You are viewing a plain text version of this content. The canonical link for it is here.

Posted to wss4j-dev@ws.apache.org by vroom <vr...@gmail.com> on 2009/11/07 00:24:58 UTC

help: directReference, senderVouches & X509Certificate


I have a integration test coming up and have been trying for a few days to
figure out how to format a client-side SOAP message so it will be accepted
by a service.  The example client message I've been shown requires
senderVouches and has the clients' x509 certificate being transferred to the
service in the KeyInfo like so:

keyInfo
	x509Data
		x509Certificate

The message I'm generating with senderVouches and directReference places
provides:


Wsse:securityTokenReference
	wsse:BinarySecurityToken in header

keyInfo
	SecurityTokenReference
		Reference to BinarySecurityToken 

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but its a very long and tedious process. Will
an upgrade supply this functionality?




-- 
View this message in context: http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Certificate-tp26230917p26230917.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

RE: help: directReference, senderVouches & X509Certificate

Posted by vroom <vr...@gmail.com>.


Hi,

I've tried setting the SIG_KEY_ID to "X509KeyIdentifier" and
SKIKeyIdentifier and get an GeneralSecurityError that they are an 
"Unsupported Key Identification".

Is there some other approach you would recommend?  

Thanks,

-- Steve


Colm O hEigeartaigh wrote:
> 
> Hi,
> 
> WSS4J does not currently support constructing a KeyInfo object that
> includes the X509 Cert in x509Data. According to the SOAP Message
> Security spec:
> 
> "However, in this specification, the use of <wsse:BinarySecurityToken>
> is the RECOMMENDED mechanism to carry key material if the key type
> contains binary data."
> 
> You have a few other options to use for referring to a Key from a
> signature:
> 
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
> lerConstants.html#SIG_KEY_ID
> 
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
> lerConstants.html#keyIdentifier
> 
> Colm.
> 
> -----Original Message-----
> From: vroom [mailto:vroom3@gmail.com] 
> Sent: 06 November 2009 23:25
> To: wss4j-dev@ws.apache.org
> Subject: help: directReference, senderVouches & X509Certificate
> 
> 
> 
> I have a integration test coming up and have been trying for a few days
> to
> figure out how to format a client-side SOAP message so it will be
> accepted
> by a service.  The example client message I've been shown requires
> senderVouches and has the clients' x509 certificate being transferred to
> the
> service in the KeyInfo like so:
> 
> keyInfo
> 	x509Data
> 		x509Certificate
> 
> The message I'm generating with senderVouches and directReference places
> provides:
> 
> 
> Wsse:securityTokenReference
> 	wsse:BinarySecurityToken in header
> 
> keyInfo
> 	SecurityTokenReference
> 		Reference to BinarySecurityToken 
> 
> My requirement therefore is to remove the
> SecurityTokenReference/BinarySecurityToken from the header and add the
> x509certificate to the KeyInfo.
> 
> The software stack I'm using is:
> xFire 1.2.6
> Wss4j 1.5.1
> openSaml 1.0.1
> Xmlsecurity 1.3
> 
> I'm trying to get it upgraded but its a very long and tedious process.
> Will
> an upgrade supply this functionality?
> 
> 
> 
> 
> -- 
> View this message in context:
> http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Cer
> tificate-tp26230917p26230917.html
> Sent from the WSS4J mailing list archive at Nabble.com.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Certificate-tp26230917p26270886.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

RE: help: directReference, senderVouches & X509Certificate

Posted by Colm O hEigeartaigh <co...@progress.com>.

Hi,

WSS4J does not currently support constructing a KeyInfo object that
includes the X509 Cert in x509Data. According to the SOAP Message
Security spec:

"However, in this specification, the use of <wsse:BinarySecurityToken>
is the RECOMMENDED mechanism to carry key material if the key type
contains binary data."

You have a few other options to use for referring to a Key from a
signature:

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
lerConstants.html#SIG_KEY_ID

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHand
lerConstants.html#keyIdentifier

Colm.

-----Original Message-----
From: vroom [mailto:vroom3@gmail.com] 
Sent: 06 November 2009 23:25
To: wss4j-dev@ws.apache.org
Subject: help: directReference, senderVouches & X509Certificate



I have a integration test coming up and have been trying for a few days
to
figure out how to format a client-side SOAP message so it will be
accepted
by a service.  The example client message I've been shown requires
senderVouches and has the clients' x509 certificate being transferred to
the
service in the KeyInfo like so:

keyInfo
	x509Data
		x509Certificate

The message I'm generating with senderVouches and directReference places
provides:


Wsse:securityTokenReference
	wsse:BinarySecurityToken in header

keyInfo
	SecurityTokenReference
		Reference to BinarySecurityToken 

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but its a very long and tedious process.
Will
an upgrade supply this functionality?




-- 
View this message in context:
http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Cer
tificate-tp26230917p26230917.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org