It's not possible to specify a KeyName by configuration at the moment. The only supported values are (from http://ws.apache.org/wss4j/config.html):
DirectReference
IssuerSerial
X509KeyIdentifier
SKIKeyIdentifier
EmbeddedKeyName
Thumbprint
EncryptedKeySHA1

You can configure KeyNames programmatically though.

Colm.

On Mon, Aug 1, 2011 at 9:40 PM, jaybytez <[email protected]> wrote:
> I am currently working with CXF/WSS4J to try and produce a digital signature.
>
> I believe I have all the correct options in place with the following code:
>
> *Spring Context*
>
> <bean id="wss4jOutInterceptor"
>       class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>     <constructor-arg>
>         <map>
>             <entry key="action" value="Signature"/>
>             <entry key="user" value="username"/>
>             <entry key="signatureUser" value="username"/>
>             <entry key="signatureKeyIdentifier" value="X509KeyIdentifier"/>
>             <entry key="signatureParts"
>                    value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>             <entry key="signaturePropFile" value="signature-wss4j.properties"/>
>             <entry key="passwordCallbackRef">
>                 <bean class="com.foo.PasswordCallbackHandler">
>                     <property name="password" value="password"/>
>                 </bean>
>             </entry>
>         </map>
>     </constructor-arg>
> </bean>
>
> *signature-wss4j.properties*
>
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.password=password
> org.apache.ws.security.crypto.merlin.keystore.alias=username
> org.apache.ws.security.crypto.merlin.file=keystore.jks
>
> When I submit my request using the previous interceptor configuration, which
> is configured via the org.apache.cxf.jaxws.JaxWsProxyFactoryBean, the SOA
> product we are submitting to fails to auth the signature (and says "Failed
> to gather credentials").
>
> The product's documentation states the following:
>
> /
> From the SOA Security Manager manual:
> *Required XML Document Elements for XML-DSIG Authentication*
> For the XML-DSIG authentication scheme to work, the XML document sent by the
> web service consumer must contain the following elements:
> *<Signature>*
> As the parent element for the XML signature, it specifies all information
> relevant to the digital signature. To verify the signature, SOA Security
> Manager requires that an X.509 certificate be part of the <Signature>
> element in the XML document. Because the Policy Server does not interact
> with a Certificate Authority for this scheme, you must configure a
> certificate mapping that maps the Issuer DN in the certificate to a
> corresponding entry in the referenced user store. For LDAP user directories
> only, you can configure the certificate mapping to require that a copy of
> the certificate is in the user store to be compared against the certificate
> in the document.
> *<KeyInfo>*
> This element specifies the key needed to validate the signature. This
> information may include keys, names, and certificates for the sender. For
> the Policy Server to authenticate a client, this element must have enough
> information to determine the public key that created the signature.
> *<KeyName>*
> This is a child element of <KeyInfo>; it contains a string value that
> identifies the key to the recipient of the XML document. This string could
> be a key index, a distinguished name (DN), or an email address, for
> example.
> /
>
> So the thought is that I am missing KeyName in the signature that is getting
> generated, but I haven't found any properties that would let me set that
> value in the KeyInfo. Are there properties that would give me control of
> this?
>
> I have read through the CXF documentation, Spring Web Services (for WSS4J
> examples), WSS4J, and FuseSource Security docs... but I can't seem to find
> what I am looking for.
>
> Thanks for the time and help,
>
> Jay Blanton
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/KeyName-within-a-Digital-Signature-Configurable-tp4656619p4656619.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
