Hi,
Sorry if this is the wrong place to post a newbie question regarding the setup of WSS4J - please direct me to a users list rather than dev list if one exists.
I'd like to use WSS4J to sign and encrypt POX messages; I'm not using Axis or SOAP. So I'm just getting into WSS4J and am trying to set up a keystore as required by crypto.properties. I've used the procedure at the end of the email to create a jks keystore, as this is the procedure I use to create a working keystore for Tomcat (I guess it's the same procedure...)
Then, I've written a simple app to sign a static xml string, that goes something like this:
// setup
Crypto crypto = CryptoFactory.getInstance();
Document doc = ...
// sign document
WSSecSignature wsSecSignature = new WSSecSignature();
Document signed = wsSecSignature.build(doc, crypto, new WSSecHeader());
When I run this, I get the following exception:
Exception in thread "main" java.lang.NullPointerException
    at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:40)
    at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:135)
    at java.security.KeyStore.getCertificateChain(KeyStore.java:756)
    at org.apache.ws.security.components.crypto.AbstractCrypto.getCertificates(AbstractCrypto.java:407)
    at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:272)
    at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:643)
    at test.Test.main(Test.java:xxx)
The NullPointerException when trying to 'convertAlias' seems to imply there's something wrong with the keystore. The alias in the keystore and the crypto.properties file match, so I'm stumped.
I'm very grateful for any help/advice you can offer. If this is a stupid/basic question then I apologise in advance.
Thanks,
Ed.
====================
Keystore procedure:
1) From a .pem format key, cert and CA cert, create the keystore:
openssl pkcs12 -export -in cert.pem -inkey key.pem \
    -out store.p12 -name myAlias -CAfile cacrt.pem -caname root -chain
2) Convert the .p12 keystore to .jks format using:
org.mortbay.util.PKCS12Import store.p12 store.jks
3) Add the CA cert as a trusted CA cert.
keytool -import -trustcacerts -alias "CA Cert" -file cacrt.pem -keystore store.jks
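
A stand-alone check of the keystore that the procedure above produces, as an added example that is not part of the original post or of WSS4J. It assumes the file name store.jks and the alias myAlias from the procedure; the class name KeystoreCheck and the password "changeit" are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumed values: file and alias come from the procedure; the password is a placeholder.
        String path = args.length > 0 ? args[0] : "store.jks";
        String alias = args.length > 1 ? args[1] : "myAlias";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // fails if the password or the store integrity check is wrong
        }

        // List every entry and its kind, so a mismatch with crypto.properties is visible.
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("%-20s %s%n", a,
                ks.isKeyEntry(a) ? "private key entry" : "trusted certificate entry");
        }

        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("Alias not found: " + alias);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " holds only a certificate; signing needs a private key");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("No certificate chain stored for " + alias);
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            c.checkValidity(); // throws if the certificate is expired or not yet valid
            System.out.printf("chain[%d] subject=%s issuer=%s%n", i,
                c.getSubjectX500Principal().getName(), c.getIssuerX500Principal().getName());
        }
        // Chain order: each certificate must be signed by the next one in the array.
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());
        }
        System.out.println("OK: " + alias + " has a private key and a "
            + chain.length + "-certificate chain");
    }
}
```

JKS stores aliases in lower case, so the listing shows the normalised form of names such as "CA Cert".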
- Basic Question: Keystore Setup Ed Sweet
