Hi Ted,

I see that your crypto provider returns null for private keys and always returns false from verifyTrust(). If you manage your private keys in a keystore, you should initialize the default WSS4J Merlin crypto provider with that keystore and delegate getPrivateKey() calls to Merlin. verifyTrust() must validate the certificate (you can just return true for a quick test).
As a sample look into the XKMS Crypto provider implementation contributed with XKMS: https://svn.apache.org/repos/asf/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto . Some information you will find in my blog: http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html .

Regards,
Andrei.

From: Ted Roeloffzen [mailto:[email protected]]
Sent: Tuesday, 30 July 2013 11:51
To: Andrei Shakirin
Subject: Re: CXF WS-security policy question

Hi all,

This is a code snippet of what I'm doing.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.apache.ws.security.components.crypto.CryptoType;

public class TestCertificateProviderInterceptor extends AbstractPhaseInterceptor<Message> {

    // Minimal Crypto that only knows one certificate: no private key, no trust validation.
    public static class TestCertificateHolder extends CryptoBase {
        protected X509Certificate trustedCert;

        public TestCertificateHolder(X509Certificate trustedCert) {
            this.trustedCert = trustedCert;
            setDefaultX509Identifier("");
        }

        @Override
        public X509Certificate[] getX509Certificates(CryptoType cryptoType) {
            // The CryptoType (alias or other identifier) is ignored; always the single cert.
            X509Certificate[] certificates = {trustedCert};
            return certificates;
        }

        @Override
        public String getX509Identifier(X509Certificate cert) {
            return null;
        }

        @Override
        public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) {
            return null; // no private key available for signing
        }

        @Override
        public PrivateKey getPrivateKey(String identifier, String password) {
            return null;
        }

        @Override
        @Deprecated
        public boolean verifyTrust(X509Certificate[] certs) {
            return false;
        }

        @Override
        public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) {
            return false; // every received certificate is rejected
        }

        @Override
        public boolean verifyTrust(PublicKey publicKey) {
            return false;
        }
    }

    // CertificateHolder is Ted's own class that supplies the certificate loaded from the database.
    private CertificateHolder holder;

    public TestCertificateProviderInterceptor(CertificateHolder holder) {
        super(Phase.PRE_LOGICAL);
        this.holder = holder;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        TestCertificateHolder store = new TestCertificateHolder(holder.getCertificate());
        message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, store);
    }
}
```

Could it be a problem that I'm not overriding the standard implementation of the verifyTrust-methods?

kind regards,

Ted Roeloffzen

2013/7/12 Andrei Shakirin <[email protected]>

Hi Ted,

I used own CryptoBase extension for signature and encryption, so basically it should work. How do you set the SIGNATURE_CRYPTO crypto, in configuration or in interceptor? Do you apply it to the whole client or to the message? A simple test case will of course be very helpful. Absolutely not a problem to get it in two weeks or later.

Regards,
Andrei.

> -----Original Message-----
> From: Ted Roeloffzen [mailto:[email protected]]
> Sent: Friday, 12 July 2013 16:06
> To: users; Colm O hEigeartaigh
> Subject: Re: CXF WS-security policy question
>
> Hi Colm,
>
> I hoped there would be a quick fix for the problem, because I'm going on a vacation tomorrow and won't be taking my laptop with me.
> Because of my vacation I'm unable to create a test case or a patch.
> If this problem is still there in 2 weeks, I would be happy to take a look at it.
>
> kind regards,
>
> Ted
>
> 2013/7/12 Colm O hEigeartaigh <[email protected]>
>
> > Hi Ted,
> >
> > It's likely there are some bugs in the code surrounding the use of such a Crypto implementation. Would it be possible to share a test-case or are you interested in providing a patch for this issue?
> >
> > Colm.
> >
> > On Fri, Jul 12, 2013 at 2:41 PM, Ted Roeloffzen <[email protected]> wrote:
> >
> > > Hi Andrei,
> > >
> > > Thanks for your advice.
> > > I created a class that implements Crypto, actually it extends CryptoBase, but now I get the message: No callback handler and no password available
> > > Do I have to repeat the same thing here? Just create somewhat of a dummy implementation of CallbackHandler?
> > >
> > > Kind regards,
> > >
> > > Ted
> > >
> > > 2013/7/12 Andrei Shakirin <[email protected]>
> > >
> > > > Hi Ted,
> > > >
> > > > I assume that your CertificateStore object implements the wss4j org.apache.ws.security.components.crypto.Crypto interface, does it?
> > > > The reason why CXF needs the SIGNATURE_USERNAME property is the following: even a single CXF client can be used by multiple users having different private and public keys.
> > > > Therefore the Crypto interface provides the method getX509Certificates() with a CryptoType argument, that specifies the keystore alias (or other X509 identifier) to be used.
> > > >
> > > > If you always have only one user and a single certificate, you can provide any non-empty value in the Crypto.getDefaultX509Identifier() method and just ignore it in Crypto.getX509Certificates().
> > > >
> > > > Regards,
> > > > Andrei.
> > > >
> > > > > -----Original Message-----
> > > > > From: Ted Roeloffzen [mailto:[email protected]]
> > > > > Sent: Friday, 12 July 2013 11:31
> > > > > To: users
> > > > > Subject: CXF WS-security policy question
> > > > >
> > > > > Hi All,
> > > > >
> > > > > I'm trying to create a webservice client that uses the security policy which is specified in the WSDL.
> > > > > As the certificate that is used for this client has to be loaded from the database I created an Interceptor that sets the SIGNATURE_CRYPTO property with a CertificateStore object that contains the correct certificate.
> > > > > When I try to send a message I get the following error-message: No configured signature username detected
> > > > >
> > > > > Because there is only one certificate in the CertificateStore, there is no need for a username. But nonetheless I get this error.
> > > > >
> > > > > Can anyone point me in the right direction?
> > > > >
> > > > > Great many thanks.
> > > > >
> > > > > Kind regards,
> > > > >
> > > > > Ted Roeloffzen
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
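The following is an added example, not code from this thread, showing the shape Andrei recommends: the Crypto serves the database-loaded certificate itself, hands private-key lookup and trust validation to a WSS4J Merlin instance built over a real keystore and truststore, and the interceptor sets SIGNATURE_USERNAME and a CallbackHandler alongside SIGNATURE_CRYPTO, which addresses both error messages quoted above ("No configured signature username detected" and "No callback handler and no password available"). The alias "client", the class names DelegatingDbCrypto, KeyPasswordHandler and Installer, and the caller-supplied KeyStore objects are assumptions; the WSS4J and CXF APIs used (Merlin, CryptoType, WSPasswordCallback, SecurityConstants) are the 1.6/2.7-era ones from the thread.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.components.crypto.Merlin;

// Example (not from the thread): own cert from the DB, keys and trust delegated to Merlin.
public class DelegatingDbCrypto extends CryptoBase {
    static final String ALIAS = "client"; // assumed alias of the client key in the keystore
    private final X509Certificate dbCert;
    private final Merlin merlin;

    public DelegatingDbCrypto(X509Certificate dbCert, KeyStore keyStore, KeyStore trustStore) {
        this.dbCert = dbCert;
        this.merlin = new Merlin();
        merlin.setKeyStore(keyStore);     // the private key lives here, not in the database
        merlin.setTrustStore(trustStore); // CA certificates that verifyTrust chains to
        setDefaultX509Identifier(ALIAS);  // non-empty, so WSS4J has a signature username
    }
    @Override
    public X509Certificate[] getX509Certificates(CryptoType type) throws WSSecurityException {
        // Our own signing cert is requested by alias; other lookups (SKI, issuer/serial,
        // thumbprint of a received certificate) are resolved by Merlin against the keystores.
        if (type.getType() == CryptoType.TYPE.ALIAS && ALIAS.equals(type.getAlias())) {
            return new X509Certificate[] {dbCert};
        }
        return merlin.getX509Certificates(type);
    }
    @Override
    public String getX509Identifier(X509Certificate cert) throws WSSecurityException {
        return dbCert.equals(cert) ? ALIAS : merlin.getX509Identifier(cert);
    }
    @Override
    public PrivateKey getPrivateKey(X509Certificate cert, CallbackHandler handler) throws WSSecurityException {
        // Merlin asks the handler for the key password; a null handler is what produces
        // "No callback handler and no password available".
        return merlin.getPrivateKey(cert, handler);
    }
    @Override
    public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException {
        return merlin.getPrivateKey(identifier, password);
    }
    @Override
    @Deprecated
    public boolean verifyTrust(X509Certificate[] certs) throws WSSecurityException {
        return verifyTrust(certs, false);
    }
    @Override
    public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) throws WSSecurityException {
        return merlin.verifyTrust(certs, enableRevocation); // PKIX path validation, never a blind true
    }
    @Override
    public boolean verifyTrust(PublicKey publicKey) throws WSSecurityException {
        return merlin.verifyTrust(publicKey);
    }

    // Answers WSS4J's WSPasswordCallback with the private-key password for our alias.
    public static class KeyPasswordHandler implements CallbackHandler {
        private final String keyPassword;
        public KeyPasswordHandler(String keyPassword) { this.keyPassword = keyPassword; }
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback c : callbacks) {
                if (!(c instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(c);
                WSPasswordCallback pc = (WSPasswordCallback) c;
                if (ALIAS.equals(pc.getIdentifier())) pc.setPassword(keyPassword);
            }
        }
    }

    // Interceptor that installs crypto, signature username and callback handler per message.
    public static class Installer extends AbstractPhaseInterceptor<Message> {
        private final DelegatingDbCrypto crypto;
        private final CallbackHandler handler;
        public Installer(DelegatingDbCrypto crypto, String keyPassword) {
            super(Phase.PRE_LOGICAL);
            this.crypto = crypto;
            this.handler = new KeyPasswordHandler(keyPassword);
        }
        @Override
        public void handleMessage(Message message) throws Fault {
            message.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
            message.put(SecurityConstants.SIGNATURE_USERNAME, ALIAS);
            message.put(SecurityConstants.CALLBACK_HANDLER, handler);
        }
    }
}
```

Register the Installer on the client's out-interceptor chain with the DelegatingDbCrypto built from the database certificate and the two keystores. The point of delegating verifyTrust to Merlin rather than returning a constant is that the server's signing certificate is then actually chained to the truststore (with revocation checking when enableRevocation is set), so a signature from an untrusted key fails validation instead of being silently accepted or always rejected.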
