Posted to users@cxf.apache.org by ma...@yahoo.com.INVALID on 2017/11/09 17:23:11 UTC

.Net and CXF Incompatibility

Hi,

I am integrating WCF client with CXF web service using JAX-WS.

A certificate with issuer that includes an email option "E=email@email.com" is sent from the client to the server with the issuer name as part of the security header in the message.

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <o:SecurityTokenReference>
    <X509Data>
      <X509IssuerSerial>
        <X509IssuerName>E=email@email.com ..</X509IssuerName>

But X500Principal.java currently does not accept E as a valid type, so the request fails, throwing an exception in X500Principal.java:

java.io.IOException: Invalid keyword "E"

.NET WCF does not replace the issuer name in the header with an RDN - 1.2.840.113549.1.9.1; if it did that, it should work.

But I am looking for a workaround here. Has anyone run into this issue?

Mark


RE: .Net and CXF Incompatibility

Posted by ma...@yahoo.com.INVALID.
I also tried configuring the bouncy castle to start at runtime and also listed it as a security provider with the java jre with no luck.

I can’t exactly see if that code is being called in IntelliJ. It is giving some message where the byte code is different from the source code and the downloaded sources don’t match exactly.

The test case would be calling CXF from WCF and dictating a signed and encrypted data element configured with certificates that are issued by signing authority that has the E instead of EMAILADDRESS in the subject.

I will see if I can build a sample that does not have the business logic in it to reproduce this. But let me know if anything else rings a bell.

Thanks again!

 


Re: .Net and CXF Incompatibility

Posted by Colm O hEigeartaigh <co...@apache.org>.
No, I would have thought that should be enough. Do you have access to a
debugger? If so can you see if the BouncyCastle parsing code is being
called in Merlin? Failing that if you have a test-case I can take a look.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: .Net and CXF Incompatibility

Posted by ma...@yahoo.com.INVALID.
 I saw that comment in the source code but didn't get the full picture.

I tried this version of bouncy.

<!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on -->
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.58</version>
</dependency>

With this CXF but it didn't seem to pick it up.  Is there any other config that I missed?

Thank you!  This would be a big lifesaver if it is working.

<apache.cxf.version>3.2.0</apache.cxf.version>

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-spring-boot-starter-jaxws</artifactId>
    <version>${apache.cxf.version}</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.cxf/cxf-rt-ws-security -->
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-ws-security</artifactId>
    <version>${apache.cxf.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-frontend-jaxws</artifactId>
    <version>${apache.cxf.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-transports-http</artifactId>
    <version>${apache.cxf.version}</version>
</dependency>




Re: .Net and CXF Incompatibility

Posted by Colm O hEigeartaigh <co...@apache.org>.
Apache WSS4J has special support to use BouncyCastle to parse the
IssuerName, if BouncyCastle is available. See the comment here:

https://github.com/apache/wss4j/blob/b8d4f1b29e98c53edeb0ffdf1dc4a90382e9fd9e/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L943

So if BouncyCastle is added to your classpath it should hopefully work.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
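
A small diagnostic for the two points raised in this thread (the JDK rejecting the "E" keyword, and whether BouncyCastle is actually visible on the classpath), added here as an example; it is not code from the thread, CXF or WSS4J. The issuer DN is a constructed sample, the class name IssuerNameCheck is hypothetical, and the BouncyCastle class it looks up (org.bouncycastle.asn1.x500.X500Name) is an assumption about what the linked Merlin code loads.

```java
import java.lang.reflect.Constructor;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

public class IssuerNameCheck {
    // OID of the emailAddress attribute, as quoted in the thread.
    static final String EMAIL_OID = "1.2.840.113549.1.9.1";

    // Constructed sample issuer DN; the real one is elided in the thread.
    static final String WCF_ISSUER = "E=email@email.com, CN=Example CA, O=Example";

    // Assumption: this is the BouncyCastle class the WSS4J fallback depends on.
    // Returns null when BouncyCastle is not visible to this class loader.
    static Constructor<?> findBouncyCastleName() {
        try {
            return Class.forName("org.bouncycastle.asn1.x500.X500Name")
                        .getConstructor(String.class);
        } catch (ReflectiveOperationException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Plain JDK parsing rejects the "E" keyword.
        try {
            new X500Principal(WCF_ISSUER);
            System.out.println("JDK parsed the name unexpectedly");
        } catch (IllegalArgumentException e) {
            System.out.println("JDK rejected it: " + e.getCause());
        }

        // 2. The OID form and an explicit keyword map both parse in the JDK.
        X500Principal byOid =
            new X500Principal(WCF_ISSUER.replaceFirst("^E=", EMAIL_OID + "="));
        X500Principal byMap =
            new X500Principal(WCF_ISSUER, Collections.singletonMap("E", EMAIL_OID));
        System.out.println("OID form equals keyword-map form: " + byOid.equals(byMap));

        // 3. Is BouncyCastle loadable here, and from which jar?
        Constructor<?> bc = findBouncyCastleName();
        if (bc == null) {
            System.out.println("BouncyCastle X500Name is not on the classpath");
        } else {
            Object name = bc.newInstance(WCF_ISSUER);
            System.out.println("BouncyCastle parsed it: " + name + " (loaded from "
                + name.getClass().getProtectionDomain().getCodeSource().getLocation() + ")");
        }
    }
}
```

Run it with the same classpath as the deployed service; step 3 reports which jar, if any, supplies the BouncyCastle class.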