Ok, I understand the problem now (I think). You can specify the private key password either in the Crypto properties file or else via a CallbackHandler. However, you can only specify the keystore password in the Crypto properties file. You have two options here:

a) If you're worried about putting a plaintext password in a file, you can encrypt the password and use a CallbackHandler to retrieve a master key for decryption.

b) You can write your own Crypto instance. Simply override Merlin and change the logic in terms of where it retrieves a password from.

Colm.

On Fri, Jul 22, 2016 at 2:44 PM, Emulator <[email protected]> wrote:

> Hi Colm:
>
> Please take a look at my second post. Now the private key has no problem
> with PasswordCallback (though I don't know why it needs "UsernameToken" to
> be added to Action), but I also need the keystore password encrypted or set by
> PasswordCallback (or any other way out of the properties).
>
> So I need to remove
> org.apache.wss4j.crypto.merlin.keystore.password=password or decrypt this
> value.
>
> If you are looking for the reason for adding UsernameToken, can you provide
> an example wsdl for me to make a quick example? I am not that familiar with
> wsdl definition.
>
> Regards,
> Victor Chen
>
>
> coheigea wrote
> > Hi,
> >
> > I can't reproduce this problem. For example, see the following CXF test
> > configuration (search for "DoubleItSignedTimestampPort"):
> >
> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml;h=ad76afe61c83b576059acd9791394910de2f691f;hb=HEAD
> >
> > A passwordCallbackClass is specified. "alice.properties" does not have the
> > private key specified in it:
> >
> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/alice.properties;h=f2dbb4b60bdd6adba0ab3f07ba82850c9f58fd9b;hb=HEAD
> >
> > Could you create a quick test-case to reproduce the problem and I'll take a
> > look? Failing that, you could try debugging the WSS4J code. The
> > CallbackHandler is queried in WSHandler.getPasswordCB, called in turn from
> > the SignatureAction class.
> >
> > Colm.
> >
> > On Fri, Jul 22, 2016 at 9:33 AM, Emulator <emulator.chen@> wrote:
> >
> >> A quick update: I found that if I add UsernameToken into Action, the
> >> private key password works.
> >> But when I try to remove the keystore password or change it to a wrong one,
> >> PasswordCallback is constructed but its handle method is never called, and
> >> this exception is thrown:
> >>
> >> Caused by: org.apache.wss4j.common.ext.WSSecurityException: Failed to load credentials.
> >> Original Exception was java.io.IOException: Keystore was tampered with, or password was incorrect
> >>     at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:397)
> >>     at org.apache.wss4j.common.crypto.Merlin.loadProperties(Merlin.java:218)
> >>     at org.apache.wss4j.common.crypto.Merlin.<init>(Merlin.java:151)
> >>     at org.apache.wss4j.common.crypto.CryptoFactory.getInstance(CryptoFactory.java:127)
> >>     ... 46 more
> >> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> >>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
> >>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
> >>     at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
> >>     at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
> >>     at java.security.KeyStore.load(KeyStore.java:1445)
> >>     at org.apache.wss4j.common.crypto.Merlin.load(Merlin.java:391)
> >>     ... 49 more
> >> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> >>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
> >>     ... 54 more
> >>
> >>
> >> --
> >> View this message in context:
> >> http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770580.html
> >> Sent from the cxf-user mailing list archive at Nabble.com.
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Password-Callback-did-not-fire-tp5770579p5770592.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
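Option (b) above as an added example (not code from the thread, from CXF or from WSS4J): a Merlin subclass that takes the keystore password from a JAAS CallbackHandler at load time, so the keystore.password line can be removed from the Crypto properties file. It assumes WSS4J 2.x, where CryptoFactory instantiates the class named by org.apache.wss4j.crypto.provider through its (Properties, ClassLoader, PasswordEncryptor) constructor; the class name CallbackMerlin and the property org.apache.wss4j.crypto.merlin.keystore.password.callback.class are invented here.

```java
import java.io.IOException;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;

// Select with org.apache.wss4j.crypto.provider=CallbackMerlin (hypothetical class) and
// delete org.apache.wss4j.crypto.merlin.keystore.password from the properties file.
public class CallbackMerlin extends Merlin {

    // The real Merlin property whose value the thread wants out of the file.
    private static final String KEYSTORE_PASSWORD_PROP =
        "org.apache.wss4j.crypto.merlin.keystore.password";
    // Hypothetical property: a CallbackHandler class that answers a PasswordCallback.
    private static final String CALLBACK_CLASS_PROP =
        "org.apache.wss4j.crypto.merlin.keystore.password.callback.class";

    // CryptoFactory.getInstance uses this constructor; Merlin loads the keystore from it.
    public CallbackMerlin(Properties properties, ClassLoader loader,
                          PasswordEncryptor passwordEncryptor)
            throws WSSecurityException, IOException {
        super(withKeystorePassword(properties, loader), loader, passwordEncryptor);
    }

    // Returns an in-memory copy of the properties carrying the password; the file never does.
    private static Properties withKeystorePassword(Properties props, ClassLoader loader) {
        String handlerClass = props.getProperty(CALLBACK_CLASS_PROP);
        if (handlerClass == null || handlerClass.trim().isEmpty()) {
            throw new IllegalStateException(CALLBACK_CLASS_PROP + " is not set");
        }
        PasswordCallback cb = new PasswordCallback("keystore password: ", false);
        try {
            CallbackHandler handler = (CallbackHandler) Class.forName(handlerClass.trim(),
                true, loader).getDeclaredConstructor().newInstance();
            handler.handle(new Callback[] {cb});
        } catch (Exception e) {       // reflection, IO or UnsupportedCallbackException
            throw new IllegalStateException("keystore password callback failed", e);
        }
        if (cb.getPassword() == null) {
            throw new IllegalStateException("callback handler returned no keystore password");
        }
        Properties copy = new Properties();
        copy.putAll(props);           // never mutate the caller's properties
        copy.setProperty(KEYSTORE_PASSWORD_PROP, new String(cb.getPassword()));
        return copy;
    }
}
```

A wrong or missing password still surfaces as the "Keystore was tampered with, or password was incorrect" failure from Merlin.load, but now the handler is consulted first, which is the behaviour the thread asked for.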
