Hi.

I finally solved it! Now I'm able to access the SmartCard perfectly. I'll
now try to look for a way to make my implementation more generic so anyone
can implement a KeystoreManager for himself, in case someone gets stuck in a
problem similar to mine. I'd be willing to share it if you think it will
become useful.

Again, thanks a lot.

Sebastian Gomez.



On Thu, Feb 21, 2008 at 12:49 PM, Sebastian Gomez <[EMAIL PROTECTED]> wrote:

> Thanks a lot! I'll have a good look at it and I hope to be able to solve
> the problem.
>
> Best regards.
>   On Thu, Feb 21, 2008 at 12:35 PM, Guillaume Nodet <[EMAIL PROTECTED]>
> wrote:
>
> > Well, googling a bit, I found that Sun provides a security provider
> > based on smart cards:
> >   http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
> >
> > See
> > http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#Login
> > for how to create a KeyStore from the smart card.
> >
> > On Thu, Feb 21, 2008 at 12:24 PM, Guillaume Nodet <[EMAIL PROTECTED]>
> > wrote:
> > > For SSL, I think the key methods are:
> > >   KeyStoreInstance#getKeyManager
> > >   KeyStoreInstance#getTrustManager
> > >
> > >  Take a look at createSSLServerFactory method in BaseKeystoreManager
> > as this is
> > >  the one that creates the SSL socket using the two methods above.
> > >
> > >  At the end, you may have to implement the following interfaces:
> > >    javax.net.ssl.X509TrustManager
> > >    javax.net.ssl.X509KeyManager
> > >  and return your own instances of these interfaces in the two methods
> > >  mentioned above.
> > >
> > >
> > >
> > >  On Thu, Feb 21, 2008 at 11:40 AM, Sebastian Gomez <[EMAIL PROTECTED]>
> > wrote:
> > >  > Hello.
> > >  >
> > >  >  I've been very busy these last weeks therefore I haven't been able
> > to start
> > >  >  implementing my patch until now. I made the changes recommended
> > (for which I
> > >  >  thank you a lot) but I have come up to a new problem. I'm not sure
> > of the
> > >  >  scale of the problem, because I'm not sure if I have configured
> > the
> > >  >  SSLSocket correctly (mostly because of my quite limited knowledge
> > on SSL
> > >  >  security). I'll tell you what the problem is and let's hope you
> > know where I
> > >  >  should be aiming to solve it:
> > >  >
> > >  >  First of all I created a CustomKeystoreManager and a
> > CustomKeystoreInstance
> > >  >  class. Then, in the HttpEndpoint I instantiate them in the
> > >  >  getKeystoreManager() method. They seem to work fine until the
> > >  >  SSLSocketFactory is created, because when it sends the message, a
> > >  >  HandshakeException is thrown. Debugging I have seen that the
> > >  >  CustomKeystoreInstance.getCertificate(String alias) method is
> > never called,
> > >  >  so obviously, without the Certificate, the message exchange is
> > never going
> > >  >  to work. After that, I undid all my changes to see where a normal
> > message
> > >  >  exchange using a file certificate (*.p12 and *.jks) calls the
> > >  >  FileKeystoreInstance.getCertificate(String alias) method, but it
> > doesn't
> > >  >  seem to do it! So my idea of implementing a new getCertificate()
> > method
> > >  >  looks like it would not work.
> > >  >
> > >  >  Do you have any idea when and where the Certificates are read (i.e. the
> > > call
> > >  >  to getCertificate() or getCertificateChain())? Should I be doing
> > something
> > >  >  with the certificate before initializing the SSLContext in the
> > >  >  CustomKeystoreManager.createSSLServerFactory method?
> > >  >
> > >  >  Please help, this problem is blocking my progress in my project.
> > Thanks in
> > >  >  advance.
> > >  >
> > >  >  Sebastian Gomez.
> > >  >
> > >  >
> > >  > On Thu, Jan 24, 2008 at 1:15 AM, Guillaume Nodet <[EMAIL PROTECTED]>
> > wrote:
> > >  >
> > >  >  > On Jan 23, 2008 6:42 PM, Sebastian Gomez <[EMAIL PROTECTED]>
> > wrote:
> > >  >  >
> > >  >  > > Hello again.
> > >  >  > >
> > >  >  > > First of all, thanks a lot for helping me resolve this problem
> > I've
> > >  >  > > encountered.
> > >  >  > >
> > >  >  > > I've been trying to locate the part of the code where I should
> > start
> > >  >  > > implementing my patch but I haven't decided yet. I agree with
> > you on
> > >  >  > > modifying the getKeystoreManager() method from HttpEndpoint,
> > but I think
> > >  >  > I
> > >  >  > > should rewrite the method instead of overriding it (I
> > understand
> > >  >  > > overriding
> > >  >  > > would mean creating a new class extending HttpEndpoint). Do
> > you think my
> > >  >  > > assumption is correct or do you really think I should create a
> > new
> > >  >  > class?
> > >  >  >
> > >  >  >
> > >  >  > Rewriting is the way to go
> > >  >  >
> > >  >  > >
> > >  >  > >
> > >  >  > > I've thought on the idea of adding a KeystoreManager field to
> > the
> > >  >  > > HttpEndpoint. My idea would be to add a new sslParameter in
> > the
> > >  >  > > xbean.xmlfile, but that would mean modifying the
> > >  >  > > servicemix-http.xsd wouldn't it? Would it be a problem? Doing
> > this would
> > >  >  > > allow me to do something like "if (this.getSsl().getKeyStoreManager() ==
> > >  >  > > null)" in the getKeystoreManager() method. Returning "true"
> > would mean
> > >  >  > the
> > >  >  > > parameter has not been specified, so I would let the
> > HttpComponent be
> > >  >  > > initialized as it has been done until now, but returning
> > "false" would
> > >  >  > > mean creating and returning a new instance of the specified
> > >  >  > > KeystoreManager.
> > >  >  > > Does this make sense to you, or am I missing something out?
> > >  >  >
> > >  >  >
> > >  >  > Yeah, definitely.  The servicemix-http schema is generated
> > automatically
> > >  >  > from the
> > >  >  > java source code, so adding a getter to the SslParams class will
> > do the
> > >  >  > trick.
> > >  >  >
> > >  >  >
> > >  >  > >
> > >  >  > >
> > >  >  > > Best regards.
> > >  >  > >
> > >  >  > > Sebastian Gomez.
> > >  >  > >
> > >  >  > >
> > >  >  > >
> > >  >  > >
> > >  >  > > On Jan 21, 2008 8:30 PM, Guillaume Nodet <[EMAIL PROTECTED]>
> > wrote:
> > >  >  > >
> > >  >  > > > I think the easiest way would be to add a KeystoreManager
> > field on the
> > >  >  > > > HttpEndpoint and override
> > >  >  > > > the getKeystoreManager() method from HttpEndpoint [1].
> > >  >  > > > It doesn't seem you actually need to work with the
> > HttpComponent or
> > >  >  > > > HttpConfiguration directly.
> > >  >  > > >
> > >  >  > > > FYI, the default KeystoreManager is retrieved from the
> > HttpComponent in
> > >  >  > > the
> > >  >  > > > doInit() method [2].
> > >  >  > > >
> > >  >  > > > Hope this helps,
> > >  >  > > >
> > >  >  > > > [1]
> > >  >  > > >
> > >  >  > > >
> > >  >  > >
> > >  >  >
> > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpEndpoint.java?revision=602826&view=markup
> > >  >  > > > [2]
> > >  >  > > >
> > >  >  > > >
> > >  >  > >
> > >  >  >
> > http://svn.apache.org/viewvc/servicemix/smx3/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/HttpComponent.java?revision=602826&view=markup
> > >  >  > > >
> > >  >  > > > On Jan 21, 2008 8:11 PM, Sebas Gomez <[EMAIL PROTECTED]>
> > wrote:
> > >  >  > > >
> > >  >  > > > > Hi.
> > >  >  > > > >
> > >  >  > > > > I have decided to create the patch to configure the
> > KeyStoreInstance
> > >  >  > > > > directly on the endpoint, and I would be willing to share
> > it, but I
> > >  >  > > > think
> > >  >  > > > > I
> > >  >  > > > > will need a little orientation. I've been trying to trace
> > >  >  > > > > the initialization of the http-component, but I haven't
> > been able to
> > >  >  > > > find
> > >  >  > > > > where the KeystoreInstance is created. Would it be
> > possible for you
> > >  >  > to
> > >  >  > > > > point
> > >  >  > > > > me out where it is done?
> > >  >  > > > >
> > >  >  > > > > Thank you.
> > >  >  > > > > On Jan 21, 2008 4:45 PM, Guillaume Nodet <[EMAIL PROTECTED]>
> > wrote:
> > >  >  > > > >
> > >  >  > > > > > Implementing a KeyStoreInstance manager is the way to
> > go.
> > >  >  > > > > > Currently, the only way to configure it is to go to the
> > JMX mbean
> > >  >  > > > > > associated
> > >  >  > > > > > with the servicemix-http component and change the
> > >  >  > > keystoreManagerName
> > >  >  > > > to
> > >  >  > > > > a
> > >  >  > > > > > new entry in the JNDI tree where you would put your own
> > >  >  > > > implementation.
> > >  >  > > > > > You'd also have to register it in the conf/jndi.xml
> > configuration
> > >  >  > > > file.
> > >  >  > > > > > This is not very easy, so if you fancy providing a
> > patch to
> > >  >  > > > configure
> > >  >  > > > > > it
> > >  >  > > > > > on the endpoint directly, I'd be happy to apply it.
> > >  >  > > > > >
> > >  >  > > > > > On Jan 18, 2008 2:31 PM, Sebas Gomez <[EMAIL PROTECTED]>
> > wrote:
> > >  >  > > > > >
> > >  >  > > > > > > Hi.
> > >  >  > > > > > >
> > >  >  > > > > > > Thanks for the quick answer.
> > >  >  > > > > > >
> > >  >  > > > > > > I only retrieve the certificate from the card, nothing
> > else. I
> > >  >  > > think
> > >  >  > > > > the
> > >  >  > > > > > > easiest way of getting the certificate would be
> > implementing a
> > >  >  > > > custom
> > >  >  > > > > > > KeyStoreInstance but I can't find the place in the
> > configuration
> > >  >  > > of
> > >  >  > > > > the
> > >  >  > > > > > > servicemix-http component where to tell ServiceMix to
> > use it. I
> > >  >  > > > > suppose
> > >  >  > > > > > it
> > >  >  > > > > > > should be in one of the sslParameters, but I don't
> > know which
> > >  >  > one.
> > >  >  > > > > > >
> > >  >  > > > > > > The other possibility would be to subclass the
> > servicemix-http,
> > >  >  > > but
> > >  >  > > > I
> > >  >  > > > > > > think
> > >  >  > > > > > > the easy solution would be the one explained on the
> > paragraph
> > >  >  > > above.
> > >  >  > > > > > >
> > >  >  > > > > > > Would it be possible to implement my custom
> > KeystoreInstance or
> > >  >  > > > should
> > >  >  > > > > I
> > >  >  > > > > > > be
> > >  >  > > > > > > thinking of subclassing the component?
> > >  >  > > > > > >
> > >  >  > > > > > > Best regards.
> > >  >  > > > > > >
> > >  >  > > > > > > Sebastian Gomez
> > >  >  > > > > > >
> > >  >  > > > > > > On Jan 18, 2008 1:24 PM, Guillaume Nodet <
> > [EMAIL PROTECTED]>
> > >  >  > wrote:
> > >  >  > > > > > >
> > >  >  > > > > > > > I'm not aware of anything done on this subject.
> > >  >  > > > > > > > What kind of data do you retrieve from the smartcard
> > and how?
> > >  >  > > > > > > > Do you simply retrieve the certificate?
> > >  >  > > > > > > > servicemix-http uses an abstraction on top of a
> > keystore so
> > >  >  > you
> > >  >  > > > may
> > >  >  > > > > be
> > >  >  > > > > > > > able to implement your own that would delegate calls
> > to the
> > >  >  > > > smartcard
> > >  >  > > > > > > > somehow.
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > >
> > >  >  > > > > >
> > >  >  > > > >
> > >  >  > > >
> > >  >  > >
> > >  >  >
> > http://svn.apache.org/viewvc/servicemix/smx3/trunk/core/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/keystore/KeystoreInstance.java?revision=602826&view=markup
> > >  >  > > > > > > >
> > >  >  > > > > > > > On Jan 18, 2008 11:07 AM, Sebas Gomez <
> > [EMAIL PROTECTED]>
> > >  >  > wrote:
> > >  >  > > > > > > >
> > >  >  > > > > > > > > Hello.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > I need to access a web service secured with
> > WS-Security
> > >  >  > using
> > >  >  > > a
> > >  >  > > > > > Smart
> > >  >  > > > > > > > > Card.
> > >  >  > > > > > > > > If I had the security certificate in local, I know
> > I could
> > >  >  > set
> > >  >  > > > the
> > >  >  > > > > > > > > http:sslParameters with the path of the keystore
> > and its
> > >  >  > > > keystore
> > >  >  > > > > > > > > password,
> > >  >  > > > > > > > > but this is not the case.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > I suppose I will have to extend either
> > servicemix-http or
> > >  >  > > > > > > servicemix-cxf
> > >  >  > > > > > > > > to
> > >  >  > > > > > > > > support reading smart cards, but I don't know if
> > there is an
> > >  >  > > > > easier
> > >  >  > > > > > > > > workaround.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > Is there anything similar already implemented? If
> > not, I
> > >  >  > would
> > >  >  > > > > > > > appreciate
> > >  >  > > > > > > > > any kind of indication as to what would be the
> > best way to
> > >  >  > > solve
> > >  >  > > > > > this
> > >  >  > > > > > > > > problem.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > Best regards.
> > >  >  > > > > > > > >
> > >  >  > > > > > > > > Sebastian Gomez
> > >  >  > > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > >
> > >  >  > > > > > > > --
> > >  >  > > > > > > > Cheers,
> > >  >  > > > > > > > Guillaume Nodet
> > >  >  > > > > > > > ------------------------
> > >  >  > > > > > > > Blog: http://gnodet.blogspot.com/
> > >  >  > > > > > > >
> > >  >  > > > > > >
> > >  >  > > > > >
> > >  >  > > > > >
> > >  >  > > > > >
> > >  >  > > > > > --
> > >  >  > > > > >  Cheers,
> > >  >  > > > > > Guillaume Nodet
> > >  >  > > > > > ------------------------
> > >  >  > > > > > Blog: http://gnodet.blogspot.com/
> > >  >  > > > > >
> > >  >  > > > >
> > >  >  > > >
> > >  >  > > >
> > >  >  > > >
> > >  >  > > > --
> > >  >  > > >  Cheers,
> > >  >  > > > Guillaume Nodet
> > >  >  > > > ------------------------
> > >  >  > > > Blog: http://gnodet.blogspot.com/
> > >  >  > > >
> > >  >  > >
> > >  >  >
> > >  >  >
> > >  >  >
> > >  >  > --
> > >  >  >  Cheers,
> > >  >  > Guillaume Nodet
> > >  >  > ------------------------
> > >  >  > Blog: http://gnodet.blogspot.com/
> > >  >  >
> > >  >
> > >
> > >
> > >
> > >  --
> > >
> > >
> > > Cheers,
> > >  Guillaume Nodet
> > >  ------------------------
> > >  Blog: http://gnodet.blogspot.com/
> > >
> >
> >
> >
> > --
> >  Cheers,
> > Guillaume Nodet
> > ------------------------
> > Blog: http://gnodet.blogspot.com/
> >
>
>
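The thread's advice boils down to three pieces: open the smart card as a `KeyStore` through Sun's PKCS#11 provider, turn that `KeyStore` into the `X509KeyManager` and `X509TrustManager` that a custom `KeystoreInstance#getKeyManager()` / `#getTrustManager()` would return, and feed both into the `SSLContext` the way `BaseKeystoreManager.createSSLServerFactory` does. The following is an added example written for this page, not ServiceMix code and not code from either correspondent; the PKCS#11 config path, trust store path, PIN handling and the `SmartCardSslSupport` class name are all assumptions, and it uses the Java 9+ `Provider.configure(...)` API (on the Java 5 JDK of the thread the equivalent was `new sun.security.pkcs11.SunPKCS11(configPath)`). It also shows why the `getCertificate(alias)` override never fired: the `KeyManagerFactory` reads key entries and chains straight from the `KeyStore` object, so the card must be presented as a `KeyStore`, which additionally keeps the private key on the card with signing delegated to it.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/** Illustrative helper (assumed class name, not ServiceMix code). */
public final class SmartCardSslSupport {

    private SmartCardSslSupport() {}

    /**
     * Opens the smart card as a KeyStore via the SunPKCS11 provider.
     * pkcs11ConfigPath is an assumed path to a SunPKCS11 config file such as
     *   name = SmartCard
     *   library = /path/to/vendor-pkcs11.so
     * The card PIN plays the role of the keystore password; there is no file stream.
     */
    public static KeyStore openSmartCardKeyStore(String pkcs11ConfigPath, char[] pin)
            throws GeneralSecurityException, IOException {
        Provider pkcs11 = Security.getProvider("SunPKCS11").configure(pkcs11ConfigPath);
        Security.addProvider(pkcs11);
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        ks.load(null, pin);
        return ks;
    }

    /** Loads an ordinary file trust store (assumed path) holding the CA certificates to trust. */
    public static KeyStore openTrustStore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        return ts;
    }

    /** Candidate body for KeystoreInstance#getKeyManager(): key entries come from the KeyStore itself. */
    public static X509KeyManager keyManagerFor(KeyStore cardKeyStore, char[] pin)
            throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(cardKeyStore, pin);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new KeyStoreException("PKCS#11 keystore yielded no X509KeyManager");
    }

    /** Candidate body for KeystoreInstance#getTrustManager(): a real PKIX trust manager, not a trust-all one. */
    public static X509TrustManager trustManagerFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new KeyStoreException("trust store yielded no X509TrustManager");
    }

    /** Mirrors what the thread says createSSLServerFactory does: init the SSLContext with both managers. */
    public static SSLSocketFactory socketFactory(X509KeyManager km, X509TrustManager tm)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, new TrustManager[] { tm }, null);
        return ctx.getSocketFactory();
    }

    /** Wires the pieces together; every path and secret below is a placeholder. */
    public static void main(String[] args) throws Exception {
        char[] pin = System.console() != null
                ? System.console().readPassword("Smart card PIN: ")
                : "PLACEHOLDER-PIN".toCharArray();   // placeholder, not a real PIN
        KeyStore card = openSmartCardKeyStore("/path/to/pkcs11.cfg", pin);
        KeyStore trust = openTrustStore("/path/to/truststore.jks", "PLACEHOLDER".toCharArray());
        X509KeyManager km = keyManagerFor(card, pin);
        X509TrustManager tm = trustManagerFor(trust);
        SSLSocketFactory factory = socketFactory(km, tm);
        System.out.println("Client aliases on the card: "
                + java.util.Arrays.toString(km.getClientAliases("RSA", null)));
        System.out.println("SSLSocketFactory ready: " + factory.getClass().getName());
        java.util.Arrays.fill(pin, '\0');   // do not keep the PIN in memory longer than needed
    }
}
```

Run it with a PKCS#11 module for the card on the library path; `getClientAliases` listing the card's certificate alias confirms the key manager can see it, which is the state the `HandshakeException` in the thread indicates was missing.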
