> you do not need the private key to verify the signature.

that part certainly makes sense, otherwise it would be symmetric crypto, right? but the client passes the certificate along with their message? ah, and that cert is signed by someone trusted by the server and thus the server trusts the client. and in my case i need to create a cert for the server so it can sign all the client's certificates and thus only a client with a certificate signed with the server's cert is accepted by the server... :-?

so every signed SOAP message comes in with the X509 encoded in the header? that seems a little inefficient if the client makes a lot of requests... any way to prepopulate the server with client certs and then only allow those clients in? ah, that's the "some other reference, then you need keystore on the server side" part i would guess. any way on the server side to tell the server not to accept new X509 certificates but only these references? this is reaching the cost point with my simple in-house server that i might just go back to my custom MD5-xor-secretkey idea just to hit my deadline...

> Ron
>
> I guess for the client side you use AL-pvt.key as merlin.file (I
> suggest you use better suffixes, like .jks if you are using JKS, for the
> stores).
>
> On the server side, you may or may not need a keystore - depending on how
> you pass the key in the request. If the default behavior of WSDoAllSender is
> to put a binary security token, then you do not require a keystore - the
> base64 encoded cert will be embedded in the request and the server can use
> that to verify the signature.
> If the binary security token is not included in the request, but some other
> reference, then you need a keystore on the server side. In that case, you are
> better off creating another store and importing the AL.cert into it.
>
> For basics - you do not need the private key to verify the signature.
>
> thanks,
> Samrat
>
>
> On 10/20/05, Ron Reynolds <[EMAIL PROTECTED]> wrote:
>>
>> maybe this is just my lack of crypto knowledge showing, but i'm still not
>> clear on how the server verifies the signature the client put on its message.
>> as i (sorta) understand things (from http://www.devx.com/Java/Article/28816/0/ ), you
>>
>> 1. generate 2 keys (any particular -keyalg, -keysize, -sigalg, -storetype
>> or will any valid ones work?)
>>
>> keytool -genkey -alias AL-private -keystore al-pvt.key
>> keytool -genkey -alias AL-public -keystore al-pub.key
>>
>> 2. self-sign the keys
>>
>> keytool -selfcert -alias AL-private -keystore al-pvt.key
>> keytool -selfcert -alias AL-public -keystore al-pub.key
>>
>> 3. generate a certificate
>>
>> keytool -export -keystore al-pub.key -alias AL-public -file AL.cert
>>
>> 4. import the certificate into the private keystore
>>
>> keytool -import -alias AL-public -file AL.cert -keystore al-pvt.key
>>
>> 5. create a crypto.properties file (note, alias and password now not used
>> according to this archived email -
>> http://66.102.7.104/search?q=cache:UcxnQ8nN4_AJ:archives.devshed.com/a/ml/200409-844703/AW-AW-Problem-with-Signatures-Unexpected-number-of-X509Data-f+Unexpected+number+of+X509Data:+for+Signature&hl=en
>> )
>>
>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=<whatever you used in step 1>
>> org.apache.ws.security.crypto.merlin.keystore.password=<whatever you used in step 1>
>> org.apache.ws.security.crypto.merlin.file=???
>>
>> now, the file is unclear - is that the cert, the public key file, or the
>> private key file? if it's the public key then, given what i think is meant
>> by "public" and "private" key, anybody could sign this message. so my guess
>> is it's the private key file or the cert file (tho the client doesn't need
>> its public key so that also makes little sense), so we'll assume
>>
>> org.apache.ws.security.crypto.merlin.file=al-pvt.key
>>
>> 6. create a client-config.wsdd file that contains at least:
>>
>> <deployment xmlns="http://xml.apache.org/axis/wsdd/"
>>             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
>>   <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
>>   <globalConfiguration>
>>     <requestFlow>
>>       <!-- add the header that adds the signature -->
>>       <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>>         <parameter name="action" value="Signature"/>
>>         <parameter name="user" value="AL-private"/>
>>         <parameter name="passwordCallbackClass" value="com.example.GimmeALsPassword"/>
>>         <parameter name="signaturePropFile" value="crypto.properties"/>
>>       </handler>
>>     </requestFlow>
>>   </globalConfiguration>
>> </deployment>
>>
>> 7. write a class, com.example.GimmeALsPassword:
>>
>> package com.example;
>>
>> import java.io.IOException;
>> import javax.security.auth.callback.Callback;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.callback.UnsupportedCallbackException;
>> import org.apache.ws.security.WSPasswordCallback;
>>
>> // class name matches the passwordCallbackClass parameter in step 6
>> public class GimmeALsPassword implements CallbackHandler {
>>     public void handle(Callback[] callbacks)
>>             throws IOException, UnsupportedCallbackException {
>>         for (int x = 0; x < callbacks.length; ++x) {
>>             if (!(callbacks[x] instanceof WSPasswordCallback)) {
>>                 throw new UnsupportedCallbackException(callbacks[x], "Unrecognized Callback");
>>             }
>>             WSPasswordCallback callback = (WSPasswordCallback) callbacks[x];
>>             // WSS4J asks for the key password of the alias named by the "user" parameter
>>             String id = callback.getIdentifer();   // sic: this is how WSS4J spells the method
>>             if ("AL-private".equals(id)) {
>>                 callback.setPassword("whatever you used in step 1");
>>             }
>>         }
>>     }
>> }
>>
>> 8. package up the callback, the client-config.wsdd, the private key file,
>> your client classes (if any), and ship those to the client.
>>
>> 9. and then... what goes on the server? the public key, the cert, or the
>> private key? the private key makes no sense - only the client is supposed
>> to have the private key. the cert is supposed to join the public and private
>> keys, yes? but then how do you write your server-config.wsdd to use it? is
>> the user name AL-private? so confusing... :-/
>>
>> help. please. once i get this all figured out i'll write a wiki page and
>> put it somewhere around http://wiki.apache.org/ws/RonReynolds (tho first i
>> have to figure out how to create a wiki page other than my own...)
>>
>> so, when's "WSS4J For Smarties And Dummies" coming out? :)
>>
>> ................ron.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
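The following script is an added example, not something posted in the thread and not part of WSS4J or Axis. It walks the setup the thread is circling around (Ron's steps 1 to 5 and 9, and Samrat's "create another store and import the AL.cert into it"): one keytool -genkey on the client produces the private key and its self-signed certificate together, so the second "public" keystore and the -selfcert step are not needed; the certificate alone goes into a separate truststore that the server's WSDoAllReceiver uses as its signaturePropFile store. The handler class names and crypto.properties keys are the ones already used in the thread; the store file names, alias, passwords and DN are made up for the example. The server needs no "user" and no password callback for Signature, because verifying uses no private key. WSDoAllReceiver checks the signing certificate against the store named in its signaturePropFile (directly, or through its issuer), whether or not the certificate travels in the message as a BinarySecurityToken, so populating that store is the "only allow these clients in" control the thread asks about: a message signed with some other self-signed certificate fails verification.

```sh
#!/bin/sh
# Added example (not from the thread). All names and passwords are constructed.
set -eu

CLIENT_ALIAS="AL-private"          # must equal the "user" parameter in client-config.wsdd
CLIENT_STORE="al-client.jks"       # private key + self-signed cert; stays on the client
SERVER_STORE="server-trust.jks"    # only certificates of clients the server accepts
CLIENT_STOREPASS="client-store-pw" # constructed for the example
SERVER_STOREPASS="server-store-pw"

# Build the client keystore, export its certificate, and import that
# certificate (no private key) into the server truststore.
make_stores() {
    dir=$1
    # -genkey creates the private key and its self-signed certificate in one
    # step, so there is no separate "public" store and no -selfcert run.
    keytool -genkey -alias "$CLIENT_ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -dname "CN=AL client, O=Example" \
        -storetype JKS -keystore "$dir/$CLIENT_STORE" \
        -storepass "$CLIENT_STOREPASS" -keypass "$CLIENT_STOREPASS"
    keytool -export -alias "$CLIENT_ALIAS" -file "$dir/AL.cer" \
        -keystore "$dir/$CLIENT_STORE" -storepass "$CLIENT_STOREPASS"
    # keytool creates the truststore on first import; it holds a trustedCertEntry only
    keytool -import -noprompt -alias "al-client" -file "$dir/AL.cer" \
        -storetype JKS -keystore "$dir/$SERVER_STORE" -storepass "$SERVER_STOREPASS"
}

# Client side: merlin.file is the store holding the private key.
write_client_props() {
    cat > "$1/client-crypto.properties" <<EOF
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=$CLIENT_STOREPASS
org.apache.ws.security.crypto.merlin.file=$CLIENT_STORE
EOF
}

# Server side: merlin.file is the truststore; signing certs not in it (and not
# issued by something in it) fail verification.
write_server_props() {
    cat > "$1/server-crypto.properties" <<EOF
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=$SERVER_STOREPASS
org.apache.ws.security.crypto.merlin.file=$SERVER_STORE
EOF
}

# Receiver-side wsdd: Signature action, no "user" and no passwordCallbackClass.
write_server_wsdd() {
    cat > "$1/server-config.wsdd" <<'EOF'
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="action" value="Signature"/>
        <parameter name="signaturePropFile" value="server-crypto.properties"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
EOF
}

write_configs() {
    write_client_props "$1"
    write_server_props "$1"
    write_server_wsdd "$1"
}

# Prints the number of private-key entries in a store: 1 expected for the
# client store, 0 for the server truststore.
private_key_entries() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c 'PrivateKeyEntry' || true
}

if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_stores "$work"
    write_configs "$work"
    echo "client store private keys: $(private_key_entries "$work/$CLIENT_STORE" "$CLIENT_STOREPASS")"
    echo "server store private keys: $(private_key_entries "$work/$SERVER_STORE" "$SERVER_STOREPASS")"
    echo "generated in $work:"; ls "$work"
else
    echo "keytool not on PATH; keystore creation skipped" >&2
fi
```

Ship al-client.jks, client-crypto.properties, client-config.wsdd and the callback class to the client; the server gets server-trust.jks, server-crypto.properties and server-config.wsdd. To add a second client later, import only its exported certificate into server-trust.jks; to revoke one, delete that alias (keytool -delete) and the server stops accepting its signatures.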
