To do it programmatically on the server side you use
the WSSecurityEngine. Feed the SOAP message (as document)
and the relevant parameters into one of the process*()
methods and when it returns the document (SOAP envelope)
is decrypted and verified (if it contains a Signature).
The return data contains information about the processed
contents.

Regards,
Werner

> -----Original Message-----
> From: Alessandro Gilardoni [mailto:[EMAIL PROTECTED]
> Sent: Friday, 10 February 2006 08:17
> To: Emanuel Haisiuc
> Cc: [email protected]
> Subject: Re: Exception: General security error (Unexpected number of X509Data: for Signature)
> 
> Thanks Emanuel,
> is there anyone who has done signature and encryption programmatically,
> verifying successfully on the server side?
> Is there a possibility to decrypt a SOAP message programmatically? I
> found many errors, but probably I'm not doing it the right way.
> Best regards.
> Alessandro
> 
> 
> Emanuel Haisiuc wrote:
> > Hi Alessandro,
> >
> > I'm sorry, but I cannot answer your question. I'm new to wss4j
> > (about a week) and I'm trying now to do something programmatically. All
> > I've managed to do is to set the parameters through the wsdd
> > configuration files, and make it work.
> >
> > I hope someone with more experience will read this thread and answer you.
> >
> > Regards,
> > Emanuel
> >
> > On 2/9/06, Alessandro Gilardoni <[EMAIL PROTECTED]> wrote:
> >   
> >> Hi Emanuel,
> >> I'm trying to sign a message (programmatically with wss4j) and to send it
> >> to a server that must verify it with wss4j.
> >> I sign the message programmatically while the server is deployed with a
> >> deployment descriptor. I always get a signature verification fault.
> >> To sign the message and verify it on the client side I need to set up
> >> the actor (WSSignEnvelope builder = new WSSignEnvelope("some sort of
> >> actor"); ) otherwise the verification also fails on the client side.
> >> If I do on the client side:
> >>
> >>     Document doc = unsignedEnvelope.getSOAPEnvelope().getAsDocument();
> >>     WSSignEnvelope builder = new WSSignEnvelope();
> >>     builder.setUserInfo(privateKeyAlias, privateKeyPass);
> >>     // This does embed the certificate.
> >>     builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
> >>     Document signedDoc = builder.build(doc, crypto);
> >>     Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
> >>     Document Doc1 = signedMsg.getSOAPEnvelope().getAsDocument();
> >>     verify(Doc1);
> >>
> >> I have a signature verification fault, but if I put an actor
> >> (WSSignEnvelope builder = new WSSignEnvelope("client");) the signature
> >> verification is OK ..... but not on the server side....
> >> Any hints?
> >> Sorry to send a very long e-mail but no one answered my previous emails...
> >> Best regards.
> >> Last question: is it possible to decrypt a SOAP message programmatically?
> >> HOW?
> >>
> >>
> >> Alessandro
> >>
> >>
> >>
> >>
> >>
> >> Emanuel Haisiuc wrote:
> >>     
> >>> I've managed to get it working by setting the user parameter in the
> >>> wsdd file to match the alias of the searched certificate in the
> >>> keystore. In the PWCallback class I'm setting the password for that
> >>> certificate. And it works fine :)
> >>>
> >>> Emanuel
> >>>
> >>>
> >>>
> >>> On 2/8/06, [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>*
> >>> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
> >>>
> >>>
> >>>     I think the answer may depend on how you are using Axis/WSS4J.
> >>>     I'm not using any config files, and doing everything in a
> >>>     handler.  Here's an example of my code, but I'm no expert so this
> >>>     could be a really bad (but working) example ;-)
> >>>
> >>>     You can see I set the cert alias and password both in my
> >>>     Properties object for the Crypto, and via the
> >>>     WSSignEnvelope.setKeyIdentifier() method.  Not sure if this is
> >>>     necessary or the best way, but it works for me.  I haven't made
> >>>     time for "code cleanup" yet.
> >>>
> >>>         [...snip...]
> >>>         Message requestMessage = msgContext.getRequestMessage();
> >>>         SOAPEnvelope unsignedEnvelope = requestMessage.getSOAPEnvelope();
> >>>         Document doc = unsignedEnvelope.getAsDocument();
> >>>
> >>>         // WSS4J Start ---------------------------------------------
> >>>
> >>>         /*
> >>>          * Instantiate Crypto for WSS4J via dynamic methods. Domino agents
> >>>          * can't see file resources, plus we need to compute the keystore
> >>>          * location anyway.
> >>>          */
> >>>         String cryptoClassName =
> >>>             "org.apache.ws.security.components.crypto.BouncyCastle";
> >>>             // "org.apache.ws.security.components.crypto.Merlin"
> >>>         Properties properties = new Properties();
> >>>         properties.put("org.apache.ws.security.crypto.provider",
> >>>             cryptoClassName);
> >>>         properties.put("org.apache.ws.security.crypto.merlin.keystore.type",
> >>>             keystoreType);
> >>>         properties.put("org.apache.ws.security.crypto.merlin.keystore.password",
> >>>             keystorePass);
> >>>         properties.put("org.apache.ws.security.crypto.merlin.keystore.alias",
> >>>             privateKeyAlias);
> >>>         properties.put("org.apache.ws.security.crypto.merlin.alias.password",
> >>>             privateKeyPass);
> >>>         properties.put("org.apache.ws.security.crypto.merlin.file",
> >>>             keystoreFile);
> >>>         Crypto crypto = CryptoFactory.getInstance(cryptoClassName, properties);
> >>>
> >>>         WSSignEnvelope builder = new WSSignEnvelope();
> >>>         builder.setUserInfo(privateKeyAlias, privateKeyPass);
> >>>         // Doesn't embed the certificate.
> >>>         // builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
> >>>         // This does embed the certificate.
> >>>         builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
> >>>         WSSAddUsernameToken usernameToken = new WSSAddUsernameToken();
> >>>         builder.setUsernameToken(usernameToken);
> >>>         Document signedDoc = builder.build(doc, crypto);
> >>>
> >>>         /*
> >>>          * Convert the resulting document into a message first. The
> >>>          * toSOAPMessage() method performs the necessary c14n call to
> >>>          * properly set up the signed document and convert it into a SOAP
> >>>          * message.
> >>>          */
> >>>         Message signedMsg = (Message) SOAPUtil.toSOAPMessage(signedDoc);
> >>>         if (logger.isDebugEnabled()) {
> >>>             logger.debug("Signed message:");
> >>>             XMLUtils.PrettyElementToWriter(
> >>>                 signedMsg.getSOAPEnvelope().getAsDOM(),
> >>>                 new PrintWriter(System.out));
> >>>         }
> >>>
> >>>         /*
> >>>          * Extract as a document again if need further processing. signedDoc =
> >>>          * signedMsg.getSOAPEnvelope().getAsDocument();
> >>>          */
> >>>
> >>>         /*
> >>>          * Set signed message as current message.
> >>>          */
> >>>         msgContext.setCurrentMessage(signedMsg);
> >>>
> >>>         // WSS4J End ---------------------------------------------
> >>>         [...snip...]
> >>>
> >>>
> >>>
> >>>
> >>>     *Emanuel Haisiuc <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>*
> >>>     02/08/2006 11:31 AM
> >>>
> >>>     To: "[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>, [email protected] <mailto:[email protected]>
> >>>     cc:
> >>>     Subject: Re: Exception: General security error (Unexpected number of X509Data: for Signature)
> >>>
> >>>     I have the same sense about this one.
> >>>
> >>>     My question is: how do I indicate to the client which key to use
> >>>     from the keystore?
> >>>
> >>>     Is the "user" parameter from the handler in the client's
> >>>     configuration wsdd file used to identify the certificate to be
> >>>     used from the keystore?
> >>>
> >>>     Hope my questions make sense.
> >>>
> >>>     Thank you!
> >>>
> >>>     Emanuel
> >>>
> >>>
> >>>     On 2/8/06, [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >>>     <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
> >>>
> >>>     When I got that error, it was because the machine I was running on
> >>>     didn't have the certificate in the keystore.  In your case that
> >>>     would be the cert "ehpubcert".
> >>>
> >>>
> >>>
> >>>     *Emanuel Haisiuc <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>*
> >>>     02/08/2006 10:24 AM
> >>>
> >>>     To: [EMAIL PROTECTED] <mailto:[email protected]>
> >>>     cc:
> >>>     Subject: Exception: General security error (Unexpected number of X509Data: for Signature)
> >>>
> >>>     Hi!
> >>>
> >>>     I'm getting this exception when trying to run my client:
> >>>
> >>>     08.02.2006 18:16:30 org.apache.ws.security.components.crypto.CryptoFactory loadClass
> >>>     INFO: Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> >>>     Unable to make the call to method: WSHandler: Signature: error during message procesingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
> >>>
> >>>     My client's wsdd file is:
> >>>
> >>>     <deployment xmlns="http://xml.apache.org/axis/wsdd/"
> >>>                 xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
> >>>       <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender" />
> >>>       <globalConfiguration>
> >>>         <requestFlow>
> >>>           <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> >>>             <parameter name="action" value="Signature" />
> >>>             <parameter name="signaturePropFile" value="cx509sign.props" />
> >>>             <parameter name="signatureKeyIdentifier" value="DirectReference" />
> >>>             <parameter name="passwordCallbackClass" value="javawsx509signingclient.PWCallback" />
> >>>             <parameter name="user" value="manu" />
> >>>           </handler>
> >>>         </requestFlow>
> >>>       </globalConfiguration>
> >>>     </deployment>
> >>>
> >>>     where cx509sign.props is:
> >>>
> >>>     org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> >>>     org.apache.ws.security.crypto.merlin.keystore.type=jks
> >>>     org.apache.ws.security.crypto.merlin.keystore.password=foobar
> >>>     org.apache.ws.security.crypto.merlin.keystore.alias=ehpubcert
> >>>     org.apache.ws.security.crypto.merlin.alias.password=foobar
> >>>     org.apache.ws.security.crypto.merlin.file=c:/publicks/pubkeystore
> >>>
> >>>     Pubkeystore listing is:
> >>>
> >>>     C:\publicks>keytool -list -keystore pubkeystore
> >>>     Enter keystore password:  foobar
> >>>
> >>>     Keystore type: jks
> >>>     Keystore provider: SUN
> >>>
> >>>     Your keystore contains 1 entry
> >>>
> >>>     ehpubcert, 08.02.2006, keyEntry,
> >>>     Certificate fingerprint (MD5):
> >>>     5E:87:4F:3A:48:78:4C:33:1A:03:F9:7C:2E:DE:98:81
> >>>
> >>>     What should I look for and what, to make it work?
> >>>
> >>>     Thank you!
> >>>
> >>>     Emanuel
> >>>
> >>>     
> ---------------------------------------------------------------------
> >>>     To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>     <mailto:[EMAIL PROTECTED]>
> >>>     For additional commands, e-mail: 
> [EMAIL PROTECTED] _
> >>>     <mailto:[EMAIL PROTECTED]>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>       
> >>     
> >
> >
> >   
> 
> 
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
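
The server-side call described in the reply at the top of this thread, as an added example that is not part of the original messages or of the WSS4J code base. It assumes the WSS4J 1.x API of this thread's era (`WSSecurityEngine.processSecurityHeader`, `WSSecurityUtil.fetchActionResult`); the class name, the properties file name and the password are hypothetical placeholders.

```java
import java.io.IOException;
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;

public class ServerSideVerifier implements CallbackHandler {
    // Assumption: a Merlin properties file on the classpath, same keys as cx509sign.props.
    private final Crypto crypto = CryptoFactory.getInstance("server-crypto.properties");

    // Called by the engine when it needs the private-key password to decrypt.
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
            // Placeholder password; look it up per key alias in real code.
            ((WSPasswordCallback) callbacks[i]).setPassword("placeholder-password");
        }
    }

    /** Processes doc in place; returns the signature result or throws if none was verified. */
    public WSSecurityEngineResult verify(Document doc, String actor) throws WSSecurityException {
        // The actor selects which wsse:Security header the engine looks for.
        Vector results = WSSecurityEngine.getInstance()
                .processSecurityHeader(doc, actor, this, crypto);
        if (results == null) {
            // No matching security header: the engine checked nothing.
            throw new SecurityException("no wsse:Security header was processed");
        }
        WSSecurityEngineResult signed = WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
        if (signed == null) {
            // Header present (e.g. only encryption) but no Signature: reject unsigned messages.
            throw new SecurityException("message carried no verified signature");
        }
        return signed;
    }
}
```

Because the engine only verifies a signature "if it contains a Signature", the two explicit checks are what turn processing into enforcement. With `BST_DIRECT_REFERENCE` the certificate travels inside the message, so the caller should still confirm that the signer certificate in the returned result is one it trusts.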
