Hi Werner
i have tried doing it programmatically and here is my code (i do
encryption and decryption on the client side)
package wssecurity;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.client.AxisClient;
import org.apache.axis.configuration.NullProvider;
import org.apache.axis.message.SOAPEnvelope;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSignEnvelope;
import org.apache.ws.security.message.WSEncryptBody;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSConstants;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Vector;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import javax.xml.transform.dom.DOMSource;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.xml.security.c14n.Canonicalizer;
public class WSSecuritySample
{
private static final String soapMsg =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<SOAP-ENV:Envelope" +
" xmlns:SOAP-ENV=\"http://www.w3.org/2003/05/soap-envelope\"\n"; +
" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n"; +
" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\";>" +
" <SOAP-ENV:Body>" +
" <sayHello
xmlns=\"http://jeffhanson.com/services/helloworld\";>" +
" <value xmlns=\"\">Hello world!</value>" +
" </sayHello>" +
" </SOAP-ENV:Body>" +
"</SOAP-ENV:Envelope>";
private static final WSSecurityEngine secEngine = new WSSecurityEngine();
private static final Crypto crypto = CryptoFactory.getInstance();
private AxisClient engine = null;
private MessageContext msgContext = null;
public static void main(String[] args)
{
try
{
WSSecuritySample app = new WSSecuritySample();
Message axisMessage = app.getAxisMessage(soapMsg);
SOAPEnvelope unsignedEnvelope = axisMessage.getSOAPEnvelope();
Message Msg =
app.encryptSOAPEnvelope(unsignedEnvelope);
app.verify(Msg);
}
catch (Exception e)
{
e.printStackTrace();
}
}
public WSSecuritySample()
{
engine = new AxisClient(new NullProvider());
msgContext = new MessageContext(engine);
}
private Message getAxisMessage(String unsignedEnvelope)
{
InputStream inStream =
new ByteArrayInputStream(unsignedEnvelope.getBytes());
Message axisMessage = new Message(inStream);
axisMessage.setMessageContext(msgContext);
return axisMessage;
}
public Message signSOAPEnvelope(SOAPEnvelope unsignedEnvelope)
throws Exception
{
WSSignEnvelope signer = new WSSignEnvelope(" ");
String alias = "client";
String password = "security";
signer.setUserInfo(alias, password);
Document doc = unsignedEnvelope.getAsDocument();
Document signedDoc = signer.build(doc, crypto);
Message signedSOAPMsg =
(org.apache.axis.Message)toSOAPMessage(signedDoc);
return signedSOAPMsg;
}
public Message encryptSOAPEnvelope(SOAPEnvelope unsignedEnvelope)
throws Exception
{
WSEncryptBody encrypt = new WSEncryptBody();
String alias = "client";
String password = "security";
encrypt.setUserInfo(alias, password);
Document doc = unsignedEnvelope.getAsDocument();
Document encryptedDoc = encrypt.build(doc, crypto);
Message encryptedSOAPMsg = (Message)toSOAPMessage(encryptedDoc);
return encryptedSOAPMsg;
}
public Message signEncryptSOAPEnvelope(SOAPEnvelope unsignedEnvelope,
String alias_sign, String password_sign, String alias_enc, String
password_enc) throws Exception
{
Document doc = unsignedEnvelope.getAsDocument();
WSSignEnvelope signer = new WSSignEnvelope();
signer.setUserInfo(alias_sign, password_sign);
signer.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
Document signedDoc = signer.build(doc, crypto);
WSEncryptBody encrypt = new WSEncryptBody("client");
encrypt.setUserInfo(alias_enc, password_enc);
Document encryptedDoc = encrypt.build(signedDoc, crypto);
Message encryptedMsg = (Message)toSOAPMessage(encryptedDoc);
return encryptedMsg;
}
public boolean verify(Message responseEnvelope) throws Exception
{
WSSecurityEngine secEngine = WSSecurityEngine.getInstance();
PWCallback cb = new PWCallback();
Document doc = responseEnvelope.getSOAPEnvelope().getAsDocument();
Vector results= secEngine.processSecurityHeader(doc, null, cb,
crypto, crypto);
updateSOAPMessage(doc, responseEnvelope);
for (int i = 0; i < results.size(); i++) {
WSHandlerResult hResult = (WSHandlerResult)results.get(i);
String actor = hResult.getActor();
Vector hResults = hResult.getResults();
for (int j = 0; j < hResults.size(); j++) {
WSSecurityEngineResult eResult =
(WSSecurityEngineResult)hResults.get(j);
if (eResult.getAction() != WSConstants.ENCR) {
System.out.println(eResult.getPrincipal().getName());
}
}
}
return true;
}
public static SOAPMessage toSOAPMessage(Document doc) throws Exception {
Canonicalizer c14n =
Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
ByteArrayInputStream in = new ByteArrayInputStream(canonicalMessage);
MessageFactory factory = MessageFactory.newInstance();
return factory.createMessage(null, in);
}
public static SOAPMessage updateSOAPMessage(Document doc, SOAPMessage
message) throws Exception {
DOMSource domSource = new DOMSource(doc);
message.getSOAPPart().setContent(domSource);
return message;
}
}
when i run it i have always the error
java.lang.ClassCastException: org.apache.ws.security.WSSecurityEngineResult
at wssecurity.WSSecuritySample.verify(WSSecuritySample.java:131)
at wssecurity.WSSecuritySample.main(WSSecuritySample.java:55)
at the line WSHandlerResult hResult =
(WSHandlerResult)results.get(i);
so i cannot obtain the message decrypted.
I use wss4j 1_1_0
jdk 1.5
what i do wrong ?
p.s. i have also strange situations on the signature side: i need to put
a value to actor (new WSSignEnvelope(" ");) otherwise i have always
signature verification failure.
best regards
Alessandro
Dittmann, Werner ha scritto:
To do it programmatically on the server side you use
the WSSecurityEngine. Feed the SOAP message (as document)
and the relevant parameters into one of the process*()
methods and when it returns the document (SOAP envelope)
is decrypted and verified (if it contains a Signature).
The return data contains information about the processed
contents.
Regards,
Werner
-----Ursprüngliche Nachricht-----
Von: Alessandro Gilardoni [mailto:[EMAIL PROTECTED]
Gesendet: Freitag, 10. Februar 2006 08:17
An: Emanuel Haisiuc
Cc: [email protected]
Betreff: Re: Exception: General security error (Unexpected
number of X509Data: for Signature)
Thanks Emanuel,
is there anone that have done signature and encryption
programmatically
verifying succesfully on the server side ?
is there a possibility to decrypt a soapmessage programmatically ? i
found many errors, but probably i don't do the right way.
best regards.
Alessandro
Emanuel Haisiuc ha scritto:
Hi Alessandro,
I'm sorry, but I cannot answer to your question. I'm new to wss4j
(about a week) and I'm trying now to do something
programatically. All
I've managed to do is to set the parameter's through the wsdd
configuration files, and make it work.
I hope someone with more experience will read this thread
and answer to you.
Regards,
Emanuel
On 2/9/06, Alessandro Gilardoni <[EMAIL PROTECTED]> wrote:
Hi Emanuel,
i'm trying to sign a message (programmatically with 2ss4j)
and to send
to a server that must verify it with wss4j.
I sign the message programmatically while the server is
deployed with a
deployment descriptor. I always have a signature
verification fault.
To sign the message and verify it on the client side i
need to set up
the actor (WSSignEnvelope builder = new
WSSignEnvelope("some sort of
actor"); ) otherwise the verification fails also on the client side
if i do on the client side:
Document doc =
unsignedEnvelope.getSOAPEnvelope().getAsDocument();
WSSignEnvelope builder = new
WSSignEnvelope();
builder.setUserInfo(privateKeyAlias,
privateKeyPass);
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE)
; // This
does embed the certificate.
Document signedDoc =
builder.build(doc, crypto);
Message signedMsg = (Message)
SOAPUtil.toSOAPMessage(signedDoc);
Document Doc1 =
signedMsg.getSOAPEnvelope().getAsDocument();
verify(Doc1);
i have a signature verification fault, but if a put an actor
(WSSignEnvelope builder = new WSSignEnvelope("client");)
the signature
verification it's ok .....but not on the server side....
any hints ?
sorry to send a very long e-mail but no one answer to my
previous emails...
best regards.
last question: it's possible to decrypt a soapmessage
programmatically ?
HOW ?
Alessandro
Emanuel Haisiuc ha scritto:
I've managed to get it working by setting the user
parameter in the
wsdd file to match the alias of the searched certificate in the
keystore. In the PWCallback class I'm setting the
password for that
certificate. And it works fine :)
Emanuel
On 2/8/06, [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>*
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
I think the answer may depend on how you are using Axis/WSS4J.
I'm not using any config files, and doing everything in a
handler. Here's an example of my code, but I'm no
expert so this
could be a really bad (but working) example ;-)
You can see I set the cert alias and password both in my
Properties object for the Crypto, and via the
WSSignEnvelope.setKeyIdentifier() method. Not sure if this is
necessary or the best way, but it works for me. I
haven't made
time for "code cleanup" yet.
[...snip...]
Message requestMessage =
msgContext.getRequestMessage();
SOAPEnvelope unsignedEnvelope =
requestMessage.getSOAPEnvelope();
Document doc =
unsignedEnvelope.getAsDocument ();
// WSS4J Start
---------------------------------------------
/*
* Instantiate Crypto for WSS4J via
dynamic methods. Domino agents
* can't see file resources,
plus we need
to compute the keystore
* location anyway.
*/
String cryptoClassName = "
org.apache.ws.security.components.crypto.BouncyCastle"; //
"org.apache.ws.security.components.crypto.Merlin"
Properties properties = new
Properties();
properties.put("org.apache.ws.security.crypto.provider",
cryptoClassName);
properties.put("org.apache.ws.security.crypto.merlin.keystore.type",
keystoreType);
properties.put("org.apache.ws.security.crypto.merlin.keystore.password
", keystorePass);
properties.put("org.apache.ws.security.crypto.merlin.keystore.alias",
privateKeyAlias);
properties.put("org.apache.ws.security.crypto.merlin.alias.password",
privateKeyPass);
properties.put("org.apache.ws.security.crypto.merlin.file ",
keystoreFile);
Crypto crypto =
CryptoFactory.getInstance(cryptoClassName, properties);
WSSignEnvelope builder = new
WSSignEnvelope();
builder.setUserInfo(privateKeyAlias,
privateKeyPass);
// builder.setKeyIdentifierType
(WSConstants.ISSUER_SERIAL); // Doesn't embed the certificate.
builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); //
This does embed the certificate.
WSSAddUsernameToken
usernameToken = new
WSSAddUsernameToken();
builder.setUsernameToken
(usernameToken);
Document signedDoc =
builder.build(doc,
crypto);
/*
* Convert the resulting
document into a
message first. The
* toSOAPMessage() method performs the
necessary c14n call to
* properly set up the signed
document and
convert it into a SOAP
* message.
*/
Message signedMsg = (Message)
SOAPUtil.toSOAPMessage(signedDoc);
if ( logger.isDebugEnabled()) {
logger.debug("Signed
message:");
XMLUtils.PrettyElementToWriter(signedMsg.getSOAPEnvelope().getAsDOM(),
new PrintWriter(System.out));
}
/*
* Extract as a document again if need
further processing. signedDoc =
* signedMsg.getSOAPEnvelope
().getAsDocument();
*/
/*
* Set signed message as
current message.
*/
msgContext.setCurrentMessage(signedMsg);
// WSS4J End
---------------------------------------------
[...snip...]
*Emanuel Haisiuc <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>*
02/08/2006 11:31 AM
To
"[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>" <
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>,
[email protected] <mailto:[email protected]>
cc
Subject
Re: Exception: General security error (Unexpected number of
X509Data: for Signature)
I have the same sense about this one.
My question is: how do I indicate to the client which
key to use
from the keystore?
Is the "user" parameter from the handler in the client's
configuration wsdd file used to identify the certificate to be
used from the keystore?
Hope my questins make sense.
Thank you!
Emanuel
On 2/8/06, [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
< [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
When I got that error, it was because the machine I
was running on
didn't have the certificate in the keystore. In your
case that
would be the cert " ehpubcert".
*Emanuel Haisiuc <* [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>*>*
02/08/2006 10:24 AM
To
[EMAIL PROTECTED] <mailto:[email protected]>
cc
Subject
Exception: General security error (Unexpected
number of X509Data:
for Signature)
Hi!
I'm getting this exception when trying to run my client:
08.02.2006 18:16:30
org.apache.ws.security.components.crypto.CryptoFactory loadClass
INFO: Using Crypto Engine [
org.apache.ws.security.components.crypto.Merlin]
Unable to make the call to method: WSHandler:
Signature: error during
message procesingorg.apache.ws.security.WSSecurity
Exception: General security error (Unexpected number
of X509Data:
for Signature)
My cliend's wsdd file is:
<deployment xmlns=" _http://xml.apache.org/axis/wsdd/_";
xmlns:java="
_http://xml.apache.org/axis/wsdd/providers/java_";>
<transport name="http"
pivot="java:org.apache.axis.transport.http.HTTPSender " />
<globalConfiguration>
<requestFlow>
<handler
type="java: org.apache.ws.axis.security.WSDoAllSender ">
<parameter name="action" value="Signature" />
<parameter name="signaturePropFile" value="
cx509sign.props" />
<parameter name="signatureKeyIdentifier"
value="DirectReference" />
<parameter name="passwordCallbackClass"
value="javawsx509signingclient.PWCallback" />
<parameter name="user" value="manu" />
</handler>
</requestFlow>
</globalConfiguration>
</deployment>
where cx509sign.props is:
org.apache.ws.security.crypto.provider=org.apache.ws.security.
components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=foobar
org.apache.ws.security.crypto.merlin.keystore.alias=ehpubcert
org.apache.ws.security.crypto.merlin.alias.password=foobar
org.apache.ws.security.crypto.merlin.file=c:/publicks/pubkeystore
Pubkeystore listing is:
C:\publicks>keytool -list -keystore pubkeystore
Enter keystore password: foobar
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
ehpubcert, 08.02.2006, keyEntry,
Certificate fingerprint (MD5):
5E:87:4F:3A:48:78:4C:33:1A:03:F9:7C:2E:DE:98:81
What should I look for and what, to make it work?
Thank you!
Emanuel
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
[EMAIL PROTECTED] _
<mailto:[EMAIL PROTECTED]>
--------------------------------------------------------------
----------
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.3/254 - Release
Date: 08/02/2006
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
