Posted to users@cxf.apache.org by Ted Roeloffzen <te...@gmail.com> on 2013/08/01 12:45:55 UTC
Re: CXF WS-security policy question
Hi Andrei,
The problem is that I don't have a keystore.
The certificate is loaded from the database.
kind regards,
Ted
2013/7/30 Andrei Shakirin <as...@talend.com>
> Hi Ted,
>
> I see that your crypto provider returns null for private keys and always
> returns false from verifyTrust().
> If you manage your private keys in a keystore, you should initialize the
> default WSS4J Merlin crypto provider with that keystore and delegate
> getPrivateKey() calls to Merlin.
> verifyTrust() must validate the certificate (you can just return true for a
> quick test).
>
> As a sample, look into the XKMS Crypto provider implementation contributed
> with XKMS:
> https://svn.apache.org/repos/asf/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto.
>
> You will find some information in my blog:
> http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html.
>
> Regards,
> Andrei.
>
> From: Ted Roeloffzen [mailto:ted.roeloffzen@gmail.com]
> Sent: Dienstag, 30. Juli 2013 11:51
> To: Andrei Shakirin
> Subject: Re: CXF WS-security policy question
>
> Hi all,
>
> This is a code snippet of what I'm doing.
>
> import java.security.PrivateKey;
> import java.security.PublicKey;
> import java.security.cert.X509Certificate;
> import javax.security.auth.callback.CallbackHandler;
>
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.phase.AbstractPhaseInterceptor;
> import org.apache.cxf.phase.Phase;
> import org.apache.cxf.ws.security.SecurityConstants;
> import org.apache.ws.security.components.crypto.CryptoBase;
> import org.apache.ws.security.components.crypto.CryptoType;
>
> public class TestCertificateProviderInterceptor extends AbstractPhaseInterceptor<Message>
> {
>     // Minimal Crypto provider wrapping a single certificate loaded from the database.
>     public static class TestCertificateHolder extends CryptoBase
>     {
>         protected X509Certificate trustedCert;
>
>         public TestCertificateHolder(X509Certificate trustedCert)
>         {
>             this.trustedCert = trustedCert;
>             setDefaultX509Identifier("");
>         }
>
>         @Override
>         public X509Certificate[] getX509Certificates(CryptoType cryptoType)
>         {
>             X509Certificate[] certificates = {trustedCert};
>             return certificates;
>         }
>
>         @Override
>         public String getX509Identifier(X509Certificate cert)
>         {
>             return null;
>         }
>
>         @Override
>         public PrivateKey getPrivateKey(X509Certificate certificate,
>                                         CallbackHandler callbackHandler)
>         {
>             return null;
>         }
>
>         @Override
>         public PrivateKey getPrivateKey(String identifier, String password)
>         {
>             return null;
>         }
>
>         @Override
>         @Deprecated
>         public boolean verifyTrust(X509Certificate[] certs)
>         {
>             return false;
>         }
>
>         @Override
>         public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation)
>         {
>             return false;
>         }
>
>         @Override
>         public boolean verifyTrust(PublicKey publicKey)
>         {
>             return false;
>         }
>     }
>
>     // CertificateHolder is the application's own accessor for the certificate stored in the database.
>     private CertificateHolder holder;
>
>     public TestCertificateProviderInterceptor(CertificateHolder holder)
>     {
>         super(Phase.PRE_LOGICAL);
>         this.holder = holder;
>     }
>
>     @Override
>     public void handleMessage(Message message) throws Fault
>     {
>         TestCertificateHolder store = new TestCertificateHolder(holder.getCertificate());
>
>         // Register the provider on the exchange so the WS-Security policy interceptors pick it up.
>         message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, store);
>     }
> }
> Could it be a problem that I'm not overriding the standard implementation
> of the verifyTrust-methods?
> kind regards,
>
> Ted Roeloffzen
>
>
> 2013/7/12 Andrei Shakirin <ashakirin@talend.com>
> Hi Ted,
>
> I used my own CryptoBase extension for signature and encryption, so basically
> it should work.
> How do you set the SIGNATURE_CRYPTO crypto, in configuration or in an
> interceptor? Do you apply it to the whole client or to a message?
>
> A simple test case will of course be very helpful. Absolutely not a problem
> to get it in two weeks or later.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Ted Roeloffzen [mailto:ted.roeloffzen@gmail.com]
> > Sent: Freitag, 12. Juli 2013 16:06
> > To: users; Colm O hEigeartaigh
> > Subject: Re: CXF WS-security policy question
> >
> > Hi Colm,
> >
> > I hoped there would be a quick fix for the problem, because I'm going on a
> > vacation tomorrow and won't be taking my laptop with me.
> > Because of my vacation I'm unable to create a test case or a patch.
> > If this problem is still there in 2 weeks, I would be happy to take a
> > look at it.
> >
> > kind regards,
> >
> > Ted
> >
> >
> > 2013/7/12 Colm O hEigeartaigh <coheigea@apache.org>
> >
> > > Hi Ted,
> > >
> > > It's likely there are some bugs in the code surrounding the use of
> > > such a Crypto implementation. Would it be possible to share a
> > > test-case or are you interested in providing a patch for this issue?
> > >
> > > Colm.
> > >
> > >
> > > On Fri, Jul 12, 2013 at 2:41 PM, Ted Roeloffzen <te...@gmail.com>
> > > wrote:
> > >
> > > > Hi Andrei,
> > > >
> > > > Thanks for your advice.
> > > > I created a class that implements Crypto, actually it extends CryptoBase,
> > > > but now I get the message: No callback handler and no password
> > > > available. Do I have to repeat the same thing here? Just create
> > > > somewhat of a dummy implementation of CallbackHandler?
> > > >
> > > > Kind regards,
> > > >
> > > > Ted
> > > >
> > > >
> > > > 2013/7/12 Andrei Shakirin <ashakirin@talend.com>
> > > >
> > > > > Hi Ted,
> > > > >
> > > > > I assume that your CertificateStore object implements the wss4j
> > > > > org.apache.ws.security.components.crypto.Crypto interface, does it?
> > > > > The reason why CXF needs the SIGNATURE_USERNAME property is the
> > > > > following: even a single CXF client can be used by multiple users
> > > > > having different private and public keys.
> > > > > Therefore the Crypto interface provides the method getX509Certificates()
> > > > > with a CryptoType argument that specifies the keystore alias (or other
> > > > > X509 identifier) to be used.
> > > > >
> > > > > If you always have only one user and a single certificate, you can
> > > > > provide any non-empty value in the Crypto.getDefaultX509Identifier()
> > > > > method and just ignore it in Crypto.getX509Certificates().
> > > > >
> > > > > Regards,
> > > > > Andrei.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ted Roeloffzen [mailto:ted.roeloffzen@gmail.com]
> > > > > > Sent: Freitag, 12. Juli 2013 11:31
> > > > > > To: users
> > > > > > Subject: CXF WS-security policy question
> > > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > I'm trying to create a webservice client that uses the security
> > > > > > policy which is specified in the WSDL.
> > > > > > As the certificate that is used for this client has to be loaded
> > > > > > from the database, I created an Interceptor that sets the
> > > > > > SIGNATURE_CRYPTO property with a CertificateStore object that
> > > > > > contains the correct certificate.
> > > > > > When I try to send a message I get the following error message:
> > > > > > No configured signature username detected
> > > > > >
> > > > > > Because there is only one certificate in the CertificateStore,
> > > > > > there is no need for a username. But nonetheless I get this error.
> > > > > >
> > > > > > Can anyone point me in the right direction?
> > > > > >
> > > > > > Great many thanks.
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Ted Roeloffzen
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
>
>
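Worked example, added here and not code from the thread or from CXF/WSS4J, of what Andrei's advice amounts to for the database-backed setup Ted describes: a CryptoBase extension that holds one certificate and its private key, returns a non-empty default identifier (so the "No configured signature username detected" check passes without SIGNATURE_USERNAME), hands the key back from getPrivateKey() without consulting a keystore password, and implements verifyTrust() as real PKIX chain validation against a configured set of trust anchors instead of a constant. It assumes the WSS4J 1.6 API the thread uses (org.apache.ws.security packages); the class name DatabaseCrypto, the fromDer() factory, the identifier string and the way DER bytes reach it are my own choices, and reading the BLOB columns from the database is left to the caller.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.apache.ws.security.components.crypto.CryptoType;

/** Crypto provider for a single identity whose certificate and key come from a database row (hypothetical). */
public class DatabaseCrypto extends CryptoBase {

    // Any non-empty value works as the default identifier; CXF only needs it to be present.
    private static final String IDENTIFIER = "db-client-key";

    private final X509Certificate cert;
    private final PrivateKey privateKey;
    private final Set<TrustAnchor> trustAnchors;

    public DatabaseCrypto(X509Certificate cert, PrivateKey privateKey, Set<TrustAnchor> trustAnchors) {
        this.cert = cert;
        this.privateKey = privateKey;
        this.trustAnchors = trustAnchors;
        setDefaultX509Identifier(IDENTIFIER);
    }

    /** Builds the provider from raw DER bytes as they would come out of BLOB columns (caller fetches them). */
    public static DatabaseCrypto fromDer(byte[] certDer, byte[] pkcs8Der, String keyAlgorithm,
                                         Set<TrustAnchor> trustAnchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certDer));
        PrivateKey key = KeyFactory.getInstance(keyAlgorithm).generatePrivate(new PKCS8EncodedKeySpec(pkcs8Der));
        return new DatabaseCrypto(cert, key, trustAnchors);
    }

    @Override
    public X509Certificate[] getX509Certificates(CryptoType cryptoType) {
        // Single identity: the requested alias is ignored, as Andrei suggests.
        return new X509Certificate[] { cert };
    }

    @Override
    public String getX509Identifier(X509Certificate certificate) {
        return cert.equals(certificate) ? IDENTIFIER : null;
    }

    @Override
    public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
            throws WSSecurityException {
        // There is no keystore password to unlock, so the callback handler is not consulted.
        if (!cert.equals(certificate)) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noPrivateKey");
        }
        return privateKey;
    }

    @Override
    public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException {
        if (!IDENTIFIER.equals(identifier)) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noPrivateKey");
        }
        return privateKey;
    }

    @Override
    @Deprecated
    public boolean verifyTrust(X509Certificate[] certs) throws WSSecurityException {
        return verifyTrust(certs, false);
    }

    @Override
    public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) throws WSSecurityException {
        // Validate the presented chain against the configured anchors; an invalid chain is an error, not "false".
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(certs));
            PKIXParameters params = new PKIXParameters(trustAnchors);
            params.setRevocationEnabled(enableRevocation);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                                          new Object[] { e.getMessage() }, e);
        }
    }

    @Override
    public boolean verifyTrust(PublicKey publicKey) {
        // A bare public key is trusted only if it belongs to our own certificate or to a trust anchor.
        if (publicKey.equals(cert.getPublicKey())) {
            return true;
        }
        for (TrustAnchor anchor : trustAnchors) {
            X509Certificate trusted = anchor.getTrustedCert();
            if (trusted != null && publicKey.equals(trusted.getPublicKey())) {
                return true;
            }
        }
        return false;
    }
}
```

The trust anchors are passed in separately because the signing identity and the set of issuers a client accepts on the response are different pieces of data; keeping verifyTrust() a real validation (rather than the `return true` shortcut meant only for a quick test) is what makes signature verification of incoming messages mean anything.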
RE: CXF WS-security policy question
Posted by Andrei Shakirin <as...@talend.com>.
Hi,
Not sure that it is a good idea to save private keys in the database, but if you have good reasons for that, just read the private key from the db, create a Java PrivateKey object and return it in the getPrivateKey() methods of the Crypto provider.
Regards,
Andrei.
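Added example, not code from the thread or from CXF, of the client-side wiring Andrei asks about earlier in the thread: applying a Crypto provider to the whole JAX-WS client through the request context rather than per message in an interceptor, together with a minimal CallbackHandler that satisfies the password lookup behind the "No callback handler and no password available" message when the key is not protected by a keystore password. It assumes CXF's org.apache.cxf.ws.security.SecurityConstants and WSS4J 1.6's WSPasswordCallback; the ClientSecuritySetup and NoKeystorePasswordCallback names are hypothetical, and the Crypto instance is whatever database-backed provider the application builds.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.components.crypto.Crypto;

/** Wires a Crypto provider into a JAX-WS client proxy for every request it sends (hypothetical helper). */
public final class ClientSecuritySetup {

    private ClientSecuritySetup() {
    }

    /**
     * Password callback that exists only so CXF finds a handler and a password for the signature user.
     * The Crypto provider owns the key material, so the value set here never unlocks anything.
     */
    public static final class NoKeystorePasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (pc.getUsage() == WSPasswordCallback.SIGNATURE) {
                    pc.setPassword("unused"); // placeholder: the private key is not password protected
                }
            }
        }
    }

    /**
     * Applies the WS-Security settings to the proxy's request context, i.e. to the whole client.
     * signatureUser may be null when the Crypto provider already returns a non-empty default identifier.
     */
    public static void configure(Object port, Crypto crypto, String signatureUser) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
        ctx.put(SecurityConstants.CALLBACK_HANDLER, new NoKeystorePasswordCallback());
        if (signatureUser != null) {
            ctx.put(SecurityConstants.SIGNATURE_USERNAME, signatureUser);
        }
    }
}
```

Putting the provider in the request context answers Andrei's "whole client or message" question in favour of the whole client; the interceptor approach in Ted's snippet is the per-message variant and is the right choice only when different messages must sign with different identities.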