Posted to fx-dev@ws.apache.org by Paul Grillo <Pa...@trivininc.com> on 2005/08/07 17:54:44 UTC

Accessing Public Certificate for Encryption

I have been working on trying to get a full circle set of services to
work with .NET and MS Policies, etc.  Started slow, making project with
axis, ws-addressing, and wss4j.

I've actually been successful and am now trying to set up the real
certificates and private keys I will be using.

I moved to a PKCS12 keystore that I'm managing with keyman.  I have a
private key and a public certificate that is linked to its CAs. (2 in
the hierarchy)

I have a question and a confirmation of what I've done.

==============

1) I am signing body parts and addresses with the private key. Note that
the private key doesn't have a password on it. That appears to work; I
am accessing the keystore properly, etc.

I am now "simply" trying to encrypt using a key in a public certificate.
When I looked at the certificate in keytool I really couldn't figure out
what the "identity" or "name" was that I should use.  It contained a
very long "belongs to" field, Issued by, Serial Number, Type of Key
(RSA/1024), Fingerprint, and a few other things.  I assume I need to
supply an ID in the encryptionUser parameter.  So, I decided to attach a
"label" using keyman to this certificate, called "whatever".

So my key parameters are:

        <parameter name="encryptionKeyIdentifier" value="X509KeyIdentifier"/>
        <parameter name="encryptionUser" value="whatever"/>

I've also tried different values for "encryptionKeyIdentifier".

When I run this I get:

- Initializing JAX-RPC handler org.apache.axis.message.addressing.handler.AxisClientSideAddressingHandler...

- Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]

unknown attr1.2.840.113549.1.9.22

unknown attr1.2.840.113549.1.9.22

unknown attr1.2.840.113549.1.9.22

{http://xml.apache.org/axis/}stackTrace:WSDoAllSender: Encryption: error during message processing
org.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Encryption)

It appears to be happening on the line:

            X509Certificate[] certs = crypto.getCertificates(user);

where user = "whatever" and certs comes back with nothing.

So it appears I can't seem to get a reference to this certificate.

Are the parameters set up correctly?  Is there something somebody could
suggest?  I have gotten this to work with a certificate and alias in a
JKS formatted keystore, but I've got other problems getting stuff in and
out of that keystore.

Any help will be much appreciated.

If you've gotten this far, maybe somebody could confirm the following.

When signing with a private key, and the private key has no password
associated with it, I get a callback for a password in my callback class
but I am expected to return something or I get an exception for a null
password.  So I figured I'd send back the password of the keystore (not
the key), and that worked.  Interesting, since the keystore password had
already been supplied in the properties file.  So is the rule, when in
doubt and you have no password on a key or certificate, pass back the
keystore password?

Thanks again.
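A diagnostic that loads the PKCS12 file the way the JDK sees it, lists every alias with its entry type, and checks whether the alias intended for encryptionUser resolves to a certificate chain (added example, not from the original message or from WSS4J). It assumes the keystore path, store password and alias are passed as arguments, and that a keystore-backed crypto provider resolves the user by keystore alias in the same way; the latter is an assumption about Merlin's internals, not something stated in the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Lists the aliases a PKCS12 keystore exposes to Java and checks whether a
 * given alias (the candidate encryptionUser) resolves to a certificate.
 * Arguments are assumed: <keystore.p12> <storepass> <alias>.
 */
public class KeystoreAliasCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreAliasCheck <keystore.p12> <storepass> <alias>");
            System.exit(2);
        }
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        String alias = args[2];

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }

        // Print each alias exactly as the JDK reports it; this is the name the
        // alias-based lookup has to match, not the "belongs to" subject text.
        for (String a : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(a) ? "key entry (with chain)" : "trusted certificate";
            System.out.println("alias '" + a + "' -> " + kind);
        }

        // A key entry yields a chain; a certificate-only entry yields one cert.
        Certificate[] chain = ks.getCertificateChain(alias);
        Certificate single = ks.getCertificate(alias);
        if (chain == null && single == null) {
            System.out.println("alias '" + alias + "' not visible in this keystore");
            System.exit(1);
        }
        Certificate[] certs = (chain != null) ? chain : new Certificate[] { single };
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  subject: " + x.getSubjectX500Principal());
            System.out.println("  issuer:  " + x.getIssuerX500Principal());
            System.out.println("  serial:  " + x.getSerialNumber().toString(16));
        }
    }
}
```

If the label assigned in keyman does not appear in the listing at all, the entry is not reachable by alias from Java regardless of what encryptionUser is set to; note that JDK releases before 8 only expose PKCS12 key entries with their chains, not certificate-only entries.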