I was actually just looking at this code in CXF. This might help:
    // Extract the signature action result from the action vector
    WSSecurityEngineResult actionResult =
            WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN);
    if (actionResult != null) {
        // The certificate that produced the signature, as parsed by WSS4J
        X509Certificate returnCert = (X509Certificate) actionResult
                .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        // A valid signature is not enough: the signing cert must also be trusted
        if (returnCert != null && !verifyTrust(returnCert, reqData)) {
            LOG.warning("The certificate used for the signature is not trusted");
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
        msg.put(SIGNATURE_RESULT, actionResult);
    }
The verifyTrust method is on the WSHandler in WSS4J.
Dan
On Fri March 13 2009 9:56:13 am Benjamin Baril wrote:
> Good morning,
>
> I am adding signature validation to some home grown web services (not using
> Axis or any other framework) and have come across WSS4J as a great API for
> doing so.
>
> I am currently attempting to ensure that all soap requests are digitally
> signed with a certificate that has been trusted by my organization. Here is
> the following code I have:
>
> try {
>     WSSecurityEngine secEngine = WSSecurityEngine.getInstance();
>     Crypto crypto = CryptoFactory.getInstance("crypto.properties");
>     CallbackHandler cb = new SignedRequestHandler();
>     Vector results = secEngine.processSecurityHeader(doc, null,
>             new WSSCallbackHandler(), crypto);
>
>     // No results means it is not signed!
>     if (results == null || results.size() == 0) {
>         System.out.println("No results, fail");
>     } else {
>         for (int i = 0; i < results.size(); i++) {
>             WSSecurityEngineResult eResult =
>                     (WSSecurityEngineResult) results.get(i);
>             if (((Integer) eResult.get(WSSecurityEngineResult.TAG_ACTION)).intValue()
>                     != WSConstants.ENCR) {
>                 Principal princ =
>                         (Principal) eResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
>                 if (princ != null) {
>                     System.out.println(princ.getName());
>                 }
>             }
>         }
>     }
> } catch (WSSecurityException e) {
>     e.printStackTrace();
> }
>
> public class WSSCallbackHandler implements CallbackHandler {
>     public void handle(Callback[] callbacks)
>             throws IOException, UnsupportedCallbackException {
>         for (Callback callback : callbacks) {
>             if (callback instanceof WSPasswordCallback) {
>                 WSPasswordCallback cb = (WSPasswordCallback) callback;
>                 cb.setPassword("pegasys1+");
>             }
>         }
>     }
> }
>
> Now, what I am expecting with this code, is that if I sign the message with
> a valid/trusted cert that it passes no problem. Otherwise I should be
> getting a WSSecurityException complaining. However, right now that isn't
> happening.
>
> My crypto file points to my trust anchor (a jks file which has a public key
> in it, but it isn't the public key that was derived from the private key I
> used to sign the message). I signed the message with a self-signed x509 v3
> certificate.
>
> Any help is greatly appreciated,
> Benjamin Baril
--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
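The following is an added example, not code from this thread nor from CXF or WSS4J, that puts Dan's point into a stand-alone class for the home-grown setup Benjamin describes. processSecurityHeader only proves that the XML signature was produced by the certificate carried in the message; whether that certificate is one you trust is a separate check, which is what CXF's call to verifyTrust adds. The class name SignedRequestVerifier, the method names verifySignedRequest and isTrusted, and the truststore path and password are assumptions. The trust check here uses the JDK's PKIX CertPathValidator against the same JKS truststore that crypto.properties points at, rather than subclassing WSHandler to reach verifyTrust, so it works without a handler.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Vector;

import javax.security.auth.callback.CallbackHandler;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;

/** Hypothetical helper (not part of WSS4J or CXF): verifies the WS-Security
 *  signature on a request and then checks that the signing certificate is trusted. */
public class SignedRequestVerifier {

    private final KeyStore trustStore;

    /** trustStorePath is assumed to be the JKS file that crypto.properties refers to. */
    public SignedRequestVerifier(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        trustStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, trustStorePassword);
        } finally {
            in.close();
        }
    }

    /**
     * Returns the signer's certificate when the message carries a signature and
     * the certificate is itself in the truststore or chains to an entry in it.
     * Throws WSSecurityException in every other case (unsigned, encrypted-only,
     * signed by an untrusted or self-signed certificate).
     */
    public X509Certificate verifySignedRequest(Document doc, Crypto crypto, CallbackHandler cb)
            throws WSSecurityException, GeneralSecurityException {
        WSSecurityEngine engine = WSSecurityEngine.getInstance();
        // Step 1: WSS4J checks the XML signature against the certificate in the message.
        Vector results = engine.processSecurityHeader(doc, null, cb, crypto);
        if (results == null || results.isEmpty()) {
            // No security header at all: the request is not signed.
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
        // Step 2: pick out the SIGN result; an encryption-only header must not pass.
        WSSecurityEngineResult signResult =
                WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
        if (signResult == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
        X509Certificate signer = (X509Certificate)
                signResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        if (signer == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
        // Step 3: the check the engine does not do for you: is that certificate trusted?
        if (!isTrusted(signer)) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
        return signer;
    }

    /** Direct trust (the certificate is in the truststore) or PKIX chain trust. */
    boolean isTrusted(X509Certificate cert) throws GeneralSecurityException {
        if (trustStore.getCertificateAlias(cert) != null) {
            return true;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption: no CRL or OCSP source is configured in this example;
        // a deployment that has one should leave revocation checking enabled.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // Self-signed or otherwise unchained certificate: not trusted.
            return false;
        }
    }
}
```

With a truststore that holds only your organization's CA (or the exact certificates you trust), a message signed with an arbitrary self-signed certificate fails at step 3 rather than passing as it does in the loop that only prints the principal; the principal name is still available from the returned certificate's subject if you need it for logging or authorization.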