Nabble - WSS4J

Re: WS-Security RSA Excrytion exception..

2009-12-15T11:52:02Z

On Tue December 15 2009 2:43:55 pm stevewu wrote:
> Hi Dan
> Is this issue resolved in CXF 2.2.4, as it shipped with wss4j-1.5.8.jar?

I believe so, yea.

Dan

>
> Thanks
> Steve
>
> dkulp wrote:
> > On Wed June 10 2009 5:21:17 pm bharath thippireddy wrote:
> >> I could get the User Token encryption working using BountyCastle.But as
> >> we
> >> cannot use bounty castle
> >
> > Any particular reason why? I'm pretty sure a lot of things WS-Security
> > related won't work with BouncyCastle. The JDK just doesn't have the
> > algorithms that are needed. (although java 6 does have a lot more)
> >
> >> can you please let me know if the exception below
> >> can be fixed with a setting in jdk/jce.When I try a different algorithm
> >> like DES instead of RSA I get a nullpointer exception on the CXF
> >> Client.
> >>
> >>
> >> java.security.NoSuchAlgorithmException: Cannot find any provider
> >> supporting RSA/NONE/PKCS1PADDING
> >
> > I did a little digging and I THINK this particular exception could be
> > fixed
> > with a simple change in WSS4J. If the line:
> >
> > cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");
> >
> > was surrounded with a try/catch that would then try:
> >
> > cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
> >
> > I THINK it would work. Bouncycastle uses "NONE" for the mode whereas
> > the Sun
> > provider uses ECB. Not sure what the Sun setting for
> > "RSA/NONE/OAEPPADDING"
> > is. That would need to be investigated more. It would be one of:
> > OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
> > OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
> > OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
> > but cryptography is definitely not my area.
> >
> > In any case, that would require you to patch WSS4J. If that's an option
> > for
> > you, you could give that a try.
> >
> > To the WSS4j folks: why is this method not calling XMLCipher.getInstance
> > like
> > every other cipher related thing? Should it be? Would that alone fix
> > it?
> >
> >
> > Dan
> >
> >> Jun 10, 2009 5:11:04 PM
> >> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
> >> handleMessage
> >>
> >> WARNING:
> >>
> >> org.apache.ws.security.WSSecurityException: An unsupported signature or
> >> encryption algorithm was used (unsupported key t
> >>
> >> ransport encryption algorithm: No such algorithm:
> >> http://www.w3.org/2001/04/xmlenc#rsa-1_5); nested exception is:
> >>
> >> java.security.NoSuchAlgorithmException: Cannot find any provider
> >> supporting RSA/NONE/PKCS1PADDING
> >>
> >> at
> >> org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityU
> >>til .java:690)
> >>
> >> at
> >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
> >>y(E ncryptedKeyProcessor.java:145)
> >>
> >> at
> >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
> >>y(E ncryptedKeyProcessor.java:107)
> >>
> >> at
> >> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(Encry
> >>pte dKeyProcessor.java:87)
> >>
> >>
> >>
> >> thanks and regards,
> >>
> >> Bharath
>

--
Daniel Kulp
dkulp@...
http://www.dankulp.com/blog

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Re: WS-Security RSA Excrytion exception..

2009-12-15T11:43:54Z

Hi Dan
Is this issue resolved in CXF 2.2.4, as it shipped with wss4j-1.5.8.jar?

Thanks
Steve

dkulp wrote:

On Wed June 10 2009 5:21:17 pm bharath thippireddy wrote:
> I could get the User Token encryption working using BountyCastle.But as we
> cannot use bounty castle

Any particular reason why? I'm pretty sure a lot of things WS-Security
related won't work with BouncyCastle. The JDK just doesn't have the
algorithms that are needed. (although java 6 does have a lot more)

> can you please let me know if the exception below
> can be fixed with a setting in jdk/jce.When I try a different algorithm
> like DES instead of RSA I get a nullpointer exception on the CXF Client.

>
> java.security.NoSuchAlgorithmException: Cannot find any provider
> supporting RSA/NONE/PKCS1PADDING

I did a little digging and I THINK this particular exception could be fixed
with a simple change in WSS4J. If the line:

cipher = Cipher.getInstance("RSA/NONE/PKCS1PADDING");

was surrounded with a try/catch that would then try:

cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");

I THINK it would work. Bouncycastle uses "NONE" for the mode whereas the Sun
provider uses ECB. Not sure what the Sun setting for "RSA/NONE/OAEPPADDING"
is. That would need to be investigated more. It would be one of:
OAEPWITHMD5ANDMGF1PADDING, OAEPWITHSHA1ANDMGF1PADDING,
OAEPWITHSHA-1ANDMGF1PADDING, OAEPWITHSHA-256ANDMGF1PADDING,
OAEPWITHSHA-384ANDMGF1PADDING, OAEPWITHSHA-512ANDMGF1PADDING
but cryptography is definitely not my area.

In any case, that would require you to patch WSS4J. If that's an option for
you, you could give that a try.

To the WSS4j folks: why is this method not calling XMLCipher.getInstance like
every other cipher related thing? Should it be? Would that alone fix it?

Dan

>
>
>
>
> Jun 10, 2009 5:11:04 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
> handleMessage
>
> WARNING:
>
> org.apache.ws.security.WSSecurityException: An unsupported signature or
> encryption algorithm was used (unsupported key t
>
> ransport encryption algorithm: No such algorithm:
> http://www.w3.org/2001/04/xmlenc#rsa-1_5); nested exception is:
>
> java.security.NoSuchAlgorithmException: Cannot find any provider
> supporting RSA/NONE/PKCS1PADDING
>
> at
> org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil
>.java:690)
>
> at
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(E
>ncryptedKeyProcessor.java:145)
>
> at
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(E
>ncryptedKeyProcessor.java:107)
>
> at
> org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(Encrypte
>dKeyProcessor.java:87)
>
>
>
> thanks and regards,
>
> Bharath

--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

Issue while using multiple webservices with WSS4J

2009-12-11T09:03:34Z

Hi All, We have client of two webservices A and B. Stand alone both the clients work fine. But if we hit webservice B first and then webservice A we get a handshake_exception. Invoking webservice B after webservice A works fine and after this as well webservice B continues to work. The different thing which we have done in webservice B is that we have used WSS4J based authentication. We have the following entry in client-config.wsdd Now what we have investigated is that when we comment the call to client-config.wsdd the authentication from webservice B fails both webservice A works fine. We tried use service level handler but the handler never gets invoked. The configuration we tried was Please let us know if any one has faced a similar issue before or point us to what is the problem in client-config.wsdd for the service level configuration. We have also tried and compaired SSL logs and verified that the session never gets overridden by other. Thanks and Regards, Amol

RE: Wss4j working with WebSphere?

2009-12-07T14:21:08Z

Hi, Colm,

I've just found some time in between my works to look into the failed
tests. They seems to be all related to the cases of signing the security
token using STR-Transform. Because in this case the Reference refers to
the security token indirectly via the <SecurityTokenReference> inside
the <Signature> and my change delayed the creation of the <Signature>
element until the very end, the resolver failed to find the referred
element in the original SOAP message.

At this point, I don't have a generic solution, but a workaround that
works on most cases but signing the security token. I think the root
cause is still that wss4j (more accurately xml-sec) used a set of DOM
objects to refer and change the <SignatureValue> and <DigestValue>, but
IBM WAS changed the DOM objects dynamically.

Should I create an issue in JIRA?

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@...]
Sent: Tuesday, November 24, 2009 12:01 PM
To: Yang, Gang CTR USA; wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Eclipse. I normally run tests from the command line, e.g. "mvn clean
install" or "mvn test".

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: 24 November 2009 16:02
To: Colm O hEigeartaigh; wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi, Colm,

What's your dev env? I checked out 1_5_x-fixes branch into MyEclipse 7.5
and MyEclipse hung at "Initinalizging Java Tools" each time I restart
MyEclipse.

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@...]
Sent: Tuesday, November 24, 2009 6:33 AM
To: Yang, Gang CTR USA; wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: 18 November 2009 22:30
To: wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore() and the timing wss4j inserts
the <Signature> element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and used the API to hide that. When the child element is
actually accessed, it would put the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j, WSSecSignature.build() calls "prependToHeader"
to insert <Signature> element into the header (and doc) early and then
was trying to do the signing. During the signing process, it actually
accesses the <Signature> element causing WAS to copy and regenerate.
This would cause the object references to the <DigestValue> and
<SignatureValue> in sig (XMLSignaure) member to stale. Therefore the
inserted <DigestValue> values and <SignatureValue> value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() at last after the
computeSignature() call. This seems to have worked fine with WAS now.
However, since I'm not an expert in wss4j and would like some one, Cole
maybe?, to bless the change and pull that into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

public Document build(Document doc, Crypto cr, WSSecHeader
secHeader)
throws WSSecurityException {
doDebug = log.isDebugEnabled();

if (doDebug) {
log.debug("Beginning signing...");
}

prepare(doc, cr, secHeader);
SOAPConstants soapConstants =
WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

if (parts == null) {
parts = new Vector();
WSEncryptionPart encP =
new WSEncryptionPart(
soapConstants.getBodyQName().getLocalPart(),
soapConstants.getEnvelopeURI(),
"Content"
);
parts.add(encP);
}

addReferencesToSign(parts, secHeader);
// put at the end instead:
// prependToHeader(secHeader);

//
// if we have a BST prepend it in front of the Signature
according to
// strict layout rules.
//
if (bstToken != null) {
prependBSTElementToHeader(secHeader);
}

computeSignature();
prependToHeader(secHeader);

return doc;
}

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@...
Subject: Wss4j working with WebSphere?

Hi,

Has any one used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSSingnature.build() call without any error, the security headers were
added to the SOAP message without the digest values and signature value.
Has any one experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Antwort: RE: Question about x509 certificates

2009-12-04T01:47:52Z

<img
src="http://zdownload.zurich.com/mailimages/ZHP_MailHeader.gif" />
Hi all

Another option might be XKMS or WS-Trust instead of a "proprietary"
protocol like LDAP (from a web services point of view).

Thanks
Oliver

"Dittmann, Werner
(NSN -
DE/Munich)" An
<werner.dittmann@ "ext Cole Ferrier"
nsn.com> <cole@...>,
<wss4j-dev@...>
04.12.2009 10:43 Kopie

Thema
RE: Question about x509
certificates

Cole,

the advise given by Daniel is correct. The Merlin implementation uses a
local
keystore based on JKS. Because you mention LDAP in your mail: IIRC someone
already implemented LDAP access to get certificates. I don't know who it
was but maybe you can ask here or try google :-) .

Regards,
Werner

From: ext Cole Ferrier [mailto:cole@...]
Sent: Thursday, December 03, 2009 11:22 PM
To: wss4j-dev@...
Subject: Fwd: Question about x509 certificates

I was referred to this list, from Daniel Kulp from the CXF list.

Here is what i'm trying to do:

I want to be able to accept an signed (not encrypted) message without
having the public key in my keystore prior to someone calling me. I have a
service available that i can go and get all the public keys for anyone,
but i want to do that on demand, so that i don't have to maintain a local
key store. How could one go about doing this?

I wouldn't mind using a local key store to cache copies of the public key
once i looked them up once, but i don't want to have to have the key prior
to them calling me.

(Also I have a certificate revocation list, that i want to validate
against, which i could do at this point or later in the process).

He stated that i should look at implementing a

org.apache.ws.security.components.crypto.Crypto

Do you have any suggestions on where i should start?

Or is this not the right approach?

My use case is that we have a central group that manages x509 certs and
"flags" for applications for authorization purposes.
So i was going to use the x509 signature for authentication, then lookup
in ldap the flags on their account for authorization. (the authorization i
was going to do later in a CXF interceptor)

Thanks in advance,

Cole

---------- Forwarded message ----------
From: Daniel Kulp <dkulp@...>
Date: Thu, Dec 3, 2009 at 12:09 PM
Subject: Re: Question about x509 certificates
To: users@...
Cc: Cole Ferrier <cole@...>

On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
> I've done some basic testing and setup with x509 certificates, but i
have a
> few requirements that i'm trying to figure out how i could implement.
>
> 1) I want to be able to accept an signed (not encrypted) message without
> having the public key in my keystore prior to someone calling me.
> I have a service available that i can go and get all the public keys
for
> anyone, but i want to do that on demand, so that i don't have to
maintain a
> local key store. How could one go about doing this?

This PROBABLY should be redirected to the WSS4J list. I THINK the only
way
to do this would be to write your own
org.apache.ws.security.components.crypto.Crypto

object that implements all the needed methods. That's the class that
WSS4J
uses to handle all the key manipulation and such. You would set your
classname in the properties file instead of the Merlin version.

> 2) Then of course i need to check a revocation list, so i'm assuming i
> could just use an interceptor to go and check that? or??

An interceptor could work here. Alternatively, the Crypto object you
create
above could just throw an exception if a revoked cert is asked for.

> 3) then the question comes to authorization, (since i've already done
the
> above to validate that i know who they are.. ) Should this be done in a
> separate interceptor? I am talking i want to authorize at the per
service
> layer or operation, not at the whole application..
> How early should i try to do this.. i think i was able to get what the
> user is doing on what interface
> message.get(Message.WSDL_OPERATION)
> message.get(Message.WSDL_INTERFACE)
> and who the user is:
> //ignore the ugly code
> Vector v = (Vector) message.get
(WSHandlerConstants.RECV_RESULTS);
> WSSecurityEngineResult r = (WSSecurityEngineResult)
> ((WSHandlerResult) v.get(0)).getResults().get(0);
> WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
> r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
>
> then i could take the user and what they are doing and validate that
they
> are authorized for that operation.
>
> Right now i tried this at the Phase.USER_LOGICAL and it seems to work,
is
> this the right place for that?

Yep. You can simplify a bit by doing:

SecurityContext sc = msg.get(SecurityContext.class);
Principal p = sc.getUserPrincipal();

> If anyone has had to do anything like this and has sample code, i'd
> appreciate it.
>
> Cole
>

--
Daniel Kulp
dkulp@...
http://www.dankulp.com/blog

******************* BITTE BEACHTEN *******************
Diese Nachricht (wie auch allfällige Anhänge dazu) beinhaltet
möglicherweise vertrauliche oder gesetzlich geschützte Daten oder
Informationen. Zum Empfang derselben ist (sind) ausschliesslich die
genannte(n) Person(en) bestimmt. Falls Sie diese Nachricht
irrtümlicherweise erreicht hat, sind Sie höflich gebeten, diese unter
Ausschluss jeder Reproduktion zu zerstören und die absendende Person
umgehend zu benachrichtigen. Vielen Dank für Ihre Hilfe.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

RE: Question about x509 certificates

2009-12-04T01:43:21Z

Cole,

the advise given by Daniel is correct. The Merlin implementation uses a local

keystore based on JKS. Because you mention LDAP in your mail: IIRC someone

already implemented LDAP access to get certificates. I don't know who it

was but maybe you can ask here or try google :-) .

Regards,

Werner

From: ext Cole Ferrier [mailto:cole@...]
Sent: Thursday, December 03, 2009 11:22 PM
To: wss4j-dev@...
Subject: Fwd: Question about x509 certificates

I was referred to this list, from Daniel Kulp from the CXF list.

Here is what i'm trying to do:

I want to be able to accept an signed (not encrypted) message without having the public key in my keystore prior to someone calling me. I have a service available that i can go and get all the public keys for anyone, but i want to do that on demand, so that i don't have to maintain a local key store. How could one go about doing this?

I wouldn't mind using a local key store to cache copies of the public key once i looked them up once, but i don't want to have to have the key prior to them calling me.

(Also I have a certificate revocation list, that i want to validate against, which i could do at this point or later in the process).

He stated that i should look at implementing a

org.apache.ws.security.components.crypto.Crypto

Do you have any suggestions on where i should start?

Or is this not the right approach?

My use case is that we have a central group that manages x509 certs and "flags" for applications for authorization purposes.
So i was going to use the x509 signature for authentication, then lookup in ldap the flags on their account for authorization. (the authorization i was going to do later in a CXF interceptor)

Thanks in advance,

Cole

---------- Forwarded message ----------
From: Daniel Kulp <dkulp@...>
Date: Thu, Dec 3, 2009 at 12:09 PM
Subject: Re: Question about x509 certificates
To: users@...
Cc: Cole Ferrier <cole@...>

On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
> I've done some basic testing and setup with x509 certificates, but i have a
> few requirements that i'm trying to figure out how i could implement.
>
> 1) I want to be able to accept an signed (not encrypted) message without
> having the public key in my keystore prior to someone calling me.
> I have a service available that i can go and get all the public keys for
> anyone, but i want to do that on demand, so that i don't have to maintain a
> local key store. How could one go about doing this?

This PROBABLY should be redirected to the WSS4J list. I THINK the only way
to do this would be to write your own
org.apache.ws.security.components.crypto.Crypto

object that implements all the needed methods. That's the class that WSS4J
uses to handle all the key manipulation and such. You would set your
classname in the properties file instead of the Merlin version.

> 2) Then of course i need to check a revocation list, so i'm assuming i
> could just use an interceptor to go and check that? or??

An interceptor could work here. Alternatively, the Crypto object you create
above could just throw an exception if a revoked cert is asked for.

> 3) then the question comes to authorization, (since i've already done the
> above to validate that i know who they are.. ) Should this be done in a
> separate interceptor? I am talking i want to authorize at the per service
> layer or operation, not at the whole application..
> How early should i try to do this.. i think i was able to get what the
> user is doing on what interface
> message.get(Message.WSDL_OPERATION)
> message.get(Message.WSDL_INTERFACE)
> and who the user is:
> //ignore the ugly code
> Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
> WSSecurityEngineResult r = (WSSecurityEngineResult)
> ((WSHandlerResult) v.get(0)).getResults().get(0);
> WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
> r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
>
> then i could take the user and what they are doing and validate that they
> are authorized for that operation.
>
> Right now i tried this at the Phase.USER_LOGICAL and it seems to work, is
> this the right place for that?

Yep. You can simplify a bit by doing:

SecurityContext sc = msg.get(SecurityContext.class);
Principal p = sc.getUserPrincipal();

> If anyone has had to do anything like this and has sample code, i'd
> appreciate it.
>
> Cole
>

--
Daniel Kulp
dkulp@...
http://www.dankulp.com/blog

[jira] Commented: (WSS-203) Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.

2009-12-03T15:48:20Z

[ https://issues.apache.org/jira/browse/WSS-203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785647#action_12785647 ]

Mike Youngstrom commented on WSS-203:
-------------------------------------

With this issue fixed is the xmlsec dependency now optional for those on Java 6?

> Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
> ------------------------------------------------------------------------------------------------------------
>
> Key: WSS-203
> URL: https://issues.apache.org/jira/browse/WSS-203
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.7
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
> Colm.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Fwd: Question about x509 certificates

2009-12-03T14:21:32Z

I was referred to this list, from Daniel Kulp from the CXF list.

Here is what i'm trying to do:

I want to be able to accept an signed (not encrypted) message without having the public key in my keystore prior to someone calling me. I have a service available that i can go and get all the public keys for anyone, but i want to do that on demand, so that i don't have to maintain a local key store. How could one go about doing this?

I wouldn't mind using a local key store to cache copies of the public key once i looked them up once, but i don't want to have to have the key prior to them calling me.

(Also I have a certificate revocation list, that i want to validate against, which i could do at this point or later in the process).

He stated that i should look at implementing a

org.apache.ws.security.components.crypto.Crypto

Do you have any suggestions on where i should start?

Or is this not the right approach?

My use case is that we have a central group that manages x509 certs and "flags" for applications for authorization purposes.
So i was going to use the x509 signature for authentication, then lookup in ldap the flags on their account for authorization. (the authorization i was going to do later in a CXF interceptor)

Thanks in advance,

Cole

---------- Forwarded message ----------
From: Daniel Kulp <dkulp@...>
Date: Thu, Dec 3, 2009 at 12:09 PM
Subject: Re: Question about x509 certificates
To: users@...
Cc: Cole Ferrier <cole@...>

On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
> I've done some basic testing and setup with x509 certificates, but i have a
> few requirements that i'm trying to figure out how i could implement.
>
> 1) I want to be able to accept an signed (not encrypted) message without
> having the public key in my keystore prior to someone calling me.
> I have a service available that i can go and get all the public keys for
> anyone, but i want to do that on demand, so that i don't have to maintain a
> local key store. How could one go about doing this?

This PROBABLY should be redirected to the WSS4J list. I THINK the only way
to do this would be to write your own
org.apache.ws.security.components.crypto.Crypto

object that implements all the needed methods. That's the class that WSS4J
uses to handle all the key manipulation and such. You would set your
classname in the properties file instead of the Merlin version.

> 2) Then of course i need to check a revocation list, so i'm assuming i
> could just use an interceptor to go and check that? or??

An interceptor could work here. Alternatively, the Crypto object you create
above could just throw an exception if a revoked cert is asked for.

> 3) then the question comes to authorization, (since i've already done the
> above to validate that i know who they are.. ) Should this be done in a
> separate interceptor? I am talking i want to authorize at the per service
> layer or operation, not at the whole application..
> How early should i try to do this.. i think i was able to get what the
> user is doing on what interface
> message.get(Message.WSDL_OPERATION)
> message.get(Message.WSDL_INTERFACE)
> and who the user is:
> //ignore the ugly code
> Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
> WSSecurityEngineResult r = (WSSecurityEngineResult)
> ((WSHandlerResult) v.get(0)).getResults().get(0);
> WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
> r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
>
> then i could take the user and what they are doing and validate that they
> are authorized for that operation.
>
> Right now i tried this at the Phase.USER_LOGICAL and it seems to work, is
> this the right place for that?

Yep. You can simplify a bit by doing:

SecurityContext sc = msg.get(SecurityContext.class);
Principal p = sc.getUserPrincipal();

> If anyone has had to do anything like this and has sample code, i'd
> appreciate it.
>
> Cole
>

--
Daniel Kulp
dkulp@...
http://www.dankulp.com/blog

how to have usernmae token authentication and SecureConversation using rampart

2009-12-02T07:09:10Z

Hi Team,

I have a requirement to engage rampart for username token authentication and sending and receiving signed and encrypt messages. But for authentication i have to pass the username and password from client program, instead of harding coding in policy.xml at client side. Could anyone please tell me how can i do this.

Thanks,
Swapna Soni.

RE: keyStore.isKeyEntry() returning false

2009-12-01T06:55:09Z

That's quite simple: the disPartner.jks does not contain a key
with that alias, only a certificate. The key in disPartner.jks
is named "dispartner".

Regards,
Werner

> -----Original Message-----
> From: ext NewToGit [mailto:omarnetbox@...]
> Sent: Monday, November 30, 2009 1:54 PM
> To: wss4j-dev@...
> Subject: keyStore.isKeyEntry() returning false
>
>
> Hi,
>
> I'm creating my KeyStore (disPartner.jks) as shown below but the
> isKeyEntry("dispubcer") method is returning false can someone
> tell me why
> please.
>
> But when I retrieve the certificate using
> getCertiticate("dispubcer") it
> finds it no problem.
>
> %-| please help me.
>
> echo 'Create dis store ... '
> $JAVA_HOME/bin/keytool -genkeypair -alias dis -keystore
> disStore.jks -dname
> "cn=dis" -keypass dispass -storepass dispass -keyalg rsa
> echo 'Self-sign dis ... '
> $JAVA_HOME/bin/keytool -selfcert -alias dis -keystore
> disStore.jks -keypass
> dispass -storepass dispass
> echo 'Export dis public key...'
> $JAVA_HOME/bin/keytool -export -keystore disStore.jks -alias
> dis -storepass
> dispass -file dispub.cer
>
> echo 'Create disPartner store ... '
> $JAVA_HOME/bin/keytool -genkeypair -alias dispartner -keystore
> disPartner.jks -dname "cn=dispartner" -keypass disPartnerpass
> -storepass
> disPartnerpass -keyalg rsa
> echo 'Self-sign disPartner ... '
> $JAVA_HOME/bin/keytool -selfcert -alias dispartner -keystore
> disPartner.jks
> -keypass disPartnerpass -storepass disPartnerpass
> echo 'Export disPartner public key...'
> $JAVA_HOME/bin/keytool -export -keystore disPartner.jks
> -alias dispartner
> -storepass disPartnerpass -file disPartnerpub.cer
>
> echo 'Import dispub.cer->disPartner.jks... '
> $JAVA_HOME/bin/keytool -import -alias dispubcer -file
> dispub.cer -keystore
> disPartner.jks -storepass disPartnerpass
> echo 'removing dispub.cer ...'
> rm dispub.cer
> echo 'Import disPartnerpub.cer->disStore.jks... '
> $JAVA_HOME/bin/keytool -import -alias disPartnerpubcert -file
> disPartnerpub.cer -keystore disStore.jks -storepass dispass
> echo 'removing disPartnerpub.cer ...'
> rm disPartnerpub.cer
>
> echo 'Done.'
>
> --
> View this message in context:
> http://old.nabble.com/keyStore.isKeyEntry%28%29-returning-fals
> e-tp26574263p26574263.html
> Sent from the WSS4J mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
> For additional commands, e-mail: wss4j-dev-help@...
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Axis 1.1 with WSS4J

2009-11-30T11:25:04Z

Axis 1.1 with WSS4J

Can I use WSS4J with Axis 1.1?

WSS4J documentation points to Axis 1.2.

This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. The information contained in this e-mail was obtained from sources believed to be reliable; however, the accuracy or completeness of this information is not guaranteed. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Past performance is no guarantee of future results. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.

keyStore.isKeyEntry() returning false

2009-11-30T04:54:11Z

Hi,

I'm creating my KeyStore (disPartner.jks) as shown below but the isKeyEntry("dispubcer") method is returning false can someone tell me why please.

But when I retrieve the certificate using getCertiticate("dispubcer") it finds it no problem.

please help me.

echo 'Create dis store ... '
$JAVA_HOME/bin/keytool -genkeypair -alias dis -keystore disStore.jks -dname "cn=dis" -keypass dispass -storepass dispass -keyalg rsa
echo 'Self-sign dis ... '
$JAVA_HOME/bin/keytool -selfcert -alias dis -keystore disStore.jks -keypass dispass -storepass dispass
echo 'Export dis public key...'
$JAVA_HOME/bin/keytool -export -keystore disStore.jks -alias dis -storepass dispass -file dispub.cer

echo 'Create disPartner store ... '
$JAVA_HOME/bin/keytool -genkeypair -alias dispartner -keystore disPartner.jks -dname "cn=dispartner" -keypass disPartnerpass -storepass disPartnerpass -keyalg rsa
echo 'Self-sign disPartner ... '
$JAVA_HOME/bin/keytool -selfcert -alias dispartner -keystore disPartner.jks -keypass disPartnerpass -storepass disPartnerpass
echo 'Export disPartner public key...'
$JAVA_HOME/bin/keytool -export -keystore disPartner.jks -alias dispartner -storepass disPartnerpass -file disPartnerpub.cer

echo 'Import dispub.cer->disPartner.jks... '
$JAVA_HOME/bin/keytool -import -alias dispubcer -file dispub.cer -keystore disPartner.jks -storepass disPartnerpass
echo 'removing dispub.cer ...'
rm dispub.cer
echo 'Import disPartnerpub.cer->disStore.jks... '
$JAVA_HOME/bin/keytool -import -alias disPartnerpubcert -file disPartnerpub.cer -keystore disStore.jks -storepass dispass
echo 'removing disPartnerpub.cer ...'
rm disPartnerpub.cer

echo 'Done.'

RE: Wss4j working with WebSphere?

2009-11-24T09:01:05Z

Eclipse. I normally run tests from the command line, e.g. "mvn clean
install" or "mvn test".

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: 24 November 2009 16:02
To: Colm O hEigeartaigh; wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi, Colm,

What's your dev env? I checked out 1_5_x-fixes branch into MyEclipse 7.5
and MyEclipse hung at "Initinalizging Java Tools" each time I restart
MyEclipse.

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@...]
Sent: Tuesday, November 24, 2009 6:33 AM
To: Yang, Gang CTR USA; wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: 18 November 2009 22:30
To: wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore() and the timing wss4j inserts
the <Signature> element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and used the API to hide that. When the child element is
actually accessed, it would put the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j, WSSecSignature.build() calls "prependToHeader"
to insert <Signature> element into the header (and doc) early and then
was trying to do the signing. During the signing process, it actually
accesses the <Signature> element causing WAS to copy and regenerate.
This would cause the object references to the <DigestValue> and
<SignatureValue> in sig (XMLSignaure) member to stale. Therefore the
inserted <DigestValue> values and <SignatureValue> value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() at last after the
computeSignature() call. This seems to have worked fine with WAS now.
However, since I'm not an expert in wss4j and would like some one, Cole
maybe?, to bless the change and pull that into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

public Document build(Document doc, Crypto cr, WSSecHeader
secHeader)
throws WSSecurityException {
doDebug = log.isDebugEnabled();

if (doDebug) {
log.debug("Beginning signing...");
}

prepare(doc, cr, secHeader);
SOAPConstants soapConstants =
WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

if (parts == null) {
parts = new Vector();
WSEncryptionPart encP =
new WSEncryptionPart(
soapConstants.getBodyQName().getLocalPart(),
soapConstants.getEnvelopeURI(),
"Content"
);
parts.add(encP);
}

addReferencesToSign(parts, secHeader);
// put at the end instead:
// prependToHeader(secHeader);

//
// if we have a BST prepend it in front of the Signature
according to
// strict layout rules.
//
if (bstToken != null) {
prependBSTElementToHeader(secHeader);
}

computeSignature();
prependToHeader(secHeader);

return doc;
}

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@...
Subject: Wss4j working with WebSphere?

Hi,

Has any one used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSSingnature.build() call without any error, the security headers were
added to the SOAP message without the digest values and signature value.
Has any one experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

RE: Wss4j working with WebSphere?

2009-11-24T08:02:08Z

Hi, Colm,

What's your dev env? I checked out 1_5_x-fixes branch into MyEclipse 7.5
and MyEclipse hung at "Initinalizging Java Tools" each time I restart
MyEclipse.

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@...]
Sent: Tuesday, November 24, 2009 6:33 AM
To: Yang, Gang CTR USA; wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: 18 November 2009 22:30
To: wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore() and the timing wss4j inserts
the <Signature> element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and used the API to hide that. When the child element is
actually accessed, it would put the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j, WSSecSignature.build() calls "prependToHeader"
to insert <Signature> element into the header (and doc) early and then
was trying to do the signing. During the signing process, it actually
accesses the <Signature> element causing WAS to copy and regenerate.
This would cause the object references to the <DigestValue> and
<SignatureValue> in sig (XMLSignaure) member to stale. Therefore the
inserted <DigestValue> values and <SignatureValue> value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() at last after the
computeSignature() call. This seems to have worked fine with WAS now.
However, since I'm not an expert in wss4j and would like some one, Cole
maybe?, to bless the change and pull that into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

public Document build(Document doc, Crypto cr, WSSecHeader
secHeader)
throws WSSecurityException {
doDebug = log.isDebugEnabled();

if (doDebug) {
log.debug("Beginning signing...");
}

prepare(doc, cr, secHeader);
SOAPConstants soapConstants =
WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

if (parts == null) {
parts = new Vector();
WSEncryptionPart encP =
new WSEncryptionPart(
soapConstants.getBodyQName().getLocalPart(),
soapConstants.getEnvelopeURI(),
"Content"
);
parts.add(encP);
}

addReferencesToSign(parts, secHeader);
// put at the end instead:
// prependToHeader(secHeader);

//
// if we have a BST prepend it in front of the Signature
according to
// strict layout rules.
//
if (bstToken != null) {
prependBSTElementToHeader(secHeader);
}

computeSignature();
prependToHeader(secHeader);

return doc;
}

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@...
Subject: Wss4j working with WebSphere?

Hi,

Has any one used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSSingnature.build() call without any error, the security headers were
added to the SOAP message without the digest values and signature value.
Has any one experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

RE: Wss4j working with WebSphere?

2009-11-24T03:32:51Z

Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: 18 November 2009 22:30
To: wss4j-dev@...
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore() and the timing wss4j inserts
the <Signature> element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and used the API to hide that. When the child element is
actually accessed, it would put the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j, WSSecSignature.build() calls "prependToHeader"
to insert <Signature> element into the header (and doc) early and then
was trying to do the signing. During the signing process, it actually
accesses the <Signature> element causing WAS to copy and regenerate.
This would cause the object references to the <DigestValue> and
<SignatureValue> in sig (XMLSignaure) member to stale. Therefore the
inserted <DigestValue> values and <SignatureValue> value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() at last after the
computeSignature() call. This seems to have worked fine with WAS now.
However, since I'm not an expert in wss4j and would like some one, Cole
maybe?, to bless the change and pull that into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

public Document build(Document doc, Crypto cr, WSSecHeader
secHeader)
throws WSSecurityException {
doDebug = log.isDebugEnabled();

if (doDebug) {
log.debug("Beginning signing...");
}

prepare(doc, cr, secHeader);
SOAPConstants soapConstants =
WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

if (parts == null) {
parts = new Vector();
WSEncryptionPart encP =
new WSEncryptionPart(
soapConstants.getBodyQName().getLocalPart(),
soapConstants.getEnvelopeURI(),
"Content"
);
parts.add(encP);
}

addReferencesToSign(parts, secHeader);
// put at the end instead:
// prependToHeader(secHeader);

//
// if we have a BST prepend it in front of the Signature
according to
// strict layout rules.
//
if (bstToken != null) {
prependBSTElementToHeader(secHeader);
}

computeSignature();
prependToHeader(secHeader);

return doc;
}

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@...
Subject: Wss4j working with WebSphere?

Hi,

Has any one used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSSingnature.build() call without any error, the security headers were
added to the SOAP message without the digest values and signature value.
Has any one experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

RE: Wss4j working with WebSphere?

2009-11-18T14:30:05Z

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore() and the timing wss4j inserts
the <Signature> element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and used the API to hide that. When the child element is
actually accessed, it would put the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j, WSSecSignature.build() calls "prependToHeader"
to insert <Signature> element into the header (and doc) early and then
was trying to do the signing. During the signing process, it actually
accesses the <Signature> element causing WAS to copy and regenerate.
This would cause the object references to the <DigestValue> and
<SignatureValue> in sig (XMLSignaure) member to stale. Therefore the
inserted <DigestValue> values and <SignatureValue> value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() at last after the
computeSignature() call. This seems to have worked fine with WAS now.
However, since I'm not an expert in wss4j and would like some one, Cole
maybe?, to bless the change and pull that into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

public Document build(Document doc, Crypto cr, WSSecHeader
secHeader)
throws WSSecurityException {
doDebug = log.isDebugEnabled();

if (doDebug) {
log.debug("Beginning signing...");
}

prepare(doc, cr, secHeader);
SOAPConstants soapConstants =
WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

if (parts == null) {
parts = new Vector();
WSEncryptionPart encP =
new WSEncryptionPart(
soapConstants.getBodyQName().getLocalPart(),
soapConstants.getEnvelopeURI(),
"Content"
);
parts.add(encP);
}

addReferencesToSign(parts, secHeader);
// put at the end instead:
// prependToHeader(secHeader);

//
// if we have a BST prepend it in front of the Signature
according to
// strict layout rules.
//
if (bstToken != null) {
prependBSTElementToHeader(secHeader);
}

computeSignature();
prependToHeader(secHeader);

return doc;
}

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@...]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@...
Subject: Wss4j working with WebSphere?

Hi,

Has any one used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSSingnature.build() call without any error, the security headers were
added to the SOAP message without the digest values and signature value.
Has any one experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Wss4j working with WebSphere?

2009-11-17T06:30:35Z

Hi,

Has any one used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSSingnature.build() call without any error, the security headers were
added to the SOAP message without the digest values and signature value.
Has any one experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Re: WSS4J Encryption with public key ???

2009-11-13T11:36:41Z

Hi,
superk888 wrote:
> Yep, I've figured it out afterward. But when working with asymmetric
> encryption, aren't we suppose to have 2 possibilities with one key pair?
>
> - A encrypts with A's private key --> B decrypts with A's public key
>
It's a signature operation which happens with A's private key and B
verifies the signature with A's public key. if we use public key to
decrypt then many guys 'C', 'D', 'E', etc would decrypt the message,
which we don't want, we wanted only 'B' to decrypt as it's encrypted for
'B' only. Hence, encryption won't work here. This is a Signature, where
everyone can come to know that only 'A' has sent the message.

> - A encrypts with B's public key --> B decrypts with B's private key
>
This is right for Encryption. We do encryption so that only one guy 'B'
who has it's private key can decrypt. All other's won't be having 'B's
private key, hence can't decrypt.
> Besides, there is something wrong with the WSPasswordCallback class from
> WSS4J : this class uses a private key to decrypt a message. It logically
> throws an exception when we try to decrypt with a public key.
>
> But then, why the hell does it allow to encrypt with a private key?
>
I hope this helps.

With Regards,
Mayank

>
> Colm O hEigeartaigh wrote:
>
>>
>>> For an unknown reason to me, the crypto engine is looking for a
>>>
>> private
>>
>>> key in the specified keystore object, which actually only contains a
>>> certificate since it is the server's public key:confused:
>>>
>> The client needs a private key to decrypt the (encrypted) message
>> received from the server. The service should be configured to encrypt
>> the response using the client's public key.
>>
>> Colm.
>>
>> -----Original Message-----
>> From: superk888 [mailto:superk888@...]
>> Sent: 12 November 2009 12:04
>> To: wss4j-dev@...
>> Subject: WSS4J Encryption with public key ???
>>
>>
>> Hi everyone,
>>
>> I've implemented a Web Service that supports 2-ways encryption features
>> using the X.509 Certificates method. Everything works fine when using 2
>> pairs of keys as it is described in the Apache CXF documentation, but
>> what I
>> am trying to do, is to use only one pair of keys : server-side keeps its
>> own
>> private key and gives its public key to the service client.
>> Consequently,
>> client-side has to encrypt messages before sending with the server's
>> public
>> key, which should work since this is an asymmetric encryption method.
>>
>> Nevertheless, my service client succeeds to encrypt a message with the
>> server's public key but when the latter sends a response, my service
>> client
>> fails to decode the encrypted response. Is this case, I got the
>> following
>> error :
>>
>> 2009-11-12 12:55:22,261 [main] ERROR
>> org.apache.ws.security.components.crypto.CryptoBase - Cannot find key
>> for
>> alias: [myAlias] in keystore of type [jks] from provider [SUN version
>> 1.5]
>> with size [1] and aliases: {myAlias}
>> 12-nov.-2009 12:55:22
>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
>> handleMessage
>> ATTENTION:
>> org.apache.ws.security.WSSecurityException: The signature or decryption
>> was
>> invalid; nested exception is:
>> java.lang.Exception: Cannot find key for alias: [myAlias]
>> at ...
>> ...
>> Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
>> at
>> org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(Crypto
>> Base.java:214)
>> at
>> org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
>> y(EncryptedKeyProcessor.java:328)
>> ... 71 more
>> 12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain
>> doIntercept
>> ATTENTION: Interceptor has thrown exception, unwinding now
>> org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
>> invalid; nested exception is:
>>
>> For an unknown reason to me, the crypto engine is looking for a private
>> key
>> in the specified keystore object, which actually only contains a
>> certificate
>> since it is the server's public key:confused:
>>
>> What am I missing?
>> --
>> View this message in context:
>> http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26
>> 316077.html
>> Sent from the WSS4J mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
>> For additional commands, e-mail: wss4j-dev-help@...
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
>> For additional commands, e-mail: wss4j-dev-help@...
>>
>>
>>
>>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

RE: WSS4J Encryption with public key ???

2009-11-13T11:11:19Z

Yep, I've figured it out afterward. But when working with asymmetric encryption, aren't we suppose to have 2 possibilities with one key pair?

- A encrypts with A's private key --> B decrypts with A's public key
- A encrypts with B's public key --> B decrypts with B's private key

Besides, there is something wrong with the WSPasswordCallback class from WSS4J : this class uses a private key to decrypt a message. It logically throws an exception when we try to decrypt with a public key.

But then, why the hell does it allow to encrypt with a private key?

Colm O hEigeartaigh wrote:

> For an unknown reason to me, the crypto engine is looking for a
private
> key in the specified keystore object, which actually only contains a
> certificate since it is the server's public key:confused:

The client needs a private key to decrypt the (encrypted) message
received from the server. The service should be configured to encrypt
the response using the client's public key.

Colm.

-----Original Message-----
From: superk888 [mailto:superk888@gmail.com]
Sent: 12 November 2009 12:04
To: wss4j-dev@ws.apache.org
Subject: WSS4J Encryption with public key ???

Hi everyone,

I've implemented a Web Service that supports 2-ways encryption features
using the X.509 Certificates method. Everything works fine when using 2
pairs of keys as it is described in the Apache CXF documentation, but
what I
am trying to do, is to use only one pair of keys : server-side keeps its
own
private key and gives its public key to the service client.
Consequently,
client-side has to encrypt messages before sending with the server's
public
key, which should work since this is an asymmetric encryption method.

Nevertheless, my service client succeeds to encrypt a message with the
server's public key but when the latter sends a response, my service
client
fails to decode the encrypted response. Is this case, I got the
following
error :

2009-11-12 12:55:22,261 [main] ERROR
org.apache.ws.security.components.crypto.CryptoBase - Cannot find key
for
alias: [myAlias] in keystore of type [jks] from provider [SUN version
1.5]
with size [1] and aliases: {myAlias}
12-nov.-2009 12:55:22
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
ATTENTION:
org.apache.ws.security.WSSecurityException: The signature or decryption
was
invalid; nested exception is:
java.lang.Exception: Cannot find key for alias: [myAlias]
at ...
...
Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
at
org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(Crypto
Base.java:214)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
y(EncryptedKeyProcessor.java:328)
... 71 more
12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain
doIntercept
ATTENTION: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid; nested exception is:

For an unknown reason to me, the crypto engine is looking for a private
key
in the specified keystore object, which actually only contains a
certificate
since it is the server's public key:confused:

What am I missing?
--
View this message in context:
http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26
316077.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

RE: WSS4J Encryption with public key ???

2009-11-13T09:38:45Z

> For an unknown reason to me, the crypto engine is looking for a
private
> key in the specified keystore object, which actually only contains a
> certificate since it is the server's public key:confused:

The client needs a private key to decrypt the (encrypted) message
received from the server. The service should be configured to encrypt
the response using the client's public key.

Colm.

-----Original Message-----
From: superk888 [mailto:superk888@...]
Sent: 12 November 2009 12:04
To: wss4j-dev@...
Subject: WSS4J Encryption with public key ???

Hi everyone,

I've implemented a Web Service that supports 2-ways encryption features
using the X.509 Certificates method. Everything works fine when using 2
pairs of keys as it is described in the Apache CXF documentation, but
what I
am trying to do, is to use only one pair of keys : server-side keeps its
own
private key and gives its public key to the service client.
Consequently,
client-side has to encrypt messages before sending with the server's
public
key, which should work since this is an asymmetric encryption method.

Nevertheless, my service client succeeds to encrypt a message with the
server's public key but when the latter sends a response, my service
client
fails to decode the encrypted response. Is this case, I got the
following
error :

2009-11-12 12:55:22,261 [main] ERROR
org.apache.ws.security.components.crypto.CryptoBase - Cannot find key
for
alias: [myAlias] in keystore of type [jks] from provider [SUN version
1.5]
with size [1] and aliases: {myAlias}
12-nov.-2009 12:55:22
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
ATTENTION:
org.apache.ws.security.WSSecurityException: The signature or decryption
was
invalid; nested exception is:
java.lang.Exception: Cannot find key for alias: [myAlias]
at ...
...
Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
at
org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(Crypto
Base.java:214)
at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
y(EncryptedKeyProcessor.java:328)
... 71 more
12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain
doIntercept
ATTENTION: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid; nested exception is:

For an unknown reason to me, the crypto engine is looking for a private
key
in the specified keystore object, which actually only contains a
certificate
since it is the server's public key:confused:

What am I missing?
--
View this message in context:
http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26
316077.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

Server-side: updating keystore?

2009-11-12T14:35:24Z

Hi everyone,

What follows isn't an issue I'm currently running into but it is actually a situation I could face pretty soon:

I've implemented a web service (Code First) which is deployed via spring-based xml configuration file in a Tomcat server. My service also implements security by referencing a keystore and a truststore.
Suppose I wanna add a new client to my service. Its public key should be added to the server-side truststore and normally, the Tomcat server should be restarted, since WSS4J loads keystores' content only once, at the service deployment.

So here's what I am wondering : would it be possible to dynamically update a keystore object without having to turn off the application server, even for a brief moment?

WSS4J Encryption with public key ???

2009-11-12T04:04:29Z

Hi everyone,

I've implemented a Web Service that supports 2-ways encryption features using the X.509 Certificates method. Everything works fine when using 2 pairs of keys as it is described in the Apache CXF documentation, but what I am trying to do, is to use only one pair of keys : server-side keeps its own private key and gives its public key to the service client. Consequently, client-side has to encrypt messages before sending with the server's public key, which should work since this is an asymmetric encryption method.

Nevertheless, my service client succeeds to encrypt a message with the server's public key but when the latter sends a response, my service client fails to decode the encrypted response. Is this case, I got the following error :

2009-11-12 12:55:22,261 [main] ERROR org.apache.ws.security.components.crypto.CryptoBase - Cannot find key for alias: [myAlias] in keystore of type [jks] from provider [SUN version 1.5] with size [1] and aliases: {myAlias}
12-nov.-2009 12:55:22 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
ATTENTION:
org.apache.ws.security.WSSecurityException: The signature or decryption was invalid; nested exception is:
java.lang.Exception: Cannot find key for alias: [myAlias]
at ...
...
Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
at org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:214)
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
... 71 more
12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain doIntercept
ATTENTION: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid; nested exception is:

For an unknown reason to me, the crypto engine is looking for a private key in the specified keystore object, which actually only contains a certificate since it is the server's public key

What am I missing?

[jira] Commented: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T06:47:27Z

[ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775438#action_12775438 ]

Michel Schudel commented on WSS-218:
------------------------------------

Thanks.

> getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates
> ------------------------------------------------------------------------------------------------------
>
> Key: WSS-218
> URL: https://issues.apache.org/jira/browse/WSS-218
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Michel Schudel
> Assignee: Colm O hEigeartaigh
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> We want to retrieve a certificate based an on X509IssuerSerial. Our keystore has not only the correct certificates but also a lot of secret (3DES) keys.
> The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate entry, resulting in a null return when the first alias found is a (secret) key.
> Please wrap line 334-353 in version 1.5.8 as follows:
> if (keystore.isCertificateEntry(alias) {
> (line 334-353)
> }
> That should do it.

[jira] Commented: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T06:41:27Z

[ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775437#action_12775437 ]

Colm O hEigeartaigh commented on WSS-218:
-----------------------------------------

> Have you fixed this bug (wss-218) in the private method (getAliasForX509Cert(String, BigInteger) explicitly too?

Yes, check the subversion diff given in WSS-218.

Colm.

[jira] Commented: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T06:35:27Z

[ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775435#action_12775435 ]

Michel Schudel commented on WSS-218:
------------------------------------

Colm,

The patch supplied in WSS-210 does not fix this issue, which is in a different method: getAliasForX509Cert(Certificate).

Have you fixed this bug (wss-218) in the private method (getAliasForX509Cert(String, BigInteger) explicitly too?

Regards,

Michel

[jira] Resolved: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T06:25:29Z

[ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-218.
-------------------------------------

Resolution: Duplicate
Assignee: Colm O hEigeartaigh (was: Ruchith Udayanga Fernando)

This has already been fixed for 1.5.9:

https://issues.apache.org/jira/browse/WSS-210

Colm.

[jira] Closed: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T06:25:29Z

[ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-218.
-----------------------------------

[jira] Updated: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T05:49:27Z

[ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michel Schudel updated WSS-218:
-------------------------------

Description:
We want to retrieve a certificate based an on X509IssuerSerial. Our keystore has not only the correct certificates but also a lot of secret (3DES) keys.
The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate entry, resulting in a null return when the first alias found is a (secret) key.

Please wrap line 334-353 in version 1.5.8 as follows:
if (keystore.isCertificateEntry(alias) {
(line 334-353)
}

That should do it.

was:
We want to retrieve a certificate based an on X509IssuerSerial. Our keystore has not only the correct certificates but also a lot of secret (3DES) keys.
The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate entry, resulting in a null return when the first alias found is a (secret) key.

Please wrap line 334-353 in version 1.5.8 as follows:
if (keystore.isCertificate(alias) {
(line 334-353)
}

That should do it.

> getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates
> ------------------------------------------------------------------------------------------------------
>
> Key: WSS-218
> URL: https://issues.apache.org/jira/browse/WSS-218
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Michel Schudel
> Assignee: Ruchith Udayanga Fernando
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> We want to retrieve a certificate based an on X509IssuerSerial. Our keystore has not only the correct certificates but also a lot of secret (3DES) keys.
> The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate entry, resulting in a null return when the first alias found is a (secret) key.
> Please wrap line 334-353 in version 1.5.8 as follows:
> if (keystore.isCertificateEntry(alias) {
> (line 334-353)
> }
> That should do it.

[jira] Created: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates

2009-11-10T05:47:28Z

getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates
------------------------------------------------------------------------------------------------------

Key: WSS-218
URL: https://issues.apache.org/jira/browse/WSS-218
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 1.5.8
Reporter: Michel Schudel
Assignee: Ruchith Udayanga Fernando

We want to retrieve a certificate based an on X509IssuerSerial. Our keystore has not only the correct certificates but also a lot of secret (3DES) keys.
The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate entry, resulting in a null return when the first alias found is a (secret) key.

Please wrap line 334-353 in version 1.5.8 as follows:
if (keystore.isCertificate(alias) {
(line 334-353)
}

That should do it.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

RE: help: directReference, senderVouches & X509Certificate

2009-11-09T10:00:18Z

Hi,

I've tried setting the SIG_KEY_ID to "X509KeyIdentifier" and SKIKeyIdentifier and get an GeneralSecurityError that they are an "Unsupported Key Identification".

Is there some other approach you would recommend?

Thanks,

-- Steve

Colm O hEigeartaigh wrote:

Hi,

WSS4J does not currently support constructing a KeyInfo object that
includes the X509 Cert in x509Data. According to the SOAP Message
Security spec:

"However, in this specification, the use of <wsse:BinarySecurityToken>
is the RECOMMENDED mechanism to carry key material if the key type
contains binary data."

You have a few other options to use for referring to a Key from a
signature:

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
lerConstants.html#SIG_KEY_ID

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
lerConstants.html#keyIdentifier

Colm.

-----Original Message-----
From: vroom [mailto:vroom3@gmail.com]
Sent: 06 November 2009 23:25
To: wss4j-dev@ws.apache.org
Subject: help: directReference, senderVouches & X509Certificate

I have a integration test coming up and have been trying for a few days
to
figure out how to format a client-side SOAP message so it will be
accepted
by a service. The example client message I've been shown requires
senderVouches and has the clients' x509 certificate being transferred to
the
service in the KeyInfo like so:

keyInfo
x509Data
x509Certificate

The message I'm generating with senderVouches and directReference places
provides:

Wsse:securityTokenReference
wsse:BinarySecurityToken in header

keyInfo
SecurityTokenReference
Reference to BinarySecurityToken

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but its a very long and tedious process.
Will
an upgrade supply this functionality?

--
View this message in context:
http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Cer
tificate-tp26230917p26230917.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

[jira] Commented: (WSS-213) Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)

2009-11-09T04:50:32Z

[ https://issues.apache.org/jira/browse/WSS-213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774952#action_12774952 ]

Colm O hEigeartaigh commented on WSS-213:
-----------------------------------------

> How would I find out what types of SAML Assertions can be created and controlled through the properties files like (saml and crypto) as opposed to using the API directly?

Probably the best way is to look at the source:

http://ws.apache.org/wss4j/xref/org/apache/ws/security/saml/SAMLIssuerFactory.html
http://ws.apache.org/wss4j/xref/org/apache/ws/security/saml/SAMLIssuerImpl.html

> And it sounds like the type of SAML Token that I want to create is not possible this way

Yes, the range of SAML assertions that can be generated through the properties file is quite limited.

Colm.

> Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)
> -----------------------------------------------------------------------------------------------------------
>
> Key: WSS-213
> URL: https://issues.apache.org/jira/browse/WSS-213
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.8
> Environment: OS = Ubuntu 9.04
> Eclipse = JEE Eclipse, Galileo, STS, m2eclipse
> JDK = java-6-sun-1.6.0.16, java-1.5.0-sun-1.5.0.19 (attempted as well)
> Reporter: Jay Blanton
> Assignee: Ruchith Udayanga Fernando
> Priority: Critical
> Attachments: wss4j.saml-jks.tar.gz, wss4j.saml.tar.gz
>
>
> I pulled down the 1.5.8, 1.5.8-SNAPSHOT, and pulled down the trunk for 1.6.
> I tried to build the trunk by doing a mvn package -Dmaven.test.skip=true (because quite a few unit tests fail).
> Then I try to run TestWSSecurityNewST2 and it fails.
> This is the exact issue I am having when trying to get my Spring Web Service Implementation to work with WSS4J's SAML Support (which it appears that Spring does not expose so I have to create a custom Interceptor).
> I have working examples of a digital signature, encryption, and UsernameToken with Spring Web Services support for SAML, but the SAML is not working. So I specifically went to the WSS4J examples to see if I could get those working first, and then working with my keystores, but the default test does not work for me that shipped with WSS4J.
> [INFO] Scanning for projects...
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Ping Web Service Client
> [INFO]
> [INFO] Id: com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
> [INFO] task-segment: [package]
> [INFO] ------------------------------------------------------------------------
> [INFO] [resources:resources]
> [INFO] Using default encoding to copy filtered resources.
> url = http://repo1.maven.org/maven2
> Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://static.appfuse.org/repository
> Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://repository.jboss.com/maven2
> Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> [INFO] [compiler:compile]
> [INFO] Compiling 10 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/classes
> url = http://repo1.maven.org/maven2
> Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://static.appfuse.org/repository
> Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://repository.jboss.com/maven2
> Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> [INFO] [jibx:bind]
> [INFO] Not running JiBX binding compiler (single-module mode) - no binding files
> [INFO] [resources:testResources]
> [INFO] Using default encoding to copy filtered resources.
> url = http://repo1.maven.org/maven2
> Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://static.appfuse.org/repository
> Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://repository.jboss.com/maven2
> Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> [INFO] [compiler:testCompile]
> [INFO] Compiling 4 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/test-classes
> url = http://repo1.maven.org/maven2
> Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://static.appfuse.org/repository
> Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> url = http://repository.jboss.com/maven2
> Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
> [INFO] [surefire:test]
> [INFO] Surefire report directory: /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> -------------------------------------------------------
> T E S T S
> -------------------------------------------------------
> Running wssec.TestWSSecurityNewST2
> DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
> INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
> DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
> DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
> INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
> DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
> DEBUG [security.util.Loader] Trying to find [saml3.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
> INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
> DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
> DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
> DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
> DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
> DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
> DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
> DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
> Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.222 sec <<< FAILURE!
> Results :
> Tests in error:
> testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)
> testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)
> testDefaultIssuerClass(wssec.TestWSSecurityNewST2)
> testWSS62(wssec.TestWSSecurityNewST2)
> Tests run: 5, Failures: 0, Errors: 5, Skipped: 0
> [ERROR]
> Mojo:
> org.apache.maven.plugins:maven-surefire-plugin:2.4.2:test
> FAILED for project:
> com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
> Reason:
> There are test failures.
> Please refer to /home/jay/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports for the individual test results.
> [INFO] ------------------------------------------------------------------------
> [INFO] For more information, run with the -e flag
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILED
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 16 seconds
> [INFO] Finished at: Wed Oct 07 13:29:03 PDT 2009
> [INFO] Final Memory: 4M/25M
> [INFO] ------------------------------------------------------------------------
> Here is the errors from the test report:
> -------------------------------------------------------------------------------
> Test set: wssec.TestWSSecurityNewST2
> -------------------------------------------------------------------------------
> Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.731 sec <<< FAILURE!
> testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2) Time elapsed: 0.486 sec <<< ERROR!
> org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
> at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
> at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
> at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouches(TestWSSecurityNewST2.java:114)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at junit.framework.TestCase.runTest(TestCase.java:168)
> at junit.framework.TestCase.runBare(TestCase.java:134)
> at junit.framework.TestResult$1.protect(TestResult.java:110)
> at junit.framework.TestResult.runProtected(TestResult.java:128)
> at junit.framework.TestResult.run(TestResult.java:113)
> at junit.framework.TestCase.run(TestCase.java:124)
> at junit.framework.TestSuite.runTest(TestSuite.java:232)
> at junit.framework.TestSuite.run(TestSuite.java:227)
> at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
> at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
> at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
> at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
> testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2) Time elapsed: 0.064 sec <<< ERROR!
> org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
> at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
> at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
> at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouchesKeyIdentifier(TestWSSecurityNewST2.java:156)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at junit.framework.TestCase.runTest(TestCase.java:168)
> at junit.framework.TestCase.runBare(TestCase.java:134)
> at junit.framework.TestResult$1.protect(TestResult.java:110)
> at junit.framework.TestResult.runProtected(TestResult.java:128)
> at junit.framework.TestResult.run(TestResult.java:113)
> at junit.framework.TestCase.run(TestCase.java:124)
> at junit.framework.TestSuite.runTest(TestSuite.java:232)
> at junit.framework.TestSuite.run(TestSuite.java:227)
> at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
> at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
> at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
> at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
> testDefaultIssuerClass(wssec.TestWSSecurityNewST2) Time elapsed: 0.156 sec <<< ERROR!
> org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
> at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
> at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
> at wssec.TestWSSecurityNewST2.testDefaultIssuerClass(TestWSSecurityNewST2.java:200)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at junit.framework.TestCase.runTest(TestCase.java:168)
> at junit.framework.TestCase.runBare(TestCase.java:134)
> at junit.framework.TestResult$1.protect(TestResult.java:110)
> at junit.framework.TestResult.runProtected(TestResult.java:128)
> at junit.framework.TestResult.run(TestResult.java:113)
> at junit.framework.TestCase.run(TestCase.java:124)
> at junit.framework.TestSuite.runTest(TestSuite.java:232)
> at junit.framework.TestSuite.run(TestSuite.java:227)
> at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
> at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
> at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
> at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
> testWSS62(wssec.TestWSSecurityNewST2) Time elapsed: 0.011 sec <<< ERROR!
> org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
> at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
> at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
> at wssec.TestWSSecurityNewST2.testWSS62(TestWSSecurityNewST2.java:241)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at junit.framework.TestCase.runTest(TestCase.java:168)
> at junit.framework.TestCase.runBare(TestCase.java:134)
> at junit.framework.TestResult$1.protect(TestResult.java:110)
> at junit.framework.TestResult.runProtected(TestResult.java:128)
> at junit.framework.TestResult.run(TestResult.java:113)
> at junit.framework.TestCase.run(TestCase.java:124)
> at junit.framework.TestSuite.runTest(TestSuite.java:232)
> at junit.framework.TestSuite.run(TestSuite.java:227)
> at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
> at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
> at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
> at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
> at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)

RE: help: directReference, senderVouches & X509Certificate

2009-11-09T04:44:27Z

Hi,

WSS4J does not currently support constructing a KeyInfo object that
includes the X509 Cert in x509Data. According to the SOAP Message
Security spec:

"However, in this specification, the use of <wsse:BinarySecurityToken>
is the RECOMMENDED mechanism to carry key material if the key type
contains binary data."

You have a few other options to use for referring to a Key from a
signature:

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
lerConstants.html#SIG_KEY_ID

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
lerConstants.html#keyIdentifier

Colm.

-----Original Message-----
From: vroom [mailto:vroom3@...]
Sent: 06 November 2009 23:25
To: wss4j-dev@...
Subject: help: directReference, senderVouches & X509Certificate

I have a integration test coming up and have been trying for a few days
to
figure out how to format a client-side SOAP message so it will be
accepted
by a service. The example client message I've been shown requires
senderVouches and has the clients' x509 certificate being transferred to
the
service in the KeyInfo like so:

keyInfo
x509Data
x509Certificate

The message I'm generating with senderVouches and directReference places
provides:

Wsse:securityTokenReference
wsse:BinarySecurityToken in header

keyInfo
SecurityTokenReference
Reference to BinarySecurityToken

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but its a very long and tedious process.
Will
an upgrade supply this functionality?

--
View this message in context:
http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Cer
tificate-tp26230917p26230917.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@...
For additional commands, e-mail: wss4j-dev-help@...

how to specify keyInfo content type?

2009-11-08T15:13:49Z

How do you configure wss4j/opensaml to provide a keyInfo containing something other than the default BST? In this case I'm looking for a x509certificate. I'm currently stuck with wss4j 1.5.1 and opensaml 1.0.1 (hopefully not for much longer).

Thanks

help: directReference, senderVouches & X509Certificate

2009-11-06T15:24:58Z

I have a integration test coming up and have been trying for a few days to figure out how to format a client-side SOAP message so it will be accepted by a service. The example client message I've been shown requires senderVouches and has the clients' x509 certificate being transferred to the service in the KeyInfo like so:

keyInfo
x509Data
x509Certificate

The message I'm generating with senderVouches and directReference places provides:

Wsse:securityTokenReference
wsse:BinarySecurityToken in header

keyInfo
SecurityTokenReference
Reference to BinarySecurityToken

My requirement therefore is to remove the SecurityTokenReference/BinarySecurityToken from the header and add the x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but its a very long and tedious process. Will an upgrade supply this functionality?

[jira] Resolved: (WSS-217) Add ability to specify a reference to an absolute URI in the derived key functionality

2009-11-06T03:57:32Z

[ https://issues.apache.org/jira/browse/WSS-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-217.
-------------------------------------

Resolution: Fixed

> Add ability to specify a reference to an absolute URI in the derived key functionality
> --------------------------------------------------------------------------------------
>
> Key: WSS-217
> URL: https://issues.apache.org/jira/browse/WSS-217
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.8
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.9, 1.6
>
>
> Currently, WSSecDKSign and WSSecDKEncrypt only allow references using a relative URI. This is problematic for the case of refering to a SecurityContextToken via the wsc:Identifier, which must be an absolute reference.