Posted to wss4j-dev@ws.apache.org by Ron Reynolds <Ro...@RonReynolds.com> on 2005/10/20 23:59:37 UTC

Signatures - asymmetric or symmetric?

maybe this is just my lack of crypto knowledge showing, but i'm still not clear on how the server verifies the
signature the client put on its message.  as i (sorta) understand things (from
http://www.devx.com/Java/Article/28816/0/ ), you
1. generate 2 keys (any particular -keyalg, -keysize, -sigalg, -storetype or will any valid ones work?)
  keytool -genkey -alias AL-private -keystore al-pvt.key
  keytool -genkey -alias AL-public  -keystore al-pub.key

2. self-sign the keys
  keytool -selfcert -alias AL-private -keystore al-pvt.key
  keytool -selfcert -alias AL-public -keystore al-pub.key

3. generate a certificate
  keytool -export -keystore al-pub.key -alias AL-public -file AL.cert

4. import the certificate into the private keystore
  keytool -import -alias AL-public -file AL.cert -keystore al-pvt.key

5. create a crypto.properties file (note, alias and password now not used according to this archived email -
http://66.102.7.104/search?q=cache:UcxnQ8nN4_AJ:archives.devshed.com/a/ml/200409-844703/AW-AW-Problem-with-Signatures-Unexpected-number-of-X509Data-f+Unexpected+number+of+X509Data:+for+Signature&hl=en
)
  org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
  org.apache.ws.security.crypto.merlin.keystore.type=<whatever you used in step 1>
  org.apache.ws.security.crypto.merlin.keystore.password=<whatever you used in step 1>
  org.apache.ws.security.crypto.merlin.file=???

now, the file is unclear - is that the cert, the public key file, or the private key file?  if it's the public key
then, given what i think is meant by "public" and "private" key, anybody could sign this message.  so my guess is it's
the private key file or the cert file (tho the client doesn't need its public key so that also makes little sense), so
we'll assume
  org.apache.ws.security.crypto.merlin.file=al-pvt.key

6. create a client-config.wsdd file that contains at least:

<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <!-- add the header that adds the signature -->
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action"                value="Signature"/>
        <parameter name="user"                  value="AL-private"/>
        <parameter name="passwordCallbackClass" value="com.example.GimmeALsPassword"/>
        <parameter name="signaturePropFile"     value="crypto.properties" />
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>

7. write a class, com.example.GimmeALsPassword:

package com.example;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// class name must match the passwordCallbackClass parameter in client-config.wsdd
public class GimmeALsPassword implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int x = 0; x < callbacks.length; ++x) {
            if (!(callbacks[x] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[x], "Unrecognized Callback");
            }
            WSPasswordCallback callback = (WSPasswordCallback) callbacks[x];
            String id = callback.getIdentifer();   // alias of the key entry WSS4J wants to use
            if ("AL-private".equals(id)) {
                // password of the AL-private key entry created in step 1
                callback.setPassword("whatever you used in step 1");
            }
        }
    }
}

8. package up the callback, the client-config.wsdd, the private key file, your client classes (if any), and ship those
to the client.

9. and then...  what goes on the server?  the public key, the cert, or the private key?  the private key makes no
sense - only the client is supposed to have the private key.  the cert is supposed to join the public and private
keys, yes?  but then how do you write your server-config.wsdd to use it?  is the user name AL-private?  so
confusing... :-/

help.  please.  once i get this all figured out i'll write a wiki page and put it somewhere around
http://wiki.apache.org/ws/RonReynolds (tho first i have to figure out how to create a wiki page other than my own...)

so, when's "WSS4J For Smarties And Dummies" coming out? :)

................ron.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: Signatures - asymmetric or symmetric?

Posted by Ron Reynolds <Ro...@RonReynolds.com>.
> maybe this is just my lack of crypto knowledge showing...
well, after reading a bit on keytool, i can tell my lack of crypto knowledge was really showing in that last email. 
sorry for the waste of bandwidth... :-/
every time i come back to crypto it's like i have to re-learn so much.  i'm certain i knew at one point that keystore
files contain both public and private keys - i don't know why that escaped me today...
again, sorry for ranting.
...............ron.





Re: Signatures - asymmetric or symmetric?

Posted by Ron Reynolds <Ro...@RonReynolds.com>.
> you do not need the private to verify the signature.
that part certainly makes sense, otherwise it would be symmetric crypto, right?  but the client passes the certificate
along with their message?  ah, and that cert is signed by someone trusted by the server and thus the server trusts the
client.  and in my case i need to create a cert for the server so it can sign all the client's certificates and thus
only a client with a certificate signed with the server's cert is accepted by the server... :-?

so every signed SOAP message comes in with the X509 encoded in the header?  that seems a little inefficient if the
client makes a lot of requests...  any way to prepopulate the server with client certs and then only allow those
clients in?  ah, that's the "some other reference, then you need keystore on the server side" part i would guess.  any
way on the server side to tell the server not to accept new X509 certificates but only these references?

this is reaching the cost point with my simple in-house server that i might just go back to my custom
MD5-xor-secretkey idea just to hit my deadline...


> Ron
> I guess for the client side you use AL-pvt.key as merlin.file ( I
> suggest you use better suffixes, like .jks if you are using JKS, for the
> stores).
>
> On the server side, you may or may not need a keystore - depending on how
> you pass the key in the request. If the default behavior of WSDoAllSender is
> to put a binary security token, then you do not require a keystore - the
> base64 encoded cert will be embedded in the request and the server can use
> that to verify signature.
> If the binary security token is not included in the request, but some other
> reference, then you need keystore on the server side. In that case, you are
> better off creating another store and import the AL.cert into it.
>
> For basics - you do not need the private to verify the signature.
>
> thanks,
> Samrat
>
>
> On 10/20/05, Ron Reynolds <Ro...@ronreynolds.com> wrote:
>>
>> maybe this is just my lack of crypto knowledge showing, but i'm still not
>> clear on how the server verifies the
>> signature the client put on its message. as i (sorta) understand things
>> (from
>> http://www.devx.com/Java/Article/28816/0/ ), you
>> 1. generate 2 keys (any particular -keyalg, -keysize, -sigalg, -storetype
>> or will any valid ones work?)
>> keytool -genkey -alias AL-private -keystore al-pvt.key
>> keytool -genkey -alias AL-public -keystore al-pub.key
>>
>> 2. self-sign the keys
>> keytool -selfcert -alias AL-private -keystore al-pvt.key
>> keytool -selfcert -alias AL-public -keystore al-pub.key
>>
>> 3. generate a certificate
>> keytool -export -keystore al-pub.key -alias AL-public -file AL.cert
>>
>> 4. import the certificate into the private keystore
>> keytool -import -alias AL-public -file AL.cert -keystore AL-pvt.key
>>
>> 5. create a crypto.properties file (note, alias and password now not used
>> according this archived email -
>>
>> http://66.102.7.104/search?q=cache:UcxnQ8nN4_AJ:archives.devshed.com/a/ml/200409-844703/AW-AW-Problem-with-Signatures-Unexpected-number-of-X509Data-f+Unexpected+number+of+X509Data:+for+Signature&hl=en
>> )
>>
>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=<whatever you used in
>> step 1>
>> org.apache.ws.security.crypto.merlin.keystore.password=<whatever you used
>> in step 1>
>> org.apache.ws.security.crypto.merlin.file=???
>>
>> now, the file is unclear - is that the cert, the public key file, or the
>> private key file? if it's the public key
>> then, given what i think is meant by "public" and "private" key, anybody
>> could sign this message. so my guess is it's
>> the private key file or the cert file (tho the client doesn't need its
>> public key so that also makes little sense), so
>> we'll assume
>> org.apache.ws.security.crypto.merlin.file=AL-pvt.key
>>
>> 6. create a client-config.wsdd file that contains at least:
>>
>> <deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="
>> http://xml.apache.org/axis/wsdd/providers/java">
>> <transport name="http" pivot="java:
>> org.apache.axis.transport.http.HTTPSender"/>
>> <globalConfiguration>
>> <requestFlow>
>> <!-- add the header that adds the signature -->
>> <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>> <parameter name="action" value="Signature"/>
>> <parameter name="user" value="AL-private"/>
>> <parameter name="passwordCallbackClass" value="
>> com.example.GimmeALsPassword"/>
>> <parameter name="signaturePropFile" value="crypto.properties" />
>> </handler>
>> </requestFlow>
>> </globalConfiguration>
>> </deployment>
>>
>> 7. write a class, com.example.GimmeALsPassword:
>>
>> public class UserIdPWCallback implements
>> javax.security.auth.callback.CallbackHandler {
>> public void handle(javax.security.auth.callback.Callback[] callbacks)
>> throws java.io.IOException,
>> javax.security.auth.callback.UnsupportedCallbackException {
>> for (int x = 0; x < callbacks.length; ++x) {
>> try {
>> org.apache.ws.security.WSPasswordCallback callback;
>> callback = (org.apache.ws.security.WSPasswordCallback)callbacks[x];
>> String id = callback.getIdentifer();
>> if ("AL-private".equals(id)) {
>> callback.setPassword("whatever you used in step 1");
>> }
>> } catch (ClassCastException ccx) {
>> throw new UnsupportedCallbackException(callbacks[x], "Unrecognized
>> Callback");
>> }
>> }
>> }
>> }
>>
>> 8. package up the callback, the client-config.wsdd, the private key file,
>> your client classes (if any), and ship those
>> to the client.
>>
>> 9. and then... what goes on the server? the public key, the cert, or the
>> private key? the private key makes no
>> sense - only the client is supposed to have the private key. the cert is
>> supposed to join the public and private
>> keys, yes? but then how do you write your server-config.wsdd to use it? is
>> the user name AL-private? so
>> confusing... :-/
>>
>> help. please. once i get this all figured out i'll write a wiki page and
>> put it somewhere around
>> http://wiki.apache.org/ws/RonReynolds (tho first i have to figure out how
>> to create a wiki page other than my own...)
>>
>> so, when's "WSS4J For Smarties And Dummies" coming out? :)
>>
>> ................ron.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>>
>>
>
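
The two points of this exchange, that only the public key is needed to verify (Samrat's reply) and that a server can be restricted to clients whose certificates were pre-registered (Ron's question above), illustrated in plain JDK code written for this page, not WSS4J's own code. Assumptions: in-memory RSA key pairs stand in for the keystore entries from step 1, a Map of public keys stands in for the server-side keystore into which AL.cert was imported, and the aliases "AL" and "stranger" are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

public class AsymmetricSignatureDemo {

    /** Client side: signing needs only the private key, which never leaves the client. */
    static byte[] sign(PrivateKey clientPrivateKey, byte[] message) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(clientPrivateKey);
        s.update(message);
        return s.sign();
    }

    /** Server side: verification needs only the public key. It is looked up in a
     *  pre-populated trust list (the role of the server keystore holding the imported
     *  client certificates); a signer that is not registered is rejected before any
     *  signature check, which is the "only these references" behaviour asked about. */
    static boolean verifyFromTrustList(Map<String, PublicKey> trusted, String signerAlias,
                                       byte[] message, byte[] signature) throws Exception {
        PublicKey pub = trusted.get(signerAlias);
        if (pub == null) {
            return false;               // unknown signer: not in the trust list
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(message);
        return s.verify(signature);     // false if the message or signature was altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair al = gen.generateKeyPair();        // constructed: the registered client "AL"
        KeyPair stranger = gen.generateKeyPair();  // constructed: a client never imported

        Map<String, PublicKey> serverTrustList = new HashMap<>();
        serverTrustList.put("AL", al.getPublic()); // only AL's public key, no private key

        byte[] body = "<m:order xmlns:m=\"urn:example\">42</m:order>".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "<m:order xmlns:m=\"urn:example\">43</m:order>".getBytes(StandardCharsets.UTF_8);

        byte[] alSig = sign(al.getPrivate(), body);
        byte[] strangerSig = sign(stranger.getPrivate(), body);

        System.out.println("AL, untouched body:     " + verifyFromTrustList(serverTrustList, "AL", body, alSig));
        System.out.println("AL, tampered body:      " + verifyFromTrustList(serverTrustList, "AL", tampered, alSig));
        System.out.println("stranger, unregistered: " + verifyFromTrustList(serverTrustList, "stranger", body, strangerSig));
    }
}
```

In the WSS4J setup, Merlin performs the trust-list lookup against the keystore named in the server-side signaturePropFile, so an X.509 token embedded in the message is only useful if its certificate (or its issuer) is already in that store.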


