. TLS is described in [RFC 2246].
 */
public static final String AUTH_METHOD_TLS_CLIENT = "urn:ietf:rfc:2246";

MG>Nota Bene: RFC2246 is TLS 1.0

MG>org.apache.ws.security.message.token.UsernameToken seems to implement P_hash function for RFC 2246 (TLS v 1.0)?

/**
 * P_hash as defined in RFC 2246 for TLS.
 *
 * @param secret is the key for the HMAC
 * @param seed the seed value to start the generation - A(0)
 * @param mac the HMAC algorithm
 * @param required number of bytes to generate
 * @return a byte array that contains a secret key
 * @throws Exception
 */
private static byte[] P_hash(byte[] secret, byte[] seed, Mac mac, int required) throws Exception {
    byte[] out = new byte[required];
    int offset = 0, tocpy;
    byte[] a, tmp;
    //
    // a(0) is the seed
    //
    a = seed;
    SecretKeySpec key = new SecretKeySpec(secret, "HMACSHA1");
    mac.init(key);
    while (required > 0) {
        mac.update(a);
        a = mac.doFinal();
        mac.update(a);
        mac.update(seed);
        tmp = mac.doFinal();
        tocpy = min(required, tmp.length);
        System.arraycopy(tmp, 0, out, offset, tocpy);
        offset += tocpy;
        required -= tocpy;
    }
    return out;
}

MG>axis2-1.6.2 has no mention of AUTH_METHOD_TLS_CLIENT
MG>assuming AUTH_METHOD_TLS_CLIENT  (referenced in SAMLTokenProcessor) defined in WSS4J SAML1Constants for TLS v1.0
MG>would copying these RFC-2246  attributes/functions to RFC-5246 equivalents allow TLS V1.2 to be implemented?

MG>Suggestions on implementing TLS V1.2 eagerly solicited


From: cohei...@apache.org
Date: Wed, 24 Aug 2016 09:55:46 +0100
Subject: Re: TLS 1.2 support
To: users@ws.apache.org

Apache WSS4J does not implement TLS at all, it is solely an implementation of 
the WS-Security standards. Perhaps you want Apache CXF or Axis instead?

Colm.

On Fri, Aug 19, 2016 at 12:06 PM, Amit Lonkar <amitlon...@yahoo.com> wrote:
Anyone who could let me know the answer to the question below ?
Thanks
Amit

On Aug 18, 2016, at 5:16 AM, Martin Gainty <mgai...@hotmail.com> wrote:

"Could you please let me know which version of wss4j implements TLSv1.2 
(rfc5246)"
Please honour this question

Thank You,
Martin


From: amitlon...@yahoo.com
Subject: TLS 1.2 support
Date: Tue, 16 Aug 2016 09:27:56 -0600
To: users@ws.apache.org

Could you please let me know which version of wss4j implements TLSv1.2 (rfc5246)
Thanks
Amit


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
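The P_hash that Martin quotes is a key-derivation function that TLS 1.0 and the WS-Security derived-key mechanisms (UsernameToken Profile, WS-SecureConversation) happen to share; WSS4J uses it to derive keys inside WS-Security messages, not to run a TLS handshake. The added example below (editor's code, not WSS4J's) implements P_hash over any JCE HMAC and then the RFC 5246 PRF, which is P_SHA256 over label + seed, so the actual difference between the two RFCs is visible in code. Which TLS version the transport negotiates is decided by the JSSE SSLContext (for instance SSLContext.getInstance("TLSv1.2")) configured in CXF or Axis, as Colm's reply points out. The secret and seed are constructed sample bytes.

```java
import java.nio.charset.StandardCharsets;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** P_hash (RFC 2246 section 5) over any JCE HMAC, and the TLS 1.2 PRF (RFC 5246) built on it. */
public class TlsPrf {

    /**
     * P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
     * with A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to `required` bytes.
     */
    public static byte[] pHash(byte[] secret, byte[] seed, String hmacAlgorithm, int required)
            throws Exception {
        Mac mac = Mac.getInstance(hmacAlgorithm);
        mac.init(new SecretKeySpec(secret, hmacAlgorithm));

        byte[] out = new byte[required];
        byte[] a = seed;               // A(0)
        int offset = 0;
        while (offset < required) {
            a = mac.doFinal(a);        // A(i) = HMAC(secret, A(i-1)); doFinal resets the Mac
            mac.update(a);
            mac.update(seed);
            byte[] block = mac.doFinal();  // HMAC(secret, A(i) + seed)
            int n = Math.min(required - offset, block.length);
            System.arraycopy(block, 0, out, offset, n);
            offset += n;
        }
        return out;
    }

    /** RFC 5246 section 5: PRF(secret, label, seed) = P_SHA256(secret, label + seed). */
    public static byte[] tls12Prf(byte[] secret, String label, byte[] seed, int required)
            throws Exception {
        byte[] labelBytes = label.getBytes(StandardCharsets.US_ASCII);
        byte[] labelSeed = new byte[labelBytes.length + seed.length];
        System.arraycopy(labelBytes, 0, labelSeed, 0, labelBytes.length);
        System.arraycopy(seed, 0, labelSeed, labelBytes.length, seed.length);
        return pHash(secret, labelSeed, "HmacSHA256", required);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-sample-secret".getBytes(StandardCharsets.US_ASCII);
        byte[] seed = "constructed-sample-seed".getBytes(StandardCharsets.US_ASCII);
        // P_SHA-1, the variant the quoted WSS4J code hard-wires through "HMACSHA1"
        System.out.println("P_SHA1     : " + hex(pHash(secret, seed, "HmacSHA1", 32)));
        // TLS 1.2 PRF: same expansion, SHA-256 HMAC, label prepended to the seed
        System.out.println("TLS1.2 PRF : " + hex(tls12Prf(secret, "test label", seed, 32)));
    }
}
```

Swapping the HMAC and prepending a label is the whole of the PRF change between RFC 2246 and RFC 5246; everything that makes a connection "TLS 1.2" (record layer, handshake messages, signature algorithms) lives in the JSSE stack that the transport uses, which is why a WSS4J version number has no bearing on the TLS version.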
  

RFC5246

2016-08-11 Thread Martin Gainty
looking for timeline on implementing TLSv1.2
 https://www.ietf.org/rfc/rfc5246.txt
Thank You
Martin 