Posted to c-user@axis.apache.org by Manjula Peiris <ma...@wso2.com> on 2007/08/14 13:20:30 UTC

RE: [Rampart/C | Neethi/C] Possible to get the current x509security certificate from a policy?

On Tue, 2007-08-14 at 09:34 +0100, Jamie Lyon wrote:

Hi Jamie,

Neethi/C Security policy extension is for building and ordering the
security header. It has nothing to do with the content of the payload.
So in your requirement to include the security token in the payload you
need to do it on your own. You can use OpenSSL directly to read from
certificate or can use methods in rampart/src/omxmlsec/openssl
separately. Please see rampart/src/omxmlsec/openssl/x509.C to get an
idea of using OpenSSL functions.

Thanks
-Manjula.



> Sorry for not being overly clear.
> 
> Basically I've loaded a policy using:
> neethi_policy* policy = neethi_util_create_policy_from_file( axisEnv,
> fileName );
> 
> Then applied it to the service client using:
> axis2_svc_client_set_policy( svcClient, axisEnv, policy );
> 
> Now if possible I would like to be able to get the OpenSSL structures
> (i.e. the struct named 'X509'); or just some way of obtaining the
> subject DN and certificate string from the certificate in that policy.
> 
> I suppose the filename of that certificate would also suffice, as I
> could then load it in manually, though a pre-loaded one would be
> preferable.
> 
> The ultimate goal is to access the current security token to include it
> in my message payload (not as part of the security header, or
> ws-security, which is why I was wary about mentioning rampart).
> 
> Hopefully that clears things up :)
> 
> Cheers,
> Jamie
> 
> 
> > -----Original Message-----
> > From: Manjula Peiris [mailto:manjula@wso2.com]
> > Sent: 14 August 2007 05:01
> > To: Apache AXIS C User List
> > Subject: Re: [Rampart/C | Neethi/C] Possible to get the current
> > x509security certificate from a policy?
> > 
> > Hi Jamie,
> > 
> > Please see my comments inline. BTW Your requirement is not very clear.
> > Can you please emphasize more on this.
> > 
> > 
> > On Mon, 2007-08-13 at 16:51 +0100, Jamie Lyon wrote:
> > > Hi,
> > >
> > >
> > >
> > > Is it possible to get the OpenSSL construct (or some other form) of
> > > policy out of the current neethi policy?
> > OpenSSL functions are called from Rampart/C, not through Neethi. Here
> > what do You mean by OpenSSL construct of policy?
> > 
> > 
> > > I'm basically trying to get the subjectDN and base64 encoded cert to
> > > include in my message. I can encode the data to a base64 string from a
> > > char array, so no worries there, so long as I can somehow access the
> > > data.
> > If you have the buffer containing the base64 string of the key you can
> > attach it to the message by setting it in the rampart_context. You can
> > use the following functions,
> > 
> > rampart_context_set_certificate() and
> > rampart_context_set_certificate_type.
> > 
> > But to do this you need to create a rampart_context outside of rampart
> > and set it as a value in an axis2_parameter called RAMPART_CONFIGURATION.
> > Otherwise you need to change the code.
> > 
> > -Manjula
> > >
> > >
> > >
> > > Any suggestions are highly welcome.
> > >
> > >
> > >
> > > Cheers,
> > > Jamie
> > >
> > >
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-c-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-c-user-help@ws.apache.org


RE: [Rampart/C | Neethi/C] Possible to get the current x509security certificate from a policy?

Posted by Jamie Lyon <jl...@it-innovation.soton.ac.uk>.
Excellent, the following code works fine. Thanks very much for your
help.

-----

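/* `policy` is the neethi_policy_t* loaded earlier with
   neethi_util_create_policy_from_file(). */
rp_secpolicy_t* secPolicy = rp_secpolicy_builder_build( axisEnv, policy );

rampart_context_t* context = rampart_context_create( axisEnv );
rampart_context_set_secpolicy( context, axisEnv, secPolicy );
axis2_char_t* filename = rampart_context_get_certificate_file( context, axisEnv );

/* Load the certificate before freeing the context, in case the filename
   string is owned by the context. */
X509* cert = NULL;
openssl_x509_load_from_pem( axisEnv, filename, &cert );

rampart_context_free( context, axisEnv );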

-----

Cheers,
Jamie
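
Added example (not part of the posts in this thread, and not Rampart/C code): once the certificate filename from the policy is known, the base64 "certificate string" wanted for the payload is the body of the PEM CERTIFICATE block, so it can be taken from the file contents without re-encoding. The function name pem_cert_body, its result codes and the sample inputs are assumptions of this example; it refuses any input that also carries a private key block, since PEM files often bundle key and certificate.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Result codes (names are this example's own, not from Rampart/C or OpenSSL). */
enum { PEM_NO_CERT = -1, PEM_HAS_PRIVATE_KEY = -2, PEM_BAD_BASE64 = -3, PEM_TOO_SMALL = -4 };

/* Constructed sample inputs: placeholder base64, not real certificates or keys. */
static const char SAMPLE_CERT_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQt\n"
    "U0FNUExF\n"
    "-----END CERTIFICATE-----\n";
static const char SAMPLE_BUNDLE_PEM[] =
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQt\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQt\n"
    "-----END CERTIFICATE-----\n";

static int is_b64(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/';
}

/*
 * Copy the base64 body of the first CERTIFICATE block in `pem` into `out`
 * (NUL-terminated, line breaks removed). Returns the body length or a
 * negative PEM_* code. Input carrying any "... PRIVATE KEY" block is
 * refused outright so key material cannot end up in a message payload.
 */
int pem_cert_body(const char *pem, char *out, size_t out_size)
{
    const char *p, *end;
    size_t n = 0, pad = 0;

    if (strstr(pem, "PRIVATE KEY-----") != NULL)
        return PEM_HAS_PRIVATE_KEY;
    p = strstr(pem, PEM_BEGIN);
    if (p == NULL)
        return PEM_NO_CERT;
    p += strlen(PEM_BEGIN);
    end = strstr(p, PEM_END);
    if (end == NULL)
        return PEM_NO_CERT;
    for (; p < end; p++) {
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t')
            continue;
        if (*p == '=') {
            if (++pad > 2) return PEM_BAD_BASE64;
        } else if (!is_b64(*p) || pad > 0) {
            return PEM_BAD_BASE64;      /* bad character, or data after padding */
        }
        if (n + 1 >= out_size)
            return PEM_TOO_SMALL;
        out[n++] = *p;
    }
    if (n == 0 || n % 4 != 0)
        return PEM_BAD_BASE64;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char body[64];
    printf("cert only: %d\n", pem_cert_body(SAMPLE_CERT_PEM, body, sizeof body));
    printf("key+cert bundle: %d\n", pem_cert_body(SAMPLE_BUNDLE_PEM, body, sizeof body));
    return 0;
}
```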

> -----Original Message-----
> From: Manjula Peiris [mailto:manjula@wso2.com]
> Sent: 15 August 2007 10:16
> To: Apache AXIS C User List
> Subject: RE: [Rampart/C | Neethi/C] Possible to get the
> currentx509securitycertificate from a policy?
> 
> Hi Jamie,
> 
> See my comments in line.
> 
> On Tue, 2007-08-14 at 12:38 +0100, Jamie Lyon wrote:
> > Thanks, that part is fine -- there's some very useful helper functions
> > there.
> >
> > My primary question however is that in my policy.xml I've got:
> > <rampc:RampartConfig
> > xmlns:rampc="http://ws.apache.org/rampart/c/policy">
> > <rampc:Certificate>/my/path/mycert.pem</rampc:Certificate>
> > <rampc:PrivateKey>/my/path/mykey.pem</rampc:PrivateKey>
> > </rampc:RampartConfig>
> >
> > This works fine, and the correct certificates/keys are included in
> > rampart, but I can't work out how, in code, to get the filenames listed
> > in policy.xml. This is why I mention neethi -- I want to be able to
> > access some of the information in that loaded policy, but I can't seem
> > to work out the correct way of doing so.
> >
> > In pseudo-code, this is what I'd like to be able to do:
> > neethi_policy_t* policy = neethi_util_create_policy_from_file( axisEnv,
> > filename );
> Security policy extension creates a secpolicy object from this policy
> object using rp_secpolicy_builder_build() method in
> neethi/secpolicy/builder/secpolicy_builder.c
> 
> Then this secpolicy is stored in a struct called rampart_context which
> keeps all the rampart configurations.
> 
> >
> > ///*************** This line is what I need to be able to do********
> > char* certFilename = get_certificate_filename_from_policy( policy );
> > ///*****************************************************************
> So to get the certFilename you need to call the following function in
> the rampart context (rampart/src/util/rampart_context.c):
> rampart_context_get_certificate_file()
> 
> 
> > X509* cert;
> > openssl_x509_load_from_pem( axisEnv, certFilename, &cert );
> >
> > Thanks,
> > Jamie


RE: [Rampart/C | Neethi/C] Possible to get the current x509security certificate from a policy?

Posted by Manjula Peiris <ma...@wso2.com>.
Hi Jamie,

See my comments in line.

On Tue, 2007-08-14 at 12:38 +0100, Jamie Lyon wrote:
> Thanks, that part is fine -- there's some very useful helper functions
> there.
> 
> My primary question however is that in my policy.xml I've got:
> <rampc:RampartConfig
> xmlns:rampc="http://ws.apache.org/rampart/c/policy">
> <rampc:Certificate>/my/path/mycert.pem</rampc:Certificate>
> <rampc:PrivateKey>/my/path/mykey.pem</rampc:PrivateKey>
> </rampc:RampartConfig>
> 
> This works fine, and the correct certificates/keys are included in
> rampart, but I can't work out how, in code, to get the filenames listed
> in policy.xml. This is why I mention neethi -- I want to be able to
> access some of the information in that loaded policy, but I can't seem
> to work out the correct way of doing so.
> 
> In pseudo-code, this is what I'd like to be able to do:
> neethi_policy_t* policy = neethi_util_create_policy_from_file( axisEnv,
> filename );
Security policy extension creates a secpolicy object from this policy
object using rp_secpolicy_builder_build() method in
neethi/secpolicy/builder/secpolicy_builder.c

Then this secpolicy is stored in a struct called rampart_context which
keeps all the rampart configurations. 

> 
> ///*************** This line is what I need to be able to do********
> char* certFilename = get_certificate_filename_from_policy( policy );
> ///*****************************************************************
So to get the certFilename you need to call the following function in
the rampart context (rampart/src/util/rampart_context.c):
rampart_context_get_certificate_file()


> X509* cert; 
> openssl_x509_load_from_pem( axisEnv, certFilename, &cert );
> 
> Thanks,
> Jamie


RE: [Rampart/C | Neethi/C] Possible to get the current x509security certificate from a policy?

Posted by Jamie Lyon <jl...@it-innovation.soton.ac.uk>.
Thanks, that part is fine -- there's some very useful helper functions
there.

My primary question however is that in my policy.xml I've got:
<rampc:RampartConfig
xmlns:rampc="http://ws.apache.org/rampart/c/policy">
<rampc:Certificate>/my/path/mycert.pem</rampc:Certificate>
<rampc:PrivateKey>/my/path/mykey.pem</rampc:PrivateKey>
</rampc:RampartConfig>

This works fine, and the correct certificates/keys are included in
rampart, but I can't work out how, in code, to get the filenames listed
in policy.xml. This is why I mention neethi -- I want to be able to
access some of the information in that loaded policy, but I can't seem
to work out the correct way of doing so.

In pseudo-code, this is what I'd like to be able to do:
neethi_policy_t* policy = neethi_util_create_policy_from_file( axisEnv,
filename );

///*************** This line is what I need to be able to do********
char* certFilename = get_certificate_filename_from_policy( policy );
///*****************************************************************

X509* cert;
openssl_x509_load_from_pem( axisEnv, certFilename, &cert );

Thanks,
Jamie
