Hi Andrei,

The problem is that I don't have a keystore. The certificate is loaded from the database.

Kind regards,
Ted

2013/7/30 Andrei Shakirin <[email protected]>

> Hi Ted,
>
> I see that your crypto provider returns null for private keys and always returns false from verifyTrust().
> If you manage your private keys in a keystore, you should initialize the default WSS4J Merlin crypto provider with that keystore and delegate getPrivateKey() calls to Merlin.
> verifyTrust() must validate the certificate (you can just return true for a quick test).
>
> As a sample, look into the XKMS Crypto provider implementation contributed with XKMS:
> https://svn.apache.org/repos/asf/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto.
>
> Some information you will find in my blog:
> http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html.
>
> Regards,
> Andrei.
>
> From: Ted Roeloffzen [mailto:[email protected]]
> Sent: Tuesday, 30 July 2013 11:51
> To: Andrei Shakirin
> Subject: Re: CXF WS-security policy question
>
> Hi all,
>
> This is a code snippet of what I'm doing.
>
>     import java.security.PrivateKey;
>     import java.security.PublicKey;
>     import java.security.cert.X509Certificate;
>     import javax.security.auth.callback.CallbackHandler;
>     import org.apache.cxf.interceptor.Fault;
>     import org.apache.cxf.message.Message;
>     import org.apache.cxf.phase.AbstractPhaseInterceptor;
>     import org.apache.cxf.phase.Phase;
>     import org.apache.cxf.ws.security.SecurityConstants;
>     import org.apache.ws.security.components.crypto.CryptoBase;
>     import org.apache.ws.security.components.crypto.CryptoType;
>
>     // CertificateHolder is Ted's own DB-backed class; it is not shown in this snippet.
>     public class TestCertificateProviderInterceptor extends AbstractPhaseInterceptor<Message>
>     {
>         public static class TestCertificateHolder extends CryptoBase
>         {
>             protected X509Certificate trustedCert;
>
>             public TestCertificateHolder(X509Certificate trustedCert)
>             {
>                 this.trustedCert = trustedCert;
>                 setDefaultX509Identifier("");
>             }
>
>             @Override
>             public X509Certificate[] getX509Certificates(CryptoType cryptoType)
>             {
>                 // The single DB-loaded certificate is returned for every CryptoType.
>                 X509Certificate[] certificates = {trustedCert};
>                 return certificates;
>             }
>
>             @Override
>             public String getX509Identifier(X509Certificate cert)
>             {
>                 return null;
>             }
>
>             @Override
>             public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
>             {
>                 return null;
>             }
>
>             @Override
>             public PrivateKey getPrivateKey(String identifier, String password)
>             {
>                 return null;
>             }
>
>             @Override
>             @Deprecated
>             public boolean verifyTrust(X509Certificate[] certs)
>             {
>                 return false;
>             }
>
>             @Override
>             public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation)
>             {
>                 return false;
>             }
>
>             @Override
>             public boolean verifyTrust(PublicKey publicKey)
>             {
>                 return false;
>             }
>         }
>
>         private CertificateHolder holder;
>
>         public TestCertificateProviderInterceptor(CertificateHolder holder)
>         {
>             super(Phase.PRE_LOGICAL);
>             this.holder = holder;
>         }
>
>         @Override
>         public void handleMessage(Message message) throws Fault
>         {
>             // A fresh Crypto wrapping the DB certificate is attached to every exchange.
>             TestCertificateHolder store = new TestCertificateHolder(holder.getCertificate());
>             message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, store);
>         }
>     }
>
> Could it be a problem that I'm not overriding the standard implementation of the verifyTrust methods?
>
> Kind regards,
>
> Ted Roeloffzen
>
>
> 2013/7/12 Andrei Shakirin <[email protected]>
>
> Hi Ted,
>
> I used my own CryptoBase extension for signature and encryption, so basically it should work.
> How do you set the SIGNATURE_CRYPTO crypto, in configuration or in an interceptor?
> Do you apply it to the whole client or to the message?
>
> A simple test case will of course be very helpful. Absolutely not a problem to get it in two weeks or later.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Ted Roeloffzen [mailto:[email protected]]
> > Sent: Friday, 12 July 2013 16:06
> > To: users; Colm O hEigeartaigh
> > Subject: Re: CXF WS-security policy question
> >
> > Hi Colm,
> >
> > I hoped there would be a quick fix for the problem, because I'm going on a vacation tomorrow and won't be taking my laptop with me.
> > Because of my vacation I'm unable to create a test case or a patch.
> > If this problem is still there in 2 weeks, I would be happy to take a look at it.
> >
> > Kind regards,
> >
> > Ted
> >
> >
> > 2013/7/12 Colm O hEigeartaigh <[email protected]>
> >
> > > Hi Ted,
> > >
> > > It's likely there are some bugs in the code surrounding the use of such a Crypto implementation. Would it be possible to share a test case, or are you interested in providing a patch for this issue?
> > >
> > > Colm.
> > >
> > >
> > > On Fri, Jul 12, 2013 at 2:41 PM, Ted Roeloffzen <[email protected]> wrote:
> > >
> > > > Hi Andrei,
> > > >
> > > > Thanks for your advice.
> > > > I created a class that implements Crypto (actually it extends CryptoBase), but now I get the message:
> > > > No callback handler and no password available
> > > > Do I have to repeat the same thing here? Just create somewhat of a dummy implementation of CallbackHandler?
> > > >
> > > > Kind regards,
> > > >
> > > > Ted
> > > >
> > > >
> > > > 2013/7/12 Andrei Shakirin <[email protected]>
> > > >
> > > > > Hi Ted,
> > > > >
> > > > > I assume that your CertificateStore object implements the WSS4J org.apache.ws.security.components.crypto.Crypto interface, does it?
> > > > > The reason why CXF needs the SIGNATURE_USERNAME property is the following: even a single CXF client can be used by multiple users having different private and public keys.
> > > > > Therefore the Crypto interface provides the method getX509Certificates() with a CryptoType argument, which specifies the keystore alias (or other X509 identifier) to be used.
> > > > >
> > > > > If you always have only one user and a single certificate, you can provide any non-empty value in the Crypto.getDefaultX509Identifier() method and just ignore it in Crypto.getX509Certificates().
> > > > >
> > > > > Regards,
> > > > > Andrei.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ted Roeloffzen [mailto:[email protected]]
> > > > > > Sent: Friday, 12 July 2013 11:31
> > > > > > To: users
> > > > > > Subject: CXF WS-security policy question
> > > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > I'm trying to create a web service client that uses the security policy which is specified in the WSDL.
> > > > > > As the certificate that is used for this client has to be loaded from the database, I created an Interceptor that sets the SIGNATURE_CRYPTO property with a CertificateStore object that contains the correct certificate.
> > > > > > When I try to send a message I get the following error message:
> > > > > > No configured signature username detected
> > > > > >
> > > > > > Because there is only one certificate in the CertificateStore, there is no need for a username. But nonetheless I get this error.
> > > > > >
> > > > > > Can anyone point me in the right direction?
> > > > > >
> > > > > > Great many thanks.
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Ted Roeloffzen
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
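Pulling the advice in this thread together, the following is an added example of a CryptoBase extension for a single database-backed identity. It is my own illustration, not code from the thread, from CXF or from WSS4J: it returns the one certificate for any CryptoType and uses a non-empty default identifier (Andrei's point about SIGNATURE_USERNAME), serves the private key directly under the assumption that the database hands back the key alongside the certificate rather than keeping it in a keystore (the case where delegating getPrivateKey() to Merlin would apply instead), and implements verifyTrust() with real PKIX path validation against a set of trusted CA certificates instead of returning a constant. The class name, the constructor arguments and the identifier string are all assumptions of the example.

```java
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.apache.ws.security.components.crypto.CryptoType;

/** Crypto backed by one DB-loaded identity plus trusted CA certs (added example, not WSS4J/CXF code). */
public class DatabaseCrypto extends CryptoBase {
    private static final String IDENTIFIER = "db-signing-identity"; // any non-empty value will do (assumption)
    private final X509Certificate signingCert;
    private final PrivateKey signingKey;
    private final Set<X509Certificate> trustedCas = new HashSet<X509Certificate>();
    private final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();

    // cert, key and cas are assumed to come from the database (hypothetical accessor, not shown).
    public DatabaseCrypto(X509Certificate cert, PrivateKey key, Collection<X509Certificate> cas) {
        signingCert = cert;
        signingKey = key;
        for (X509Certificate ca : cas) {
            trustedCas.add(ca);
            anchors.add(new TrustAnchor(ca, null));
        }
        setDefaultX509Identifier(IDENTIFIER);
    }

    @Override
    public X509Certificate[] getX509Certificates(CryptoType cryptoType) {
        // One identity only: the alias / issuer-serial / thumbprint in cryptoType is ignored on purpose.
        return new X509Certificate[] {signingCert};
    }

    @Override
    public String getX509Identifier(X509Certificate cert) {
        return signingCert.equals(cert) ? IDENTIFIER : null;
    }

    @Override
    public PrivateKey getPrivateKey(X509Certificate cert, CallbackHandler callbackHandler) {
        return signingCert.equals(cert) ? signingKey : null; // key came from the DB, no password callback needed
    }

    @Override
    public PrivateKey getPrivateKey(String identifier, String password) {
        return IDENTIFIER.equals(identifier) ? signingKey : null;
    }

    @Override
    @Deprecated
    public boolean verifyTrust(X509Certificate[] certs) {
        return verifyTrust(certs, false);
    }

    @Override
    public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) {
        if (certs == null || certs.length == 0 || anchors.isEmpty()) {
            return false;
        }
        // WSS4J passes the chain leaf-first; stop at the first trust anchor, because PKIX
        // validates a path *up to* an anchor and the anchor itself must not be in the path.
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        for (X509Certificate c : certs) {
            if (trustedCas.contains(c)) {
                break;
            }
            path.add(c);
        }
        if (path.isEmpty()) {
            return true; // the presented certificate is itself one of our anchors
        }
        try {
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(enableRevocation);
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // unknown issuer, broken chain signature, expired or revoked cert, ...
        }
    }

    @Override
    public boolean verifyTrust(PublicKey publicKey) {
        // Raw KeyValue tokens: trust the key only if it is the key of a trusted CA certificate.
        for (X509Certificate ca : trustedCas) {
            if (ca.getPublicKey().equals(publicKey)) {
                return true;
            }
        }
        return false;
    }
}
```

Wire it the same way the interceptor in the thread does, by putting the instance on the exchange under SecurityConstants.SIGNATURE_CRYPTO; putting SecurityConstants.SIGNATURE_USERNAME on the exchange with crypto.getDefaultX509Identifier() as well makes the username explicit rather than relying on the default identifier alone. The "just return true" that Andrei mentions is fine for a quick test, but it makes the client accept a signature from any certificate whatsoever, which is why the example validates a path to a known anchor and lets the enableRevocation flag drive PKIX revocation checking.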
