Posted to wss4j-dev@ws.apache.org by Oliver Wulff <ol...@zurich.ch> on 2008/06/30 19:38:20 UTC

PKCS12 support with Merlin

Hi there

I use WSS4J 1.5.1.

I've created the following merlin properties file:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.keystore.alias=1
org.apache.ws.security.crypto.merlin.alias.password=changeit
org.apache.ws.security.crypto.merlin.file=TestService.p12

I can list the content of the p12 file with keytool like this:
keytool -list -alias 1 -keystore TestService.p12 -storetype pkcs12 -v

The alias "1" seems to exist:
Alias name: 1
Creation date: 30.06.2008
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
......

In the code I do the following:
import java.util.Vector;
import org.apache.ws.security.SOAP11Constants;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;

WSSecEncrypt encryptor = new WSSecEncrypt();
Crypto crypto = CryptoFactory.getInstance("server.properties");
java.security.cert.X509Certificate[] certs = crypto.getCertificates("1");
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
// SOAP 1.1 constants (this declaration was missing from the snippet as posted)
SOAPConstants soapconstants = new SOAP11Constants();
Vector<WSEncryptionPart> parts = new Vector<WSEncryptionPart>();
WSEncryptionPart part = new WSEncryptionPart(soapconstants
            .getBodyQName().getLocalPart(), soapconstants
            .getEnvelopeURI(), "Content");
parts.add(part);
encryptor.setParts(parts);
encryptor.setUserInfo("1");   // alias of the recipient certificate in the keystore
doc = encryptor.build(doc, crypto, secHeader);

but I get the following exception:

org.apache.ws.security.WSSecurityException: General security error
(Unexpected number of X509Data: for Encryption)
      at org.apache.ws.security.message.WSSecEncrypt.prepare
(WSSecEncrypt.java:211)
      at org.apache.ws.security.message.WSSecEncrypt.build
(WSSecEncrypt.java:253)


If I use a java keystore, it works.

Thanks for your help
Oliver







******************* PLEASE NOTE *******************
This message (and any attachments to it) may contain confidential or
legally protected data or information. It is intended exclusively for
the named recipient(s). If you have received this message in error, you
are kindly asked to destroy it without making any copies and to notify
the sender immediately. Thank you for your help.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: Antwort: RE: PKCS12 support with Merlin

Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Hi Oliver,

From a quick investigation, it appears that the problem only occurs for pkcs12 files which do not have the "alias" set properly, i.e. it shows up as "1" or "2".

For example, for the file keys/keystore.p12 in the wss4j trunk:

openssl pkcs12 -in keystore.p12 -clcerts
Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 57 E4 6A 08 06 2B 6E 0E DF 67 95 B3 54 B5 84 34 BA 5D 7A 81
    friendlyName: dims

Note the "friendlyName" attribute. However, when this is missing, the alias shows up as "1" or "2" when inspected using keytool, and BouncyCastle appears to use the SHA-1 of the certificate instead. 

Interestingly, using a different provider gives a different result, i.e. if you modify the Merlin properties file to add:

org.apache.ws.security.crypto.merlin.keystore.provider=SunJSSE

Inspecting the same keystore (with no friendlyName) using this provider yields the alias "1".

Colm.
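To make the provider dependence Colm describes visible on your own file, here is an added example (written for this page; it is not code from the thread or from WSS4J). It loads a PKCS#12 file through the JDK default lookup and then through every installed provider that offers a PKCS12 KeyStore, and prints each alias next to its entry type and the lower-case hex SHA-1 fingerprint of its certificate. It assumes the .p12 path and store password are passed as command-line arguments, registers BouncyCastle only if it happens to be on the classpath, and the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not part of the thread or of WSS4J.
 * Shows how the alias of a PKCS#12 entry depends on the KeyStore provider
 * that reads the file: without a friendlyName bag attribute, SunJSSE reports
 * a synthetic alias such as "1", while BouncyCastle reports the certificate's
 * SHA-1 hash. The value of merlin.keystore.alias must match what the provider
 * Merlin actually loads the store with reports.
 *
 * Usage: java Pkcs12AliasProbe TestService.p12 changeit
 */
public class Pkcs12AliasProbe {

    /** Lower-case hex SHA-1 over the DER encoding of a certificate. */
    static String sha1Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * Load the file with the given provider (null = JDK default lookup) and
     * return alias -> "entryType sha1(cert)" in the provider's own order.
     */
    static Map<String, String> aliases(String file, char[] password, Provider p) throws Exception {
        KeyStore ks = (p == null) ? KeyStore.getInstance("PKCS12")
                                  : KeyStore.getInstance("PKCS12", p);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);   // also verifies the PKCS#12 integrity MAC
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);   // end-entity cert for key entries
            String type = ks.isKeyEntry(alias) ? "keyEntry" : "trustedCertEntry";
            out.put(alias, type + " " + (cert == null ? "(no certificate)" : sha1Hex(cert)));
        }
        return out;
    }

    /** Register BouncyCastle if it is on the classpath but not yet installed. */
    static void registerBouncyCastleIfPresent() {
        if (Security.getProvider("BC") != null) {
            return;
        }
        try {
            Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            Security.addProvider(bc);
        } catch (ReflectiveOperationException e) {
            // No BouncyCastle on the classpath: only the JDK providers get probed.
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: Pkcs12AliasProbe <file.p12> <store password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        registerBouncyCastleIfPresent();

        System.out.println("== default lookup (same as keytool without -providername) ==");
        aliases(args[0], password, null).forEach((a, v) -> System.out.println(a + "  " + v));

        Provider[] providers = Security.getProviders("KeyStore.PKCS12");
        if (providers == null) {
            return;
        }
        for (Provider p : providers) {
            System.out.println("== provider " + p.getName() + " ==");
            try {
                aliases(args[0], password, p).forEach((a, v) -> System.out.println(a + "  " + v));
            } catch (Exception e) {
                // A provider may reject a file another one accepts; report it, do not abort.
                System.out.println("  load failed: " + e);
            }
        }
    }
}
```

Compare the alias column from the provider Merlin uses (set with org.apache.ws.security.crypto.merlin.keystore.provider, otherwise the default lookup) against the fingerprint column, ignoring case and the colon separators keytool prints. Whether a friendlyName is present can be checked with openssl pkcs12 -in TestService.p12 -clcerts -nokeys, as in Colm's listing above; re-exporting the key and certificate with openssl pkcs12 -export -name <alias> -inkey key.pem -in cert.pem -certfile chain.pem -out TestService.p12 sets the friendlyName, so the same alias works regardless of which provider loads the file.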





RE: Antwort: RE: PKCS12 support with Merlin

Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Oliver,

Can you attach your keystore and I'll take a look?

Colm.


Antwort: RE: PKCS12 support with Merlin

Posted by Oliver Wulff <ol...@zurich.ch>.
Hi Colm

I've found the following message:
http://marc.info/?l=wss4j-dev&m=115306290420476&w=2

Even though keytool tells me that the alias is "1", I have to use the SHA1
fingerprint as the alias to access the certificate. After this update, it
works fine.
Is this a bug in WSS4J or anywhere else?

Thanks
Oliver



                                                                                                                                        

RE: PKCS12 support with Merlin

Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Hi Oliver,

WSS4J does support using PKCS12 via the Merlin properties file, I ran the following test using the mainline and it worked fine:

Crypto.properties:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
org.apache.ws.security.crypto.merlin.alias.password=security
org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT

PKCS12 file:

keytool -list -alias 16c73ab6-b892-458f-abf5-2f875f74882e -keystore x509.PFX.MSFT -storetype pkcs12 -v

Enter keystore password:  security
Alias name: 16c73ab6-b892-458f-abf5-2f875f74882e
Creation date: 01-Jul-2008
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dims
Issuer: CN=dims
Serial number: 21614ef708d3c5924ec5c806b41a8655
Valid from: Mon May 12 17:41:17 BST 2003 until: Sat Dec 31 23:59:59 GMT 2039
Certificate fingerprints:
         MD5:  F1:43:38:7C:6B:6B:E0:FA:95:EC:9A:83:25:71:B1:2A
         SHA1: E5:EA:56:F4:68:4B:EA:CD:24:0B:D5:FD:7A:0B:11:67:DD:28:A1:E1

Code:

import org.w3c.dom.Document;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;

Document doc = unsignedEnvelope.getAsDocument();
WSSecEncrypt encryptor = new WSSecEncrypt();
Crypto crypto = CryptoFactory.getInstance("crypto.properties");
java.security.cert.X509Certificate[] certs =
    crypto.getCertificates("16c73ab6-b892-458f-abf5-2f875f74882e");
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
java.util.Vector parts = new java.util.Vector();
org.apache.ws.security.SOAPConstants soapConstants =
    new org.apache.ws.security.SOAP11Constants();
org.apache.ws.security.WSEncryptionPart part =
    new org.apache.ws.security.WSEncryptionPart(soapConstants
                    .getBodyQName().getLocalPart(), soapConstants
                    .getEnvelopeURI(), "Content");
parts.add(part);
encryptor.setParts(parts);
encryptor.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e");   // alias listed by keytool above
doc = encryptor.build(doc, crypto, secHeader);
         
I'm not sure whether it's supported in WSS4J 1.5.1 or not. Can you try your code with 1.5.4 to make sure? Otherwise, maybe your TestService.p12 is suspect.

Colm.


----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
