I have been working on trying to get a full-circle set of services to work with .NET and MS Policies, etc. I started slow, making a project with Axis, WS-Addressing, and WSS4J. I’ve actually been successful and am now trying to set up the real certificates and private keys I will be using. I moved to a PKCS12 keystore that I’m managing with keyman. I have a private key and a public certificate that is linked to its CAs (2 in the hierarchy). I have a question and a confirmation of what I’ve done.

==============

1) I am signing body parts and addresses with the private key. Note that the private key doesn’t have a password on it. That appears to work; I am accessing the keystore properly, etc.

I am now “simply” trying to encrypt using a key in a public certificate. When I looked at the certificate in keytool I really couldn’t figure out what the “identity” or “name” was that I should use. It contained a very long “belongs to” field, Issued by, Serial Number, Type of Key (RSA/1024), Fingerprint, and a few other things. I assume I need to supply an ID in the encryptionUser parameter. So, I decided to attach a “label” using keyman to this certificate, called “whatever”. So my key parameters are:

<parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier"/>
<parameter name="encryptionUser" value="whatever"/>

I’ve also tried different values for “encryptionKeyIdentifier”. When I run this I get:

- Initializing JAX-RPC handler org.apache.axis.message.addressing.handler.AxisClientSideAddressingHandler...
- Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
unknown attr1.2.840.113549.1.9.22
unknown attr1.2.840.113549.1.9.22
unknown attr1.2.840.113549.1.9.22
{http://xml.apache.org/axis/}stackTrace:WSDoAllSender: Encryption: error during message processing
org.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Encryption)

It appears to be happening on the line:

X509Certificate[] certs = crypto.getCertificates(user);

where user = “whatever” and certs comes back with nothing. So it appears I can’t seem to get a reference to this certificate. Are the parameters set up correctly? Is there something somebody could suggest? I have gotten this to work with a certificate and alias in a JKS-formatted keystore, but I’ve got other problems getting stuff in and out of that keystore. Any help will be much appreciated.

If you’ve gotten this far, maybe somebody could confirm the following. When signing with a private key, and the private key has no password associated with it, I get a callback for a password in my callback class, but I am expected to return something or I get an exception for a null password. So I figured I’d send back the password of the keystore (not the key), and that worked. Interesting, since the keystore password had already been supplied in the properties file. So is the rule, when in doubt and you have no password on a key or certificate, pass back the keystore password?

Thanks again.
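As an added example (not from this post or from WSS4J), here is a small diagnostic for the alias question above: it opens the PKCS12 store with the JDK KeyStore API, lists every alias with its entry type and subject, and then resolves a candidate encryptionUser by alias, which is how Merlin's crypto.getCertificates(user) looks the name up. The file name, password, class name and the "whatever" user are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Lists the aliases in a PKCS12 keystore and resolves an encryptionUser
// value the way Merlin's getCertificates(user) does: by keystore alias.
public class KeystoreAliasCheck {
    // Constructed placeholders; replace with the real path, password and user.
    static final String KEYSTORE_PATH = "client.p12";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    static final String ENCRYPTION_USER = "whatever";

    static KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, KEYSTORE_PASSWORD);
        }
        return ks;
    }

    // Certificate chain behind an alias; empty if the alias does not exist.
    static X509Certificate[] certificatesFor(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);   // private-key entries
        if (chain == null) {                                     // trusted-certificate entries
            Certificate single = ks.getCertificate(alias);
            chain = single == null ? new Certificate[0] : new Certificate[] { single };
        }
        X509Certificate[] out = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) out[i] = (X509Certificate) chain[i];
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted cert";
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "(no certificate)";
            System.out.println(alias + " [" + kind + "] " + subject);
        }
        X509Certificate[] certs = certificatesFor(ks, ENCRYPTION_USER);
        System.out.println("encryptionUser '" + ENCRYPTION_USER + "' -> " + certs.length + " certificate(s)");
    }
}
```

If the alias loop never prints the label attached with keyman, the PKCS12 entry was not stored under that friendly name and no encryptionUser value will find it; keytool -list -storetype PKCS12 on the same file should show the identical alias set.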
