Thanks Emanuel,
is there anyone who has done signature and encryption programmatically, verifying successfully on the server side?
Is there a possibility to decrypt a SOAP message programmatically? I found many errors, but probably I don't do it the right way.
best regards.
Alessandro
Emanuel Haisiuc wrote:
Hi Alessandro,
I'm sorry, but I cannot answer your question. I'm new to wss4j
(about a week) and I'm trying now to do something programmatically. All
I've managed to do is to set the parameters through the wsdd
configuration files, and make it work.
I hope someone with more experience will read this thread and answer to you.
Regards,
Emanuel
On 2/9/06, Alessandro Gilardoni <[EMAIL PROTECTED]> wrote:
Hi Emanuel,
I'm trying to sign a message (programmatically with wss4j) and to send it
to a server that must verify it with wss4j.
I sign the message programmatically while the server is deployed with a
deployment descriptor. I always have a signature verification fault.
To sign the message and verify it on the client side I need to set up
the actor (WSSignEnvelope builder = new WSSignEnvelope("some sort of
actor"); ), otherwise the verification fails also on the client side.
If I do on the client side:
    Document doc = unsignedEnvelope.getSOAPEnvelope().getAsDocument();
    WSSignEnvelope builder = new WSSignEnvelope();
    builder.setUserInfo(privateKeyAlias, privateKeyPass);
    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); // This does embed the certificate.
    Document signedDoc = builder.build(doc, crypto);
    Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
    Document Doc1 = signedMsg.getSOAPEnvelope().getAsDocument();
    verify(Doc1);
I have a signature verification fault, but if I put an actor
(WSSignEnvelope builder = new WSSignEnvelope("client");) the signature
verification is ok... but not on the server side...
Any hints?
Sorry to send a very long e-mail, but no one answers my previous emails...
best regards.
Last question: is it possible to decrypt a SOAP message programmatically?
HOW?
Alessandro
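A complete round trip, added here as an example and not code from anyone in this thread: it signs the Body under an explicit actor with WSSignEnvelope, encrypts it with WSEncryptBody, and then does programmatically what the server-side handler does internally, WSSecurityEngine.processSecurityHeader, which decrypts the Body and verifies the signature in one pass. The receiving side must ask for the same actor the sender put on the wsse:Security header; with WSS4J's Axis handlers that is the handler parameter named actor, so a client signing with actor "client" needs the receiver configured for that actor as well, otherwise no header is found. The engine only checks that the signature is cryptographically valid; whether the signing certificate is one you trust is a separate decision, shown here as a lookup of the signer certificate in the local keystore. Assumed (all placeholders): the WSS4J 1.x API of the time under org.apache.ws.security, a JKS file alice.jks holding a key entry alice, and the password changeit for both store and key.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Properties;
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSEncryptBody;
import org.apache.ws.security.message.WSSignEnvelope;
import org.w3c.dom.Document;

/** Sign + encrypt under an actor, then verify + decrypt with the same actor (WSS4J 1.x API assumed). */
public class WssActorRoundTrip {
    // Constructed sample envelope and placeholder credentials; none of this comes from the thread.
    static final String SOAP =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><ns:ping xmlns:ns=\"urn:example:ping\">hello</ns:ping></soapenv:Body>"
      + "</soapenv:Envelope>";
    static final String ALIAS = "alice";     // assumed key entry in alice.jks
    static final String PASS = "changeit";   // assumed keystore and key password
    static final String ACTOR = "client";

    /** Hands WSS4J the private-key password for the alias it names (getIdentifer is the real, misspelled method). */
    static final class PwCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (!(callbacks[i] instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(callbacks[i]);
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                if (ALIAS.equals(pc.getIdentifer())) pc.setPassword(PASS);
            }
        }
    }

    static Crypto loadCrypto() throws Exception {
        String cryptoClass = "org.apache.ws.security.components.crypto.Merlin";
        Properties p = new Properties();
        p.put("org.apache.ws.security.crypto.provider", cryptoClass);
        p.put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
        p.put("org.apache.ws.security.crypto.merlin.keystore.password", PASS);
        p.put("org.apache.ws.security.crypto.merlin.file", "alice.jks");   // assumed path
        return CryptoFactory.getInstance(cryptoClass, p);
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // XML-DSig/WSS processing needs a namespace-aware DOM
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    /** Signs the Body; the wsse:Security header carries the given actor (null leaves the attribute out). */
    static Document sign(Document doc, Crypto crypto, String actor) throws WSSecurityException {
        WSSignEnvelope builder = actor == null ? new WSSignEnvelope() : new WSSignEnvelope(actor);
        builder.setUserInfo(ALIAS, PASS);
        builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); // embeds the certificate
        return builder.build(doc, crypto);
    }

    /** Encrypts the Body to the certificate stored under recipientAlias (public key only, no password needed). */
    static Document encrypt(Document doc, Crypto crypto, String actor, String recipientAlias) throws WSSecurityException {
        WSEncryptBody enc = actor == null ? new WSEncryptBody() : new WSEncryptBody(actor);
        enc.setUserInfo(recipientAlias);
        return enc.build(doc, crypto);
    }

    /** Receiver side: processes the Security header addressed to this actor (decrypts in place, verifies the signature). */
    static X509Certificate verifyAndDecrypt(Document doc, String actor, Crypto crypto) throws Exception {
        Vector results = WSSecurityEngine.getInstance().processSecurityHeader(doc, actor, new PwCallback(), crypto, crypto);
        if (results == null) throw new IllegalStateException("no wsse:Security header for actor " + actor);
        X509Certificate signer = null;
        boolean decrypted = false;
        for (Iterator it = results.iterator(); it.hasNext();) {
            WSSecurityEngineResult r = (WSSecurityEngineResult) it.next();
            if (r.getAction() == WSConstants.SIGN) signer = r.getCertificate();
            if (r.getAction() == WSConstants.ENCR) decrypted = true;
        }
        if (signer == null || !decrypted) throw new IllegalStateException("expected both a signature and an encrypted Body");
        // A valid signature is not yet a trusted one: insist that the signer's certificate is in our keystore.
        if (crypto.getAliasForX509Cert(signer) == null)
            throw new IllegalStateException("signer certificate not in keystore: " + signer.getSubjectDN());
        return signer;
    }

    public static void main(String[] args) throws Exception {
        Crypto crypto = loadCrypto();
        Document sealed = encrypt(sign(parse(SOAP), crypto, ACTOR), crypto, ACTOR, ALIAS);
        X509Certificate signer = verifyAndDecrypt(sealed, ACTOR, crypto);   // same actor: succeeds
        System.out.println("verified and decrypted; signer = " + signer.getSubjectDN());
        Document sealedAgain = encrypt(sign(parse(SOAP), crypto, ACTOR), crypto, ACTOR, ALIAS);
        try {
            verifyAndDecrypt(sealedAgain, "server", crypto);               // receiver asks for another actor
            System.out.println("unexpected: header under a different actor was accepted");
        } catch (Exception e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The example encrypts to its own certificate so that one keystore serves both sides; in a real deployment the encrypt step uses the server's certificate (a trusted-cert entry) and the decrypt Crypto is the server's private keystore. The order matters as well: WSEncryptBody places its EncryptedKey ahead of the Signature in the header, which is why a single processSecurityHeader call can decrypt first and then verify.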
Emanuel Haisiuc wrote:
I've managed to get it working by setting the user parameter in the
wsdd file to match the alias of the searched certificate in the
keystore. In the PWCallback class I'm setting the password for that
certificate. And it works fine :)
Emanuel
On 2/8/06, [EMAIL PROTECTED] wrote:
I think the answer may depend on how you are using Axis/WSS4J.
I'm not using any config files, and doing everything in a
handler. Here's an example of my code, but I'm no expert so this
could be a really bad (but working) example ;-)
You can see I set the cert alias and password both in my
Properties object for the Crypto, and via the
WSSignEnvelope.setKeyIdentifier() method. Not sure if this is
necessary or the best way, but it works for me. I haven't made
time for "code cleanup" yet.
[...snip...]
    Message requestMessage = msgContext.getRequestMessage();
    SOAPEnvelope unsignedEnvelope = requestMessage.getSOAPEnvelope();
    Document doc = unsignedEnvelope.getAsDocument();

    // WSS4J Start ---------------------------------------------
    /*
     * Instantiate Crypto for WSS4J via dynamic methods. Domino agents
     * can't see file resources, plus we need to compute the keystore
     * location anyway.
     */
    String cryptoClassName = "org.apache.ws.security.components.crypto.BouncyCastle"; // "org.apache.ws.security.components.crypto.Merlin"
    Properties properties = new Properties();
    properties.put("org.apache.ws.security.crypto.provider", cryptoClassName);
    properties.put("org.apache.ws.security.crypto.merlin.keystore.type", keystoreType);
    properties.put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePass);
    properties.put("org.apache.ws.security.crypto.merlin.keystore.alias", privateKeyAlias);
    properties.put("org.apache.ws.security.crypto.merlin.alias.password", privateKeyPass);
    properties.put("org.apache.ws.security.crypto.merlin.file", keystoreFile);
    Crypto crypto = CryptoFactory.getInstance(cryptoClassName, properties);

    WSSignEnvelope builder = new WSSignEnvelope();
    builder.setUserInfo(privateKeyAlias, privateKeyPass);
    // builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); // Doesn't embed the certificate.
    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); // This does embed the certificate.
    WSSAddUsernameToken usernameToken = new WSSAddUsernameToken();
    builder.setUsernameToken(usernameToken);
    Document signedDoc = builder.build(doc, crypto);

    /*
     * Convert the resulting document into a message first. The
     * toSOAPMessage() method performs the necessary c14n call to
     * properly set up the signed document and convert it into a SOAP
     * message.
     */
    Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
    if (logger.isDebugEnabled()) {
        logger.debug("Signed message:");
        XMLUtils.PrettyElementToWriter(signedMsg.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out));
    }
    /*
     * Extract as a document again if further processing is needed:
     * signedDoc = signedMsg.getSOAPEnvelope().getAsDocument();
     */
    /*
     * Set signed message as current message.
     */
    msgContext.setCurrentMessage(signedMsg);
    // WSS4J End ---------------------------------------------
[...snip...]
Emanuel Haisiuc <[EMAIL PROTECTED]>
02/08/2006 11:31 AM
To: [EMAIL PROTECTED], [email protected]
Subject: Re: Exception: General security error (Unexpected number of X509Data: for Signature)
I have the same sense about this one.
My question is: how do I indicate to the client which key to use
from the keystore?
Is the "user" parameter from the handler in the client's
configuration wsdd file used to identify the certificate to be
used from the keystore?
Hope my questions make sense.
Thank you!
Emanuel
On 2/8/06, [EMAIL PROTECTED] wrote:
When I got that error, it was because the machine I was running on
didn't have the certificate in the keystore. In your case that
would be the cert "ehpubcert".
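A pre-flight check for exactly this situation, added here as an example and not code from anyone in the thread: before WSS4J is involved at all, open the keystore named in the crypto .props file (the same property names as in the cx509sign.props shown further down) and confirm that the alias the handler will use is present, is a key entry rather than a trusted-certificate entry (a certificate alone cannot sign), and that the key password unlocks it. It also prints the MD5 fingerprint in keytool's format so it can be compared against a keytool -list listing. Pass it the value of the handler's user parameter as the alias, which is the value that has to match the keystore. Assumed: plain JDK only; the file paths and passwords come from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;

/** Verifies that a WSS4J Merlin-style .props file points at a keystore holding a usable key entry for an alias. */
public class KeystorePreflight {
    static final String PFX = "org.apache.ws.security.crypto.merlin.";

    /** Returns the problems found; an empty list means the alias can be used for signing. */
    static List check(Properties props, String expectedAlias, String keyPass) throws Exception {
        List problems = new ArrayList();
        String type = props.getProperty(PFX + "keystore.type", "jks");
        String storePass = props.getProperty(PFX + "keystore.password");
        String file = props.getProperty(PFX + "file");
        if (file == null || storePass == null) {
            problems.add("props must set " + PFX + "file and " + PFX + "keystore.password");
            return problems;
        }
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(file);
        try { ks.load(in, storePass.toCharArray()); } finally { in.close(); }

        if (!ks.containsAlias(expectedAlias)) {   // the "user" parameter does not name an entry: WSS4J cannot find a cert
            StringBuffer sb = new StringBuffer("alias '" + expectedAlias + "' not found in " + file + "; present:");
            for (Enumeration e = ks.aliases(); e.hasMoreElements();) sb.append(' ').append(e.nextElement());
            problems.add(sb.toString());
            return problems;
        }
        if (!ks.isKeyEntry(expectedAlias)) {
            problems.add("alias '" + expectedAlias + "' is a trusted-cert entry: no private key, so it cannot sign");
            return problems;
        }
        try {
            ks.getKey(expectedAlias, keyPass.toCharArray());   // what the password callback must be able to unlock
        } catch (UnrecoverableKeyException e) {
            problems.add("key password for '" + expectedAlias + "' is wrong (alias.password / password callback)");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(expectedAlias);
        System.out.println(expectedAlias + ": " + cert.getSubjectDN() + ", fingerprint (MD5) " + fingerprint(cert));
        return problems;
    }

    /** Same colon-separated upper-case hex form that keytool -list prints, so the two can be compared by eye. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(cert.getEncoded());
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            String h = Integer.toHexString(d[i] & 0xff).toUpperCase();
            if (h.length() == 1) sb.append('0');
            sb.append(h);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystorePreflight <crypto.props> <user-alias> <key-password>");
            System.exit(2);
        }
        Properties props = new Properties();
        FileInputStream in = new FileInputStream(args[0]);
        try { props.load(in); } finally { in.close(); }
        List problems = check(props, args[1], args[2]);
        if (problems.isEmpty()) {
            System.out.println("OK: '" + args[1] + "' is a key entry and the key password is accepted");
            return;
        }
        for (Iterator it = problems.iterator(); it.hasNext();) System.out.println("PROBLEM: " + it.next());
        System.exit(1);
    }
}
```

Run against the configuration quoted below in this thread, a mismatch between the handler's user value and the keystore alias shows up as "alias not found", with the aliases that do exist listed beside it, before any "Unexpected number of X509Data" error can occur.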
Emanuel Haisiuc <[EMAIL PROTECTED]>
02/08/2006 10:24 AM
To: [EMAIL PROTECTED]
Subject: Exception: General security error (Unexpected number of X509Data: for Signature)
Hi!
I'm getting this exception when trying to run my client:
08.02.2006 18:16:30 org.apache.ws.security.components.crypto.CryptoFactory loadClass
INFO: Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
Unable to make the call to method: WSHandler: Signature: error during message procesingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
My client's wsdd file is:
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender" />
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Signature" />
        <parameter name="signaturePropFile" value="cx509sign.props" />
        <parameter name="signatureKeyIdentifier" value="DirectReference" />
        <parameter name="passwordCallbackClass" value="javawsx509signingclient.PWCallback" />
        <parameter name="user" value="manu" />
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>
where cx509sign.props is:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=foobar
org.apache.ws.security.crypto.merlin.keystore.alias=ehpubcert
org.apache.ws.security.crypto.merlin.alias.password=foobar
org.apache.ws.security.crypto.merlin.file=c:/publicks/pubkeystore
Pubkeystore listing is:
C:\publicks>keytool -list -keystore pubkeystore
Enter keystore password: foobar
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
ehpubcert, 08.02.2006, keyEntry,
Certificate fingerprint (MD5): 5E:87:4F:3A:48:78:4C:33:1A:03:F9:7C:2E:DE:98:81
What should I look for and what, to make it work?
Thank you!
Emanuel
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]