maybe this is just my lack of crypto knowledge showing, but i'm still not clear 
on how the server verifies the
signature the client put on its message.  as i (sorta) understand things (from
http://www.devx.com/Java/Article/28816/0/ ), you
1. generate 2 keys (any particular -keyalg, -keysize, -sigalg, -storetype or 
will any valid ones work?)
  keytool -genkey -alias AL-private -keystore al-pvt.key
  keytool -genkey -alias AL-public  -keystore al-pub.key

2. self-sign the keys
  keytool -selfcert -alias AL-private -keystore al-pvt.key
  keytool -selfcert -alias AL-public -keystore al-pub.key

3. generate a certificate
  keytool -export -keystore al-pub.key -alias AL-public -file AL.cert

4. import the certificate into the private keystore
  keytool -import -alias AL-public -file AL.cert -keystore al-pvt.key

5. create a crypto.properties file (note, alias and password now not used 
according to this archived email -
http://66.102.7.104/search?q=cache:UcxnQ8nN4_AJ:archives.devshed.com/a/ml/200409-844703/AW-AW-Problem-with-Signatures-Unexpected-number-of-X509Data-f+Unexpected+number+of+X509Data:+for+Signature&hl=en
)
  org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
  org.apache.ws.security.crypto.merlin.keystore.type=<whatever you used in step 1>
  org.apache.ws.security.crypto.merlin.keystore.password=<whatever you used in step 1>
  org.apache.ws.security.crypto.merlin.file=???

now, the file is unclear - is that the cert, the public key file, or the 
private key file?  if it's the public key
then, given what i think is meant by "public" and "private" key, anybody could 
sign this message.  so my guess is it's
the private key file or the cert file (tho the client doesn't need its public 
key so that also makes little sense), so
we'll assume
  org.apache.ws.security.crypto.merlin.file=al-pvt.key

6. create a client-config.wsdd file that contains at least:

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <!-- add the header that adds the signature -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action"                value="Signature"/>
        <parameter name="user"                  value="AL-private"/>
        <parameter name="passwordCallbackClass" value="com.example.GimmeALsPassword"/>
        <parameter name="signaturePropFile"     value="crypto.properties" />
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>

7. write a class, com.example.GimmeALsPassword:

package com.example;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// class name must match the passwordCallbackClass parameter in client-config.wsdd
public class GimmeALsPassword implements CallbackHandler {
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int x = 0; x < callbacks.length; ++x) {
            // WSS4J hands over a WSPasswordCallback; anything else is unexpected
            if (!(callbacks[x] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[x], "Unrecognized Callback");
            }
            WSPasswordCallback callback = (WSPasswordCallback) callbacks[x];
            // the identifier is the "user" parameter from client-config.wsdd, i.e. the key alias
            String id = callback.getIdentifer();
            if ("AL-private".equals(id)) {
                callback.setPassword("whatever you used in step 1");
            }
        }
    }
}

8. package up the callback, the client-config.wsdd, the private key file, your 
client classes (if any), and ship those
to the client.

9. and then...  what goes on the server?  the public key, the cert, or the 
private key?  the private key makes no
sense - only the client is supposed to have the private key.  the cert is 
supposed to join the public and private
keys, yes?  but then how do you write your server-config.wsdd to use it?  is 
the user name AL-private?  so
confusing... :-/

help.  please.  once i get this all figured out i'll write a wiki page and put 
it somewhere around
http://wiki.apache.org/ws/RonReynolds (tho first i have to figure out how to 
create a wiki page other than my own...)

so, when's "WSS4J For Smarties And Dummies" coming out? :)

................ron.
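The key-handling part of steps 1 through 9 in the mail above, reduced to plain Go standard-library calls as an added example (this is not Ron's code and not WSS4J's): the client signs with the private key, and the server verifies with nothing but the exported certificate. RSA-2048, SHA-256, the common name and the 24-hour validity are assumptions made here, not keytool or WSS4J defaults.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewClientIdentity mirrors keytool -genkey, -selfcert and -export: it returns the
// private key (ships only to the client) and the DER-encoded self-signed certificate
// (the AL.cert of step 3) carrying the matching public key. RSA-2048 is an assumption.
func NewClientIdentity(cn string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, certDER, nil
}

// Sign is the client's side (what WSDoAllSender does with action=Signature):
// only the holder of the private key can produce this signature.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	sum := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
}

// Verify is the server's side: it is given only the certificate, never the private
// key; the public key inside it is all that is needed. Tampering or a foreign key fails.
func Verify(certDER, msg, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig) == nil
}
```

So the answer to step 9 in these terms: the server's keystore holds the client's certificate under some alias, while the private keystore stays with the client.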

