Posted to wss4j-dev@ws.apache.org by vroom <vr...@gmail.com> on 2009/11/07 00:24:58 UTC
help: directReference, senderVouches & X509Certificate
I have an integration test coming up and have been trying for a few days to
figure out how to format a client-side SOAP message so it will be accepted
by a service. The example client message I've been shown requires
senderVouches and has the client's x509 certificate being transferred to the
service in the KeyInfo like so:

keyInfo
  x509Data
    x509Certificate

The message I'm generating with senderVouches and directReference
provides:

Wsse:securityTokenReference
wsse:BinarySecurityToken in header

keyInfo
  SecurityTokenReference
    Reference to BinarySecurityToken

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.
The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3
I'm trying to get it upgraded but it's a very long and tedious process. Will
an upgrade supply this functionality?
--
View this message in context: http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Certificate-tp26230917p26230917.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: help: directReference, senderVouches & X509Certificate
Posted by vroom <vr...@gmail.com>.
Hi,
I've tried setting the SIG_KEY_ID to "X509KeyIdentifier" and
SKIKeyIdentifier and get a GeneralSecurityError that they are an
"Unsupported Key Identification".
Is there some other approach you would recommend?
Thanks,
-- Steve
Colm O hEigeartaigh wrote:
>
> Hi,
>
> WSS4J does not currently support constructing a KeyInfo object that
> includes the X509 Cert in x509Data. According to the SOAP Message
> Security spec:
>
> "However, in this specification, the use of <wsse:BinarySecurityToken>
> is the RECOMMENDED mechanism to carry key material if the key type
> contains binary data."
>
> You have a few other options to use for referring to a Key from a
> signature:
>
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#SIG_KEY_ID
>
> http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#keyIdentifier
>
> Colm.
--
View this message in context: http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Certificate-tp26230917p26270886.html
Sent from the WSS4J mailing list archive at Nabble.com.
RE: help: directReference, senderVouches & X509Certificate
Posted by Colm O hEigeartaigh <co...@progress.com>.
Hi,
WSS4J does not currently support constructing a KeyInfo object that
includes the X509 Cert in x509Data. According to the SOAP Message
Security spec:
"However, in this specification, the use of <wsse:BinarySecurityToken>
is the RECOMMENDED mechanism to carry key material if the key type
contains binary data."
You have a few other options to use for referring to a Key from a
signature:
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#SIG_KEY_ID
http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#keyIdentifier
Colm.
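
Added example, not part of the original thread and not WSS4J code: a Python check that reports which of the key-reference shapes discussed above a message's ds:KeyInfo uses (embedded X509Certificate, direct Reference to a BinarySecurityToken, or KeyIdentifier), so a generated message can be compared with the sample a service expects. The messages are constructed, unsigned skeletons; the function names, labels and the `CertId-1` id are assumptions of this example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS + "wssecurity-secext-1.0.xsd"
WSU = WSS + "wssecurity-utility-1.0.xsd"

def keyinfo_styles(xml_text):
    """Return one label per ds:KeyInfo, naming how it identifies the key."""
    root = ET.fromstring(xml_text)
    # wsu:Id of every BinarySecurityToken carried in the message
    bst_ids = {b.get(f"{{{WSU}}}Id")
               for b in root.iter(f"{{{WSSE}}}BinarySecurityToken")}
    styles = []
    for ki in root.iter(f"{{{DS}}}KeyInfo"):
        str_el = ki.find(f"{{{WSSE}}}SecurityTokenReference")
        if ki.find(f"{{{DS}}}X509Data/{{{DS}}}X509Certificate") is not None:
            styles.append("embedded-x509certificate")
        elif str_el is None:
            styles.append("unknown")
        elif (ref := str_el.find(f"{{{WSSE}}}Reference")) is not None:
            uri = ref.get("URI", "")
            # a direct reference is only usable if its target token is present
            found = uri.startswith("#") and uri[1:] in bst_ids
            styles.append("direct-reference" if found
                          else "direct-reference-dangling")
        elif (kid := str_el.find(f"{{{WSSE}}}KeyIdentifier")) is not None:
            styles.append("key-identifier:"
                          + kid.get("ValueType", "").rsplit("#", 1)[-1])
        else:
            styles.append("unknown")
    return styles

def sample(header_token, keyinfo_body):
    """Constructed, unsigned skeleton holding only the elements inspected."""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
            f'xmlns:ds="{DS}">{header_token}<ds:Signature><ds:KeyInfo>'
            f'{keyinfo_body}</ds:KeyInfo></ds:Signature></wsse:Security>')

CERT = "BASE64-CERT-PLACEHOLDER"  # placeholder, not a real certificate
BST = f'<wsse:BinarySecurityToken wsu:Id="CertId-1">{CERT}</wsse:BinarySecurityToken>'
# Shape the service's sample message uses: certificate inside KeyInfo
EMBEDDED = sample("", f"<ds:X509Data><ds:X509Certificate>{CERT}"
                      "</ds:X509Certificate></ds:X509Data>")
# Shape produced with directReference: token in header, KeyInfo points at it
DIRECT = sample(BST, '<wsse:SecurityTokenReference><wsse:Reference '
                     'URI="#CertId-1"/></wsse:SecurityTokenReference>')

if __name__ == "__main__":
    for name, msg in (("embedded", EMBEDDED), ("direct", DIRECT)):
        print(name, keyinfo_styles(msg))
```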