Posted to wss4j-dev@ws.apache.org by he...@alice.it on 2006/06/19 00:53:46 UTC

[WSS4J 1.5] Verify signature of Certificate Authority in a x509 certificate inserted as security token

Hi All,

I've created a soap message then I've signed it with this method:

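/*************************************
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Vector;

import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;

import org.apache.axis.Message;
import org.apache.axis.message.SOAPEnvelope;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

public class signer2 {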
	
	public static void main(String arg[]){
		
		try{
			KeyStore ks = KeyStore.getInstance("PKCS12");
			InputStream in = new FileInputStream("e://x509pri.p12");
			ks.load(in, "1234567890".toCharArray());
			
			Enumeration aliases = ks.aliases();
			String alias=null;
			while(aliases.hasMoreElements())
			{	
			alias = (String)aliases.nextElement();
			System.out.println(alias);
			}
			
			SOAPMessage signedSOAPMsg=null;
			
			// Create the message factory
			MessageFactory messageFactory = MessageFactory.newInstance();

		    // Create a message.
			// createMessage() defines a new, empty message made up of a
			// main block (the "part") to which one or more attachments
			// can optionally be added. To populate the message correctly,
			// the envelope must be reached through the "part":
	
		    SOAPMessage message = messageFactory.createMessage();
			SOAPEnvelope env= new SOAPEnvelope();
			SOAPHeader hdr = env.getHeader();
			SOAPBody bdy = env.getBody();
			
		    Message axisMessage = new Message(env,null);
			SOAPEnvelope unsignedEnvelope = axisMessage.getSOAPEnvelope();
			Document doc = unsignedEnvelope.getAsDocument();
		    System.out.println(message);
			// WSSecSignature signs a SOAP envelope in accordance with the
			// WS Specification (X509 profile) and adds the data
			// to the envelope.
			WSSecSignature signer = new WSSecSignature();
			   
			
			String password = "1234567890";
			signer.setUserInfo(alias, password);
				  
			// create a vector of WSEncryptPart parts to sign, both the soap body
		    //and the attachments
			SOAPConstants soapConstants =WSSecurityUtil.getSOAPConstants(unsignedEnvelope);
				    
			Vector parts = new Vector();
			  
			// add the body part
			String localPart = soapConstants.getBodyQName().getLocalPart();
			String envelopeURI = soapConstants.getEnvelopeURI();         
			WSEncryptionPart body = new WSEncryptionPart(localPart, envelopeURI, "Content");
			  
			parts.add(body);
			System.out.println(body);  
			// how to add the attachment part?????         
			signer.setParts(parts);
				  
			// The "build" method, creates the signed SOAP envelope.
			// It takes a SOAP Envelope as a W3C Document and adds
			// a WSS Signature header to it. The signed elements
			// depend on the signature parts that are specified by
			// the WSBaseMessage.setParts(java.util.Vector parts)
			// method. By default, SOAP Body is signed.
			// The "crypto" parameter is the object that implements
			// access to the keystore and handling of certificates.
			// A default implementation is included:
			// org.apache.ws.security.components.crypto.Merlin
			  
			WSSecHeader secHeader = new WSSecHeader();
	        secHeader.insertSecurityHeader(doc);
			Document signedDoc = signer.build(doc, CryptoFactory.getInstance(),secHeader);
			
			System.out.println("il messaggio è stato creato e firmato correttamente");
			
			verify(signedDoc);
			
			// Convert the signed document into a SOAP message.
			signedSOAPMsg =  toSOAPMessage(signedDoc);
			System.out.println(signedSOAPMsg);
			} catch (Exception e) {
			  e.printStackTrace();
			}
	   }
public static SOAPMessage toSOAPMessage(Document doc) throws Exception {
		Canonicalizer c14n =Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS);
		byte[] canonicalMessage = c14n.canonicalizeSubtree(doc);
		ByteArrayInputStream in = new ByteArrayInputStream(canonicalMessage);
		MessageFactory factory = MessageFactory.newInstance();
		return factory.createMessage(null, in);
	
	}
}
***************************************************/

Now I've created a method that checks the signature of my SOAP message; this is the code:


/***********************************
static final WSSecurityEngine secEngine = new WSSecurityEngine();
	private static void verify(Document doc) throws Exception {
		         secEngine.processSecurityHeader(doc, null, null,CryptoFactory.getInstance() );
		         System.out.println("La firma del messaggio è valida");
		   }
*******************************/

But with this method I verify if the signature of the client is valid.
I have the x509 certificate of a CA on my application server, and I want my app server, when the signedDoc message arrives, to verify the signature of the client and the signature of the CA that is in the x509 certificate. Is it possible with wss4j?
Or do I need to send the x509 certificate of the client as an attachment with the signed SOAP message?

Thanks all for help.

Hermann


R: [WSS4J 1.5] Verify signature of Certificate Authority in a x509 certificate inserted as security token

Posted by Hermann <he...@alice.it>.
Hi Martin,
thanks for the example, now I'll try it, but I need some more help.

1) How can I modify the server deploy.wsdd in order to specify that the client
is using a binary security token?

2) <parameter name="user" value="michal"/>
   <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
Do I have to use these parameters, or aren't they necessary for my application?

3) When I create client.wsdd, do I have to specify

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http"
             pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Signature"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="cryptoSender.properties"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>

or WSDoAllReceiver as well?

4) I also want to add the CRL file to my app server; do I have to add it to the
cacerts keystore? And which method does all these checks when the signed
message arrives, so that when the signed SOAP message arrives it verifies the
signature of the client, the signature of the CA, and whether the certificate
is revoked?

Thanks a lot for your help. I need this for my degree, and sorry for all these
questions.

Hermann




-----Original Message-----
From: Martin Kuba [mailto:makub@ics.muni.cz]
Sent: Monday, 19 June 2006 10.59
To: hescot@alice.it
Cc: wss4j-dev@ws.apache.org
Subject: Re: [WSS4J 1.5] Verify signature of Certificate Authority in a x509
certificate inserted as security token

Hi Hermann,

for signing an outgoing message and then verifying both
unbroken signature and the acceptance of the signer, you don't
have to write any code, at least in Axis 1.4. I do the
following. I create a file named client-config.wsdd specifying signature
and verification:
(the name is important, otherwise you have to specify it using
-Daxis.ClientConfigFile=myfile.wsdd)


<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http"
             pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="cryptoSender.properties"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signaturePropFile" value="cryptoReceiver.properties"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>

The files cryptoSender.properties and cryptoReceiver.properties specify
the signing and verification. Their content should be in your case:

cryptoSender.properties:
------------------------
org.apache.ws.security.crypto.merlin.file=e://x509pri.p12
org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
org.apache.ws.security.crypto.merlin.keystore.password=1234567890

cryptoReceiver.properties:
--------------------------
org.apache.ws.security.crypto.merlin.file=cacerts.jks
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=aaa


where the file cacerts.jks contains your accepted CAs, and can
be created using:

keytool -import -keystore cacerts.jks -file theCAcert.pem

And yes, you should send the x509 certificate of the
signer with the message, it is done by the config parameter
<parameter name="signatureKeyIdentifier" value="DirectReference" />
otherwise just the DN of the CA and serial number of the certificate is 
sent, so the receiver would have to already have that certificate
to be able to verify the signature.

There is a small issue with the "passwordCallbackClass" parameter,
I have found that it is needed for me, but others say that it is not
needed when using JKS keystores. The class should provide
passwords for private keys.

Hope this helps.

Martin

hescot@alice.it wrote:
> 
> Hi All,
> 
> I've created a soap message then I've signed it with this method:
> 
> /*************************************
> public class signer2 {
>        
>         public static void main(String arg[]){
>                
>                 try{
>                         KeyStore ks = KeyStore.getInstance("PKCS12");
>                         InputStream in = new 
> FileInputStream("e://x509pri.p12");
>                         ks.load(in, "1234567890".toCharArray());
...
> But with this method I verify if the signature of the client is valid.
> I have the x509 certificate of a CA on my application server, and I want
> my app server, when the signedDoc message arrives, to verify the
> signature of the client and the signature of the CA that is in the x509
> certificate. Is it possible with wss4j?
> Or do I need to send the x509 certificate of the client as an attachment
> with the signed SOAP message?
> 
> Thanks all for help.
> 
> Hermann
> 


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: [WSS4J 1.5] Verify signature of Certificate Authority in a x509 certificate inserted as security token

Posted by Martin Kuba <ma...@ics.muni.cz>.
Hi Hermann,

for signing an outgoing message and then verifying both
unbroken signature and the acceptance of the signer, you don't
have to write any code, at least in Axis 1.4. I do the
following. I create a file named client-config.wsdd specifying signature
and verification:
(the name is important, otherwise you have to specify it using
-Daxis.ClientConfigFile=myfile.wsdd)


<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http"
             pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="cryptoSender.properties"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signaturePropFile" value="cryptoReceiver.properties"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>

The files cryptoSender.properties and cryptoReceiver.properties specify
the signing and verification. Their content should be in your case:

cryptoSender.properties:
------------------------
org.apache.ws.security.crypto.merlin.file=e://x509pri.p12
org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
org.apache.ws.security.crypto.merlin.keystore.password=1234567890

cryptoReceiver.properties:
--------------------------
org.apache.ws.security.crypto.merlin.file=cacerts.jks
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=aaa


where the file cacerts.jks contains your accepted CAs, and can
be created using:

keytool -import -keystore cacerts.jks -file theCAcert.pem

And yes, you should send the x509 certificate of the
signer with the message, it is done by the config parameter
<parameter name="signatureKeyIdentifier" value="DirectReference" />
otherwise just the DN of the CA and serial number of the certificate is 
sent, so the receiver would have to already have that certificate
to be able to verify the signature.

There is a small issue with the "passwordCallbackClass" parameter,
I have found that it is needed for me, but others say that it is not
needed when using JKS keystores. The class should provide
passwords for private keys.

Hope this helps.

Martin

hescot@alice.it wrote:
> 
> Hi All,
> 
> I've created a soap message then I've signed it with this method:
> 
> /*************************************
> public class signer2 {
>        
>         public static void main(String arg[]){
>                
>                 try{
>                         KeyStore ks = KeyStore.getInstance("PKCS12");
>                         InputStream in = new 
> FileInputStream("e://x509pri.p12");
>                         ks.load(in, "1234567890".toCharArray());
...
> But with this method I verify if the signature of the client is valid.
> I have the x509 certificate of a CA on my application server, and I want
> my app server, when the signedDoc message arrives, to verify the
> signature of the client and the signature of the CA that is in the x509
> certificate. Is it possible with wss4j?
> Or do I need to send the x509 certificate of the client as an attachment
> with the signed SOAP message?
> 
> Thanks all for help.
> 
> Hermann
> 


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------
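
What "acceptance of the signer" means on the receiving side, together with the CRL check asked about earlier in the thread, written against the JDK's own PKIX path validator. This is an added example, not code from the thread or from WSS4J; the keystore name and password are the ones in cryptoReceiver.properties above, while the class name and the two file arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical class name; illustrates the trust decision only, not the XML signature check.
public class SignerTrustCheck {

    /** Returns true only if signerCert chains to a CA in trustStore and is not revoked by crl. */
    static boolean isTrusted(X509Certificate signerCert, KeyStore trustStore, X509CRL crl)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // The path holds only the signer certificate; the issuing CA acts as trust anchor.
        CertPath path = cf.generateCertPath(Collections.singletonList(signerCert));

        // Every trusted-certificate entry in the keystore becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        // A CRL is not a keystore entry; it is handed to the validator through a CertStore.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));

        try {
            // Checks the CA's signature on signerCert, its validity period, and revocation.
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("Signer rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: signer certificate file, args[1]: CRL file (both hypothetical inputs)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Trust store and password as given in cryptoReceiver.properties.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("cacerts.jks")) {
            trustStore.load(in, "aaa".toCharArray());
        }
        X509Certificate signer;
        try (InputStream in = new FileInputStream(args[0])) {
            signer = (X509Certificate) cf.generateCertificate(in);
        }
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[1])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        System.out.println(isTrusted(signer, trustStore, crl) ? "trusted" : "rejected");
    }
}
```

With revocation enabled the validator fails closed: if the supplied CRL does not come from the issuing CA or is no longer current, the certificate is rejected rather than accepted.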
