Hi Colm,

 

This is what worked in the end for me; I’m now trying to work out how to get 
back to SOAP from the server response, i.e. I’m writing decodeSOAP.

 

// Imports needed by encodeSOAP (WSS4J 2.0.x DOM API); crypto and keysRSA are
// fields of the enclosing class.
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.xml.crypto.dsig.Reference;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPPart;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.SOAPConstants;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSEncryptionPart;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Document;

private SOAPMessage encodeSOAP(SOAPMessage soapMessage) throws Exception {

    SOAPPart soapPart = soapMessage.getSOAPPart();
    SOAPEnvelope soapEnvelope = soapPart.getEnvelope();

    //Might be a workaround to the fact the WSDL has ws.live.ie and we are using ws.test.ie etc
    soapEnvelope.addNamespaceDeclaration("dl", "http://ws.live.ie/v1/DL-WS/");

    WSSecEncrypt builder = new WSSecEncrypt();
    WSSecTimestamp builderTS = new WSSecTimestamp();
    WSSecSignature builderSig = new WSSecSignature();

    // Recipient's certificate wraps the session key; our certificate goes into the Signature's BST
    X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
    X509Certificate ourCert = (X509Certificate) keysRSA.getks().getCertificate("wsstest");

    builder.setUseThisCert(recipientCert);
    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
    // Symmetric algorithm for the Body; the session key itself is encrypted with recipientCert
    builder.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
    builderTS.setTimeToLive(5000); // seconds

    Document doc = soapEnvelope.getOwnerDocument();
    WSSecHeader secHeader = new WSSecHeader();
    secHeader.insertSecurityHeader(doc);

    {//Sign the Timestamp and the body; this block replaces builderSig.build(doc, crypto, secHeader)
        builderSig.setX509Certificate(ourCert);
        // Alias + key password: needed to load the private key from the keystore
        builderSig.setUserInfo("wsstest", "password1");
        builderSig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);

        SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        List<WSEncryptionPart> wsEncryptionParts = new ArrayList<WSEncryptionPart>();
        WSEncryptionPart wsEncryptionPart = new WSEncryptionPart(
                soapConstants.getBodyQName().getLocalPart(), soapConstants.getEnvelopeURI(), "Content");
        wsEncryptionParts.add(wsEncryptionPart);

        // The Timestamp has to exist (and have its wsu:Id) before it can be referenced
        builderTS.build(doc, secHeader);
        wsEncryptionParts.add(new WSEncryptionPart(builderTS.getId()));

        builderSig.setParts(wsEncryptionParts);
        builderSig.setUseSingleCertificate(true);
        builderSig.prepare(doc, this.crypto, secHeader);
        builderSig.appendBSTElementToHeader(secHeader);
        List<Reference> referenceList = builderSig.addReferencesToSign(wsEncryptionParts, secHeader);
        builderSig.computeSignature(referenceList);
    }

    // Encrypt after signing, so the Signature covers the plaintext Body. WSS4J prepends
    // the EncryptedKey to the Security header, so the receiver decrypts before verifying.
    try
    {
        builder.build(doc, this.crypto, secHeader);
    }
    catch (WSSecurityException e)
    {
        System.err.println("Failed in builder block: " + e.getMessage());
        e.printStackTrace();
        System.exit(1);
    }

    return soapMessage;
}

 

 

From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: 08 August 2014 10:56
To: Adrian Williamson
Cc: [email protected]
Subject: Re: Does anyone have an example of using WSSecEncrypt.setUseThisCert()

 

 

> builder.setKeyEnc(WSConstants.TRIPLE_DES);
>  builder.setEncryptSymmKey(false);

This is not valid. Triple DES is a symmetric encryption algorithm, and not a 
key transport algorithm. Also, you want to encrypt the symmetric key here 
(using the X.509 Certificate). So just comment out the 
"setEncryptSymmKey(false)" call + change "setKeyEnc" to 
"setSymmetricEncAlgorithm" and it should work.

> Should the WSSecSignature.setX509Certificate method take care of that?

No, because you need to specify a username + password as well to access the 
private key required to sign the request.

Colm.

 

On Wed, Aug 6, 2014 at 4:57 PM, Adrian Williamson <[email protected]> 
wrote:

Hi,

 

I believe that I am using WSS4J 2.0.2, if you have a specific process for 
understanding the version please don’t be shy – I’ll use it then we both know 
that I will have given the correct info.

 

By core do you mean the JDK? If so then:

 

java version "1.7.0_55"

Java(TM) SE Runtime Environment (build 1.7.0_55-b13)

Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)

 

That error in particular I have avoided by using BST_DIRECT_REFERENCE, I’m 
afraid I was doing that two-year-old learning technique of pressing all the 
buttons at once, so I might have been the cause of the error – not knowing my 
apples from pears:

 

    //This gives Error when calling DDOperation: An invalid security token was provided (Bad ValueType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
    // builder, soapEnvelope, crypto and keysRSA are set up as in encriptBody below

    java.security.cert.X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");

    Document doc = soapEnvelope.getOwnerDocument();
    org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();

    builder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
    builder.setKeyEnc(WSConstants.TRIPLE_DES);
    builder.setEncryptSymmKey(false);
    builder.setUseThisCert(recipientCert);

    try
    {
        secHeader.insertSecurityHeader(doc);
        builder.build(doc, crypto, secHeader);
    }
    catch (WSSecurityException e)
    {
        System.err.println("Failed in builder block: " + e.getMessage());
        e.printStackTrace();
        System.exit(1);
    }
 

So I am not too worried about that as I have moved on.

 

I did find another issue with the WSSecSignature, when using the 
WSSecSignature.setX509Certificate and then calling WSSecSignature.build it 
threw a null identifier (Merlin.java:744) for getPrivateKey() as the 
calling context WSSecSignature.java:530 had this.user set to null, I worked out 
that if I used WSSecSignature.setUserInfo and passed in the alias and the JKS 
password then it stopped moaning and got on with it.

 

Should the WSSecSignature.setX509Certificate method take care of that?

 

My work in progress/prototype is below, I’m trying to mimic the SOAPUI WSS 
specification:

 



 

I’ll go and look at those examples.

 

Cheers,

 

Adrian

PS Bonus points for identifying Cargo Cult sections…. 

 

 

 

private SOAPMessage encriptBody(SOAPMessage soapMessage) throws Exception {
    SOAPPart soapPart = soapMessage.getSOAPPart();
    SOAPEnvelope soapEnvelope = soapPart.getEnvelope();

    WSSecEncrypt builder = new WSSecEncrypt();
    WSSecTimestamp builderTS = new WSSecTimestamp();
    WSSecSignature builderSig = new WSSecSignature();

    Crypto crypto = null;
    //Class constructor candidates
    try {
        //Where will I put the properties file?
        crypto = CryptoFactory.getInstance("Ball.properties");
    }
    catch (WSSecurityException e)
    {
        System.err.println("Crypto crypto = CryptoFactory.getInstance(\"Ball.properties\"): " + e.getMessage());
    }

    java.security.cert.X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
    java.security.cert.X509Certificate ourCert = (X509Certificate) keysRSA.getks().getCertificate("wsclientcert");

    builder.setUseThisCert(recipientCert);
    builderSig.setX509Certificate(ourCert);

    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
    builderTS.setTimeToLive(5000);
    builderSig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
    builderSig.setUserInfo("wsclientcert", "password1");
    //End Class constructor candidates

    Document doc = soapEnvelope.getOwnerDocument();
    org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();

    try
    {
        secHeader.insertSecurityHeader(doc);
        builderTS.build(doc, secHeader);
        builderSig.build(doc, crypto, secHeader);
        builder.build(doc, crypto, secHeader);
    }
    catch (WSSecurityException e)
    {
        System.err.println("Failed in builder block: " + e.getMessage());
        e.printStackTrace();
        System.exit(1);
    }

    return soapMessage;
}

 

 

 

From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: 06 August 2014 15:48
To: [email protected]
Subject: Re: Does anyone have an example of using WSSecEncrypt.setUseThisCert()

 

 

Here are some:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CryptoProviderTest.java?revision=1503186&view=co

What version of WSS4J? What does the request look like that is generating that 
error + what core are you using to generate it?

Colm.

 

On Wed, Aug 6, 2014 at 9:35 AM, Adrian Williamson <[email protected]> 
wrote:

Hi,

Has anyone got an example of how this method can be used?

I've been trying different values for the WSSecEncrypt.setKeyIdentifierType() but
I keep getting application specific error messages back from the private
service I'm calling.

One of the error messages made me stop and ponder the extent of my
ignorance:

With WSConstants.X509_KEY_IDENTIFIER it returned:

An invalid security token was provided (Bad ValueType
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")

So I thought if someone had a nice little test case that used an X509
certificate to encrypt it might help me along.

So I can see how it is supposed to be done.

Thanks

Adrian




 



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
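The receiving side that the thread leaves open (Adrian's decodeSOAP for the server response), as an added example that is not code from the thread or from the WSS4J project. It assumes the WSS4J 2.0.x DOM API used above, the same "Ball.properties" Crypto and keystore, that the client's private key is the "wsstest" entry with key password "password1" (as in encodeSOAP), and that the server encrypts its response to the client's certificate and signs the Body and Timestamp the same way encodeSOAP does; the class name DecodeSoapExample is made up. What it adds beyond the sending code is the check a receiver needs: processSecurityHeader only fails on a bad signature, an untrusted signing certificate or a stale Timestamp, it does not say which elements were signed, so the code verifies that the Signature covers both the Body and the Timestamp before the response is trusted.

```java
import java.io.IOException;
import java.util.List;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.SOAPConstants;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Document;

// Hypothetical class; decodeSOAP is the counterpart of the thread's encodeSOAP.
public class DecodeSoapExample {

    // Assumption: the keystore behind Ball.properties holds our private key
    // under alias "wsstest" with key password "password1", as in encodeSOAP.
    private static final String OUR_ALIAS = "wsstest";
    private static final String OUR_KEY_PASSWORD = "password1";

    private final Crypto crypto;

    public DecodeSoapExample() throws WSSecurityException {
        this.crypto = CryptoFactory.getInstance("Ball.properties");
    }

    // WSS4J asks for the private-key password through this callback when it
    // unwraps the EncryptedKey; Merlin passes the keystore alias as identifier.
    private static final CallbackHandler KEY_PASSWORD_HANDLER = new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() == WSPasswordCallback.DECRYPT && OUR_ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword(OUR_KEY_PASSWORD);
                } else {
                    // Never hand the password out for another alias or usage.
                    throw new UnsupportedCallbackException(cb, "unexpected password request");
                }
            }
        }
    };

    public SOAPMessage decodeSOAP(SOAPMessage soapMessage) throws Exception {
        Document doc = soapMessage.getSOAPPart().getEnvelope().getOwnerDocument();

        // Decrypts and verifies in place. Throws WSSecurityException on a bad
        // signature, a signing certificate the keystore does not trust, or an
        // expired/future Timestamp. The EncryptedKey precedes the Signature in
        // the header, so the Body is decrypted before the Signature is checked.
        WSSecurityEngine engine = new WSSecurityEngine();
        List<WSSecurityEngineResult> results =
            engine.processSecurityHeader(doc, null, KEY_PASSWORD_HANDLER, crypto);

        requireSignedBodyAndTimestamp(results, doc);
        return soapMessage;
    }

    // A valid signature over the wrong elements is still a valid signature:
    // insist that the Body and the Timestamp are among the signed references.
    static void requireSignedBodyAndTimestamp(List<WSSecurityEngineResult> results, Document doc) {
        WSSecurityEngineResult signResult = WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
        if (signResult == null) {
            throw new SecurityException("response carries no Signature");
        }
        @SuppressWarnings("unchecked")
        List<WSDataRef> signedRefs = (List<WSDataRef>) signResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);

        SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());
        QName body = soapConstants.getBodyQName();
        QName timestamp = new QName(WSConstants.WSU_NS, "Timestamp");

        if (!covers(signedRefs, body)) {
            throw new SecurityException("Signature does not cover the SOAP Body");
        }
        if (!covers(signedRefs, timestamp)) {
            throw new SecurityException("Signature does not cover the Timestamp");
        }
    }

    private static boolean covers(List<WSDataRef> refs, QName element) {
        if (refs == null) {
            return false;
        }
        for (WSDataRef ref : refs) {
            if (element.equals(ref.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

The four-argument processSecurityHeader uses one Crypto both to check trust in the signing certificate and to find our decryption key, which matches the single Ball.properties keystore the thread uses; with BST_DIRECT_REFERENCE the signer's certificate arrives inside the message, so that trust check is what stops anyone with a self-made certificate from signing a response. The hard-coded password only mirrors the thread's setUserInfo call; in real code the CallbackHandler would fetch it from configuration.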



