Posted to fx-dev@ws.apache.org by Ed Sweet <ed...@gmail.com> on 2006/08/09 12:29:44 UTC

Basic Question: Keystore Setup

Hi,

Sorry if this is the wrong place to post a newbie question regarding the
setup of WSS4J - please direct me to a users list rather than dev list if
one exists.

I'd like to use WSS4J to sign and encrypt POX messages, I'm not using Axis
or SOAP. So I'm just getting into WSS4J and am trying to setup a keystore as
required by crypto.properties. I've used the procedure at the end of the
email to create a jks keystore, as this is the procedure I use to create a
working keystore for Tomcat (I guess it's the same procedure...)

Then, I've written a simple app to sign a static xml string, that goes
something like this:

// setup
Crypto crypto = CryptoFactory.getInstance();
Document doc = ...

// sign document
WSSecSignature wsSecSignature = new WSSecSignature();
Document signed = wsSecSignature.build(doc, crypto, new WSSecHeader());

When I run this, I get the following exception:

Exception in thread "main" java.lang.NullPointerException
    at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:40)
    at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:135)
    at java.security.KeyStore.getCertificateChain(KeyStore.java:756)
    at org.apache.ws.security.components.crypto.AbstractCrypto.getCertificates(AbstractCrypto.java:407)
    at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:272)
    at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:643)
    at test.Test.main(Test.java:xxx)

The NullPointerException when trying to 'convertAlias' seems to imply
there's something wrong with the keystore. The alias in the keystore and the
crypto.properties file match, so I'm stumped.

I'm very grateful for any help/advice you can offer. If this is a
stupid/basic question then I apologise in advance.

Thanks,

Ed.

====================

Keystore procedure:

1) From a .pem format key, cert and CA cert, create the keystore:

openssl pkcs12 -export -in cert.pem -inkey key.pem \
     -out store.p12 -name myAlias -CAfile cacrt.pem -caname root -chain

2) Convert the .p12 keystore to .jks format using:

org.mortbay.util.PKCS12Import store.p12 store.jks

3) Add the CA cert as a trusted CA cert.

keytool -import -trustcacerts -alias "CA Cert" -file cacrt.pem -keystore
store.jks

Re: Basic Question: Keystore Setup

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Ed,

On 8/9/06, Ed Sweet <ed...@gmail.com> wrote:
> Hi Ruchith,
>
> Thanks for the reply and your advice.
>
> I used setUserInfo() and this worked (well, it threw another exception, but
> not the same one as before), so this looks like this issue has been fixed.
> It's strange that you have to set the alias twice though, so I did a quick
> test. You can leave ' keystore.alias' and 'alias.password' blank in
> crypto.properties and this still works. I'd rather set it all in one place
> though...

I'm not sure WSS4J (Merlin crypto impl) recognises the alias.password
property you mentioned.

But org.apache.ws.security.crypto.merlin.keystore.alias is used as an
optional key that can be specified by the user. This will be used as
the key when a reference to the key cannot be found in the incoming
message (Security header) to decrypt or verify the signature. In the case
where it's used to decrypt, the password must be supplied through the
callback handler.

Thanks,
Ruchith

-- 
www.ruchith.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

Re: Basic Question: Keystore Setup

Posted by Ed Sweet <ed...@gmail.com>.
Hi Ruchith,

Thanks for the reply and your advice.

I used setUserInfo() and this worked (well, it threw another exception, but
not the same one as before), so this looks like this issue has been fixed.
It's strange that you have to set the alias twice though, so I did a quick
test. You can leave 'keystore.alias' and 'alias.password' blank in
crypto.properties and this still works. I'd rather set it all in one place
though...

Thanks for the links and reference to xmlsec - I'll check them out.

Ed.


On 09/08/06, Ruchith Fernando <ru...@gmail.com> wrote:
>
> Hi Ed,
>
> What is the alias of your private key? This should be available in the
> keystore. You have to set the private key alias along with its password in
> the WSSecSignature instance, as shown below:
>
> wsSecSignature.setUserInfo("privateKeyAlias", "privateKeyPasswd");
>
> BTW if you want to encrypt/sign POX then you can directly use the
> XML-Sec library. Also you can find a detailed tutorial on setting up
> keystores for a typical service and a client here [1]
>
> Thanks,
> Ruchith
>
> [1] http://www.wso2.net/tutorials/wss4j/2006/06/15/setting-up-keystores
>
> On 8/9/06, Ed Sweet <ed...@gmail.com> wrote:
> > Hi,
> >
> > Sorry if this is the wrong place to post a newbie question regarding the
> > setup of WSS4J - please direct me to a users list rather than dev list if
> > one exists.
> >
> > I'd like to use WSS4J to sign and encrypt POX messages, I'm not using Axis
> > or SOAP. So I'm just getting into WSS4J and am trying to setup a keystore as
> > required by crypto.properties. I've used the procedure at the end of the
> > email to create a jks keystore, as this is the procedure I use to create a
> > working keystore for Tomcat (I guess it's the same procedure...)
> >
> > Then, I've written a simple app to sign a static xml string, that goes
> > something like this:
> >
> > // setup
> > Crypto crypto = CryptoFactory.getInstance();
> > Document doc = ...
> >
> > // sign document
> > WSSecSignature wsSecSignature = new WSSecSignature();
> > Document signed = wsSecSignature.build(doc, crypto, new WSSecHeader());
> >
> > When I run this, I get the following exception:
> >
> > Exception in thread "main" java.lang.NullPointerException
> >     at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:40)
> >     at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:135)
> >     at java.security.KeyStore.getCertificateChain(KeyStore.java:756)
> >     at org.apache.ws.security.components.crypto.AbstractCrypto.getCertificates(AbstractCrypto.java:407)
> >     at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:272)
> >     at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:643)
> >     at test.Test.main(Test.java:xxx)
> >
> > The NullPointerException when trying to 'convertAlias' seems to imply
> > there's something wrong with the keystore. The alias in the keystore and the
> > crypto.properties file match, so I'm stumped.
> >
> > I'm very grateful for any help/advice you can offer. If this is a
> > stupid/basic question then I apologise in advance.
> >
> > Thanks,
> >
> > Ed.
> >
> > ====================
> >
> > Keystore procedure:
> >
> > 1) From a .pem format key, cert and CA cert, create the keystore:
> >
> > openssl pkcs12 -export -in cert.pem -inkey key.pem \
> >      -out store.p12 -name myAlias -CAfile cacrt.pem -caname root -chain
> >
> > 2) Convert the .p12 keystore to .jks format using:
> >
> > org.mortbay.util.PKCS12Import store.p12 store.jks
> >
> > 3) Add the CA cert as a trusted CA cert.
> >
> > keytool -import -trustcacerts -alias "CA Cert" -file cacrt.pem -keystore
> > store.jks
> >
> >
>
>
> --
> www.ruchith.org
>

Re: Basic Question: Keystore Setup

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Ed,

What is the alias of your private key? This should be available in the keystore.
You have to set the private key alias along with its password in the
WSSecSignature instance, as shown below:

wsSecSignature.setUserInfo("privateKeyAlias", "privateKeyPasswd");

BTW if you want to encrypt/sign POX then you can directly use the
XML-Sec library. Also you can find a detailed tutorial on setting up
keystores for a typical service and a client here [1]

Thanks,
Ruchith

[1] http://www.wso2.net/tutorials/wss4j/2006/06/15/setting-up-keystores

On 8/9/06, Ed Sweet <ed...@gmail.com> wrote:
> Hi,
>
> Sorry if this is the wrong place to post a newbie question regarding the
> setup of WSS4J - please direct me to a users list rather than dev list if
> one exists.
>
> I'd like to use WSS4J to sign and encrypt POX messages, I'm not using Axis
> or SOAP. So I'm just getting into WSS4J and am trying to setup a keystore as
> required by crypto.properties. I've used the procedure at the end of the
> email to create a jks keystore, as this is the procedure I use to create a
> working keystore for Tomcat (I guess it's the same procedure...)
>
> Then, I've written a simple app to sign a static xml string, that goes
> something like this:
>
> // setup
> Crypto crypto = CryptoFactory.getInstance();
> Document doc = ...
>
> // sign document
> WSSecSignature wsSecSignature = new WSSecSignature();
> Document signed = wsSecSignature.build(doc, crypto, new WSSecHeader());
>
> When I run this, I get the following exception:
>
> Exception in thread "main" java.lang.NullPointerException
>     at sun.security.provider.JavaKeyStore$JKS.convertAlias(JavaKeyStore.java:40)
>     at sun.security.provider.JavaKeyStore.engineGetCertificateChain(JavaKeyStore.java:135)
>     at java.security.KeyStore.getCertificateChain(KeyStore.java:756)
>     at org.apache.ws.security.components.crypto.AbstractCrypto.getCertificates(AbstractCrypto.java:407)
>     at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:272)
>     at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:643)
>     at test.Test.main(Test.java:xxx)
>
> The NullPointerException when trying to 'convertAlias' seems to imply
> there's something wrong with the keystore. The alias in the keystore and the
> crypto.properties file match, so I'm stumped.
>
> I'm very grateful for any help/advice you can offer. If this is a
> stupid/basic question then I apologise in advance.
>
> Thanks,
>
> Ed.
>
> ====================
>
> Keystore procedure:
>
> 1) From a .pem format key, cert and CA cert, create the keystore:
>
> openssl pkcs12 -export -in cert.pem -inkey key.pem \
>      -out store.p12 -name myAlias -CAfile cacrt.pem -caname root -chain
>
> 2) Convert the .p12 keystore to .jks format using:
>
> org.mortbay.util.PKCS12Import store.p12 store.jks
>
> 3) Add the CA cert as a trusted CA cert.
>
> keytool -import -trustcacerts -alias "CA Cert" -file cacrt.pem -keystore
> store.jks
>
>


-- 
www.ruchith.org
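An added worked example, not code from this thread or from the WSS4J project, that ties the two halves of the answer above together: the NullPointerException in Ed's trace is KeyStore.getCertificateChain(null) failing inside JKS.convertAlias, because WSSecSignature.prepare() asks the Crypto for the certificate chain of an alias that was never set. The program below first opens the JKS directly and checks that the configured alias exists and is a private-key entry (a trusted-cert entry like "CA Cert" from step 3 of the keystore procedure cannot sign), then signs using setUserInfo() as Ruchith describes. Assumptions: the WSS4J 1.5-era API already used in the thread (WSSecSignature.setUserInfo, WSSecSignature.build, WSSecHeader.insertSecurityHeader, CryptoFactory.getInstance(Properties)), the Merlin property names read from crypto.properties, a SOAP 1.1 envelope around the payload because WSS4J inserts its wsse:Security header into a SOAP Header, and placeholder values for the keystore path, alias and passwords. The key password is taken from the command line rather than written into crypto.properties.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Properties;

import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;

// Added example, not from the thread: pre-flight the keystore alias, then sign.
public class SignWithCheckedAlias {

    // Merlin property names as found in a WSS4J 1.5 crypto.properties (assumed)
    static final String KS_FILE  = "org.apache.ws.security.crypto.merlin.file";
    static final String KS_TYPE  = "org.apache.ws.security.crypto.merlin.keystore.type";
    static final String KS_PASS  = "org.apache.ws.security.crypto.merlin.keystore.password";
    static final String KS_ALIAS = "org.apache.ws.security.crypto.merlin.keystore.alias";

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /**
     * Fails early with a readable message instead of the NPE from JKS.convertAlias.
     * A null alias is exactly what KeyStore.getCertificateChain(null) chokes on;
     * an alias that only holds a trusted certificate has no private key to sign with.
     */
    static void checkSigningAlias(KeyStore ks, String alias) throws Exception {
        if (alias == null || alias.trim().length() == 0) {
            throw new IllegalStateException(
                "no signing alias configured: call setUserInfo() or set " + KS_ALIAS);
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias '" + alias + "' not present in keystore");
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(
                "alias '" + alias + "' is a trusted-cert entry, not a private key");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("alias '" + alias + "' has no certificate chain");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: SignWithCheckedAlias <private-key-password>");
            System.exit(2);
        }
        String keyPassword = args[0];

        // 1. Read the same crypto.properties that CryptoFactory.getInstance() would.
        Properties props = new Properties();
        InputStream in = SignWithCheckedAlias.class.getClassLoader()
                .getResourceAsStream("crypto.properties");
        props.load(in);
        in.close();
        String alias = props.getProperty(KS_ALIAS); // e.g. myAlias from "openssl ... -name myAlias"

        // 2. Pre-flight: open the JKS ourselves and validate the alias before WSS4J uses it.
        KeyStore ks = KeyStore.getInstance(props.getProperty(KS_TYPE, "jks"));
        FileInputStream fis = new FileInputStream(props.getProperty(KS_FILE));
        ks.load(fis, props.getProperty(KS_PASS).toCharArray());
        fis.close();
        checkSigningAlias(ks, alias);

        // 3. Build a minimal SOAP 1.1 envelope around the payload (constructed sample).
        String soap = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                    + "<soapenv:Body><order><id>42</id></order></soapenv:Body></soapenv:Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // WSS4J requires a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(soap.getBytes("UTF-8")));

        // 4. Sign. setUserInfo() is what makes WSSecSignature.prepare() call
        //    Crypto.getCertificates(alias) with a real alias instead of null.
        Crypto crypto = CryptoFactory.getInstance(props);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, keyPassword);
        Document signed = sig.build(doc, crypto, secHeader);

        int securityHeaders = signed.getElementsByTagNameNS(WSSE_NS, "Security").getLength();
        System.out.println("wsse:Security headers in signed document: " + securityHeaders);
    }
}
```

The pre-flight check is worth keeping in production code as well: a configuration mistake then surfaces as a clear "alias not present" or "not a private key" error at start-up rather than as a NullPointerException deep inside the JDK keystore provider on the first signed message.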