Posted to wss4j-dev@ws.apache.org by Glen Mazza <gl...@gmail.com> on 2008/07/24 23:53:21 UTC

Does WSS4J need key passwords to read public keys from a truststore?

Hello, I asked this question this morning on the CXF list--no response--but
since it seems to be at least as much WSS4J related as CXF-related, I was
wondering if anybody here could answer it:

http://www.nabble.com/KeystorePasswordCallback-in-CXF%27s-WS-Security-sample-tc18631505.html

Thanks,
Glen

Re: Does WSS4J need key passwords to read public keys from a truststore?

Posted by Glen Mazza <gl...@gmail.com>.
Indeed, WSS4J/CXF works fine here--it only needed key passwords when working
with private keys (signing and decrypting.)  My confusion was that our CXF
test case had a common Password Callback handler--used by both client and
service--which required it to hold both passwords.

Glen


Re: Does WSS4J need key passwords to read public keys from a truststore?

Posted by Glen Mazza <gl...@gmail.com>.
I want to make sure it is unneeded for encryption, but retained for
signatures.

I'm new at this, but encrypting, from the client's perspective, involves
working with the public key of the server.  That public key is stored in a
trust store for the client.  It should *not* require a callback password to
obtain the server's public key.  As far as I can tell, callbacks for key
passwords should only be needed when working with private keys--basically,
when the client is signing the SOAP message with its own private key.

Thanks,
Glen


Re: Does WSS4J need key passwords to read public keys from a truststore?

Posted by Fred Dushin <fa...@apache.org>.
Okay, maybe I misunderstood your question, then.

If you have to encrypt, then why are you trying to remove the callback?


Re: Does WSS4J need key passwords to read public keys from a truststore?

Posted by "Dittmann, Werner (NSN - DE/Muenich)" <we...@nsn.com>.
Reading a certificate (public key) from a keystore does not
require a password - no callback (if my memory serves me right :-)  )

Usually you need a password for the private key only:
- during creation of the Signature (signing is with private key)
- decryption requires the private key of the receiver to decrypt 
  the session key (sender encrypts this with public key of receiver)

Regards,
Werner

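The two cases from Werner's reply above, shown with the plain JDK KeyStore API instead of WSS4J itself. This is an added example, not code from the thread or from WSS4J/CXF; the alias, both passwords and the temporary JKS file are constructed, and it assumes the running JDK ships keytool under java.home/bin.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.crypto.Cipher;

public class KeyPasswordDemo {
    // Constructed demo values: alias and passwords are made up for this example.
    static final String ALIAS = "service";
    static final char[] STORE_PW = "storepass1".toCharArray();
    static final char[] KEY_PW = "keypass123".toCharArray();

    public static void main(String[] args) throws Exception {
        Path jks = Files.createTempDirectory("ksdemo").resolve("demo.jks");
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        // Throwaway JKS store; JKS lets the key password differ from the store password.
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", ALIAS,
                "-keyalg", "RSA", "-keysize", "2048", "-dname", "CN=demo-service",
                "-validity", "1", "-storetype", "JKS", "-keystore", jks.toString(),
                "-storepass", new String(STORE_PW), "-keypass", new String(KEY_PW))
                .inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jks)) {
            ks.load(in, STORE_PW); // store password covers the file, not the key entry
        }

        // Sender side (encrypt): only the certificate is read, no key password involved.
        PublicKey pub = ks.getCertificate(ALIAS).getPublicKey();
        byte[] sessionKey = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // constructed
        // RSA-OAEP stands in here for the key-transport step of message encryption.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrapped = rsa.doFinal(sessionKey);

        // Receiver side (decrypt): the private key is released only with the key password.
        try {
            ks.getKey(ALIAS, STORE_PW); // the store password is not the key password
            throw new AssertionError("private key released without the key password");
        } catch (UnrecoverableKeyException expected) {
            System.out.println("getKey with the wrong password: " + expected.getMessage());
        }
        Key priv = ks.getKey(ALIAS, KEY_PW);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        System.out.println("session key recovered: "
                + Arrays.equals(sessionKey, rsa.doFinal(wrapped)));
    }
}
```

Signing follows the same path as the decrypt half: it starts with getKey(alias, keyPassword), which is the value a password callback has to supply.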


Re: Does WSS4J need key passwords to read public keys from a truststore?

Posted by Glen Mazza <gl...@gmail.com>.
No, my goal is Sig/Encrypt/Timestamp.  Anyway, I'll continue coding it, and
let you know if it turns out that WSS4J is asking for a key (not keystore)
password to obtain a public certificate in a truststore.  I don't think it
will though.

Thanks,
Glen


Re: Does WSS4J need key passwords to read public keys from a truststore?

Posted by Fred Dushin <fa...@apache.org>.
Are you sure a callback is needed if your action is only Signature  
(and Timestamp)?  Y/Our client.xml [1] has Encrypt as an action.

You should not need a callback for signature only, I'm pretty sure,  
though my experience has been writing against lower-level WSS4J APIs.

Sorry, should be reading the CXF lists more closely...

-Fred

[1] http://svn.apache.org/viewvc/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/client.xml?revision=679390&view=markup
