Posted to users@ws.apache.org by Stefan Thurnherr <st...@gmail.com> on 2011/09/20 17:33:42 UTC

Two ways to set key to be used for WsSecSignature

Hi

I am trying to use wss4j 1.6.2 to sign a web services communication. Using a
keystore with my keypair, and the different
 org.apache.ws.security.crypto.merlin.keystore.*
properties, I can successfully sign the message (and the receiver
successfully verifies it).

However in my setting it would be much more convenient if I could just
specify the raw key pair to be used for every request. Looking for a
possibility to do this, I came across the following API:
  WSSecSignature#setSecretKey(byte[])
  WSSecSignature#setX509Certificate(X509Certificate)

What is the intention with this API? Is it supposed to be an alternative to
specifying a keystore (via properties above)? Or is the recommended way to
go via specifying a keystore (even if this means writing out the key pair to
a temp file upon every request)?

Would be great if anyone could shed some light on this!

Gruäss,
 stefan.

Re: Two ways to set key to be used for WsSecSignature

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Stefan,

> I came across the following API:
>   WSSecSignature#setSecretKey(byte[])
>   WSSecSignature#setX509Certificate(X509Certificate)
>
> What is the intention with this API?

The first method is to allow a Symmetric Key (encoded as a byte[]) to
be used for signature. The second method uses the supplied
X509Certificate to construct the KeyInfo. For this case you still need
to have access to the private key in the keystore.

> Or is the recommended way to
> go via specifying a keystore (even if this means writing out the key pair to
> a temp file upon every request)?

You need to go through a keystore, unless you're signing using a
symmetric key. I don't understand why the key pair needs to get
written out to a temp file?

> However in my setting it would be much more convenient if I could just
> specify the raw key pair to be used for every request.

If you want to submit a patch for this I'll take a look at it.

Colm.

-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
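The keystore route Colm describes can be driven from an in-memory KeyStore, so a key pair held as objects never has to be written to a temp file. This is an added example, not code from the thread or from the WSS4J project: it assumes the caller already holds a PrivateKey and matching X509Certificate, uses Merlin#setKeyStore from the 1.6 Merlin class, and the class name, alias and SOAP envelope are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Merlin;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;

public class InMemoryKeyStoreSigner {

    // Constructed sample request; in practice the client stack supplies the DOM.
    private static final String SOAP_ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><ns:ping xmlns:ns=\"urn:example\"/></soapenv:Body></soapenv:Envelope>";

    // Wrap an already-held private key and certificate in an in-memory KeyStore so that
    // Merlin resolves the signing key by alias without any merlin.keystore.* file properties.
    public static Merlin cryptoFor(PrivateKey privateKey, X509Certificate cert,
                                   String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                       // empty store, nothing read from disk
        ks.setKeyEntry(alias, privateKey, password, new Certificate[] { cert });
        Merlin merlin = new Merlin();
        merlin.setKeyStore(ks);                    // replaces the properties-based keystore
        return merlin;
    }

    // Sign the SOAP Body with the key stored under 'alias' and return the signed DOM.
    public static Document sign(PrivateKey privateKey, X509Certificate cert,
                                String alias, char[] password) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);               // WS-Security processing needs namespaces
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SOAP_ENVELOPE.getBytes(StandardCharsets.UTF_8)));

        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, new String(password)); // same alias/password pair as a file-backed store
        // Carry the certificate as a BinarySecurityToken so the receiver can find the verification key.
        sig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        return sig.build(doc, cryptoFor(privateKey, cert, alias, password), secHeader);
    }
}
```

The JKS key entry must be protected with a non-empty password, so pass a real char[] even though the store never leaves memory.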