> builder.setKeyEnc(WSConstants.TRIPLE_DES);
> builder.setEncryptSymmKey(false);

This is not valid. Triple DES is a symmetric encryption algorithm, and not a key transport algorithm. Also, you want to encrypt the symmetric key here (using the X.509 Certificate). So just comment out the "setEncryptSymmKey(false)" call + change "setKeyEnc" to "setSymmetricEncAlgorithm" and it should work.

> Should the WSSecSignature.setX509Certificate method take care of that?

No, because you need to specify a username + password as well to access the private key required to sign the request.

Colm.

On Wed, Aug 6, 2014 at 4:57 PM, Adrian Williamson <[email protected]> wrote:

> Hi,
>
> I believe that I am using WSS4J 2.0.2, if you have a specific process for understanding the version please don’t be shy – I’ll use it then we both know that I will have given the correct info.
>
> By core do you mean the JDK? If so then:
>
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> That error in particular I have avoided by using BST_DIRECT_REFERENCE, I’m afraid I was doing that two-year-old learning technique of pressing all the buttons at once, so I might have been the cause of the error – not knowing my apples from pears:
>
> //This gives Error when calling DDOperation: An invalid security token was provided (Bad ValueType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
>
> java.security.cert.X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
> Document doc = soapEnvelope.getOwnerDocument();
> org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();
>
> builder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
> builder.setKeyEnc(WSConstants.TRIPLE_DES);
> builder.setEncryptSymmKey(false);
> builder.setUseThisCert(recipientCert);
>
> try
> {
>     secHeader.insertSecurityHeader(doc);
>     builder.build(doc, crypto, secHeader);
> }
> catch (WSSecurityException e)
>
> So I am not too worried about that as I have moved on.
>
> I did find another issue with the WSSecSignature, when using the WSSecSignature.setX509Certificate and then calling WSSecSignature.build it threw a null identifier (merlin.java:744) for the GetPrivateKey() as the calling context WSecSigniture.java:530 had this.user set to null, I worked out that if I used WSSecSignature.setUserInfo and passed in the alias and the JKS password then it stopped moaning and got on with it.
>
> Should the WSSecSignature.setX509Certificate method take care of that?
>
> My work in progress/prototype is below, I’m trying to mimic the SOAPUI WSS specification:
>
> I’ll go and look at those examples.
>
> Cheers,
>
> Adrian
>
> PS Bonus points for identifying Cargo Cult sections….
>
> private SOAPMessage encriptBody(SOAPMessage soapMessage) throws Exception
> {
>     SOAPPart soapPart = soapMessage.getSOAPPart();
>     SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
>
>     WSSecEncrypt builder = new WSSecEncrypt();
>     WSSecTimestamp builderTS = new WSSecTimestamp();
>     WSSecSignature builderSig = new WSSecSignature();
>
>     Crypto crypto = null;
>     //Class constructor candidates
>     try {
>         //Where will I put the properties file?
>         crypto = CryptoFactory.getInstance("Ball.properties");
>     }
>     catch (WSSecurityException e)
>     {
>         System.err.println("Crypto crypto = CryptoFactory.getInstance(\"Ball.properties\"): " + e.getMessage());
>     }
>     java.security.cert.X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
>     java.security.cert.X509Certificate ourCert = (X509Certificate) keysRSA.getks().getCertificate("wsclientcert");
>
>     builder.setUseThisCert(recipientCert);
>     builderSig.setX509Certificate(ourCert);
>
>     builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>     builderTS.setTimeToLive(5000);
>     builderSig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>     builderSig.setUserInfo("wsclientcert", "password1");
>     //End Class constructor candidates
>
>     Document doc = soapEnvelope.getOwnerDocument();
>     org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();
>
>     try
>     {
>         secHeader.insertSecurityHeader(doc);
>         builderTS.build(doc, secHeader);
>         builderSig.build(doc, crypto, secHeader);
>         builder.build(doc, crypto, secHeader);
>     }
>     catch (WSSecurityException e)
>     {
>         System.err.println("Failed in builder block: " + e.getMessage());
>         e.printStackTrace();
>         System.exit(1);
>     }
>
>     return soapMessage;
> }
>
> *From:* Colm O hEigeartaigh [mailto:[email protected]]
> *Sent:* 06 August 2014 15:48
> *To:* [email protected]
> *Subject:* Re: Does anyone have an example of using WSSecEncrypt.setUseThisCert()
>
> Here are some:
>
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CryptoProviderTest.java?revision=1503186&view=co
>
> What version of WSS4J? What does the request look like that is generating that error + what core are you using to generate it?
>
> Colm.
>
> On Wed, Aug 6, 2014 at 9:35 AM, Adrian Williamson <[email protected]> wrote:
>
> Hi,
>
> Has anyone got an example of how this method can be used?
>
> I've been trying different values for the WSSecEncrypt.setKeyIdentifierType() but I keep getting application specific error messages back from the private service I'm calling.
>
> One of the error messages made me stop and ponder the extent of my ignorance;
>
> WSConstants.X509_KEY_IDENTIFIER it returned:
>
> An invalid security token was provided (Bad ValueType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
>
> So I thought if someone had a nice little test case that used an X509 certificate to encrypt it might help me along.
>
> So I can see how it is supposed to be done.
>
> Thanks
>
> Adrian
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
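
Added example, not part of the original thread and not WSS4J code: a JDK-only sketch of the two algorithm roles distinguished in the reply above, with Triple DES encrypting the payload and an RSA key transport algorithm encrypting the Triple DES key for the recipient. The class name KeyTransportDemo, the generated RSA key pair (standing in for the recipient certificate's keys) and the payload are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class KeyTransportDemo { // hypothetical name, not from the thread
    public static void main(String[] args) throws Exception {
        // Constructed RSA key pair standing in for the recipient's X.509 certificate keys.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        // Role 1, symmetric encryption algorithm: a fresh session key encrypts the body.
        // Triple DES is used only because it is the algorithm named in the thread.
        SecretKey sessionKey = KeyGenerator.getInstance("DESede").generateKey();
        Cipher body = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        body.init(Cipher.ENCRYPT_MODE, sessionKey);
        byte[] iv = body.getIV();
        byte[] payload = "<Body>constructed payload</Body>".getBytes(StandardCharsets.UTF_8);
        byte[] cipherText = body.doFinal(payload);

        // Role 2, key transport algorithm: the session key is wrapped under the public key.
        Cipher transport = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        transport.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = transport.wrap(sessionKey);

        // Recipient side: unwrap with the private key, then decrypt the body.
        transport.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key recovered = transport.unwrap(wrappedKey, "DESede", Cipher.SECRET_KEY);
        body.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        String plain = new String(body.doFinal(cipherText), StandardCharsets.UTF_8);
        System.out.println("round trip ok: " + plain.startsWith("<Body>"));

        // The mix-up from the thread: a symmetric cipher placed in the key transport role.
        try {
            Cipher wrong = Cipher.getInstance("DESede/CBC/PKCS5Padding");
            wrong.init(Cipher.WRAP_MODE, recipient.getPublic());
            System.out.println("unexpected: DESede accepted an RSA public key");
        } catch (InvalidKeyException e) {
            System.out.println("DESede rejected the RSA public key: " + e.getMessage());
        }
    }
}
```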
