Posted to wss4j-dev@ws.apache.org by "Ostermueller, Erik" <Er...@fnis.com> on 2008/07/03 17:10:00 UTC

RE: Need help figuring out CryptoBase#getCertificates(alias)

I wrote:
>>> So, some help launching the tests would be nice.

...replying to self.  Here is doc for windoze:

Unzip these files to a blank directory:
	wss4j-otherjars-1.5.4.zip
	wss4j-bin-1.5.4.zip
	wss4j-src-1.5.4.zip 

In one window, run "ant tcpmon"
In a separate window, run "ant -DNumber=4 scenarioTest"

I apologize for the extra noise if this is already documented outside the build file for the src.

--Erik
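Added example, not code from this thread or from WSS4J itself: the java.security.KeyStore behaviour Erik describes on the CryptoBase.keystore instance, reproduced against an in-memory JCEKS store holding a constructed secret key, followed by the MAC that an XML Signature made with a symmetric key actually computes (no X509Data is involved). Alias, password and key bytes are hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class SymmetricKeyStoreDemo {
    // Constructed sample values (hypothetical, not taken from the thread).
    static final byte[] RAW_KEY = "0123456789abcdefghij".getBytes();   // 20-byte HMAC-SHA1 key
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String ALIAS = "mac-key";

    // A JKS keystore cannot hold SecretKey entries; JCEKS can, so build one in memory.
    static KeyStore buildStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, PASSWORD);                          // start with an empty store
        SecretKey key = new SecretKeySpec(RAW_KEY, "HmacSHA1");
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(PASSWORD));
        return ks;
    }

    // The same java.security.KeyStore calls Erik lists: alias present, key entry,
    // key retrievable, yet no certificate chain, because a secret key has none.
    static Certificate[] inspect(KeyStore ks) throws Exception {
        System.out.println("containsAlias = " + ks.containsAlias(ALIAS));        // true
        System.out.println("isKeyEntry    = " + ks.isKeyEntry(ALIAS));           // true
        System.out.println("getKey        = " + ks.getKey(ALIAS, PASSWORD).getAlgorithm()); // HmacSHA1
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        System.out.println("getCertificateChain = " + chain);                   // null
        return chain;
    }

    // "Signing" with a symmetric key is a MAC: XML Signature's hmac-sha1 method is
    // HMAC-SHA1 over the canonicalised SignedInfo, so no certificate lookup applies.
    static byte[] macSignedInfo(KeyStore ks, byte[] canonicalSignedInfo) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA1");
        hmac.init((SecretKey) ks.getKey(ALIAS, PASSWORD));
        return hmac.doFinal(canonicalSignedInfo);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = buildStore();
        inspect(ks);
        byte[] signedInfo = "<ds:SignedInfo>...</ds:SignedInfo>".getBytes("UTF-8"); // placeholder
        byte[] tag = macSignedInfo(ks, signedInfo);
        System.out.println("HMAC-SHA1 SignatureValue is " + tag.length + " bytes");   // 20
    }
}
```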

-----Original Message-----
From: Dittmann, Werner (NSN - DE/Muenich) [mailto:werner.dittmann@nsn.com] 
Sent: Thursday, June 26, 2008 1:23 AM
To: Ostermueller, Erik; Patrick J Kobly
Cc: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)

Erik,

the WSS4J library and the associated Axis-1 and Axis-2 drivers implement
(most) of the OASIS Web Service Security specifications which in turn re-use the XML signature and XML encryption specs published by W3C. Thus to fully understand the principles behind WSS4J you should refer to the OASIS specs. These specs define so called profiles that define when and how to use certificates (or not) and their interaction with encryption, encrypted keys, passwords and so on.

Using Web Service Security needs careful planning of the required steps and the required security (as you pointed out in your e-mail). On top of that it is IMHO necessary to understand the basic principles of the OASIS specifications to see what is possible and what's not possible.

The WSS4J source tree contains documentation and programs that implement the interoperability tests. These tests use various forms of encryption, signature, etc. Maybe these programs and docs can support your activities.

Regards,
Werner

> -----Original Message-----
> From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
> Sent: Wednesday, 25 June 2008 21:12
> To: Patrick J Kobly
> Cc: wss4j-dev@ws.apache.org
> Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
> 
> Patrick wrote:
> >> How is it that you'd expect to get a certificate for / related to a
> >> symmetric key?
> >> What would you expect such a certificate to look like?
> >> What would you expect a signature using only a symmetric key would
> >> look like?
> 
> Those are good questions.  I was expecting a certificate b/c the code 
> was expecting a certificate and I didn't know any better.
> If no certs are found, this CryptoBase#getCertificates(alias) method 
> returns a null which triggers an exception downstream.
> So I learned that "if symmetric algorithm --> then certificates are 
> not relevant/used."
> 
> That leads me back to the original problem of how do you sign 
> something when using symmetric keys.
> I just checked and the xml sig spec allows for this.  When signing 
> with symmetric key, the sig is called a message authentication 
> code/mac.
> The wss4j test referenced below looks like it's configured to do all 
> this.
> 
> 
> Is there a doc somewhere that tells how to run the tests?  I'd 
> like to verify whether this is a currently supported test and is 
> working correctly?
> Then, I'll have to figure out why this axis-based 'mac' example works 
> and my cxf-based mac example is stuck looking for non-existent 
> certificates.
> 
> So, some help launching the tests would be nice.
> 
> --Erik
> 
> 
> 
> ________________________________
> 
> From: Patrick J Kobly [mailto:patrick@kobly.com]
> Sent: Tuesday, June 24, 2008 3:31 PM
> To: Ostermueller, Erik
> Cc: wss4j-dev@ws.apache.org
> Subject: Re: Need help figuring out CryptoBase#getCertificates(alias)
> 
> 
> How is it that you'd expect to get a certificate for / related to a 
> symmetric key?  What would you expect such a certificate to look like?
> What would you expect a signature using only a symmetric key would 
> look like?
> 
> The discussion related to the embedded key stuff relates (predictably) 
> only to encryption and not to signature (as would be expected of any 
> symmetric scheme), yet you seem to be trying to do signature stuff...
> 
> What is it you are trying to accomplish here?
> 
> PK
> 
> Ostermueller, Erik wrote: 
> 
> Whoops!  Previous file is bad.  Try this one:
> http://www.mediafire.com/?d3hx342xtxm
> 
> The new file name is symmetric-encryption3.zip
> 
> ________________________________
> 
> From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com] 
> Sent: Tuesday, June 24, 2008 2:21 PM
> To: wss4j-dev@ws.apache.org
> Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
> 
> ok,  I've re-worked my example ( download the little zip file here: 
> http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j 
> symmetric encryption example referenced in this thread:
> http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
> 
> To get this example running, just configure the stuff in 
> bin/setenv.cmd and run "ant client"
> No need to run the server -- it fails before it gets there with the 
> message:  Unexpected number of X509Data: for Signature
> So the error hasn't changed, but it is tough to tell whether I've got 
> this configured correctly.
> 
> At the top of the method CryptoBase.getCertificates(alias), the 
> methods isKeyEntry(), containsAlias(), getKey() and the enum aliases 
> on CryptoBase.keystore all seem to contain the right alias/key data.
> 
> As far as I can see, the issue is that the methods mentioned above on 
> the CryptoBase.keystore instance return good-looking data but the 
> method getCertificateChain(alias) -- on the exact same instance -- 
> returns null.
> 
> Thanks,
> --Erik
> 
> 
> 
> --
> Patrick Kobly, CISSP
> T: 403-274-9033
> C: 403-463-6141
> F: 866-786-9459
> 56 388 Sandarac Dr NW
> Calgary, Alberta
> T3K 4E3
> http://www.kobly.com

_____________

The information contained in this message is proprietary and/or confidential. If you are not the 
intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, 
distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, 
please be aware that any message addressed to our domain is subject to archiving and review by 
persons other than the intended recipient. Thank you.
_____________

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org