You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by Milinda Lakmal <mi...@yahoo.com> on 2006/07/19 06:54:11 UTC
WSS4J LDAP Integration
Hi,
I implemented some of the methods in crypto interface.
But I have problems with these methods. Can you please reply me if you have any suggestions to these problems.
public PrivateKey getPrivateKey(String alias, String password) throws Exception;
public String getDefaultX509Alias();
What is the default alias when considering the LDAP Certifictae Stroe?
public KeyStore getKeyStore();
This method realy confused me when regarding the LDAP cert store. When we use ldap cert store this interface cant use.
Here is my current implementations:
package org.apache.ws.security.components;
/**
* Created by IntelliJ IDEA.
* User: milinda
* Date: Jul 18, 2006
* Time: 7:35:47 PM
* To change this template use File | Settings | File Templates.
*/
import org.apache.ws.security.WSSecurityException;
import javax.naming.directory.*;
import javax.naming.NamingException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import java.security.cert.*;
import java.security.NoSuchAlgorithmException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
public class LDAPCrypto {
protected static CertificateFactory certFact;
protected static DirContext ldapCtx;
protected static String searchContext;
protected Properties properties;
protected ArrayList caCertList;
static String SKI_OID = "2.5.29.14";
/**
* Constructor
*
* @param properties
* @throws javax.naming.NamingException
*/
public LDAPCrypto(Properties properties) throws NamingException {
/*
* if no properties .. just return an instance, the rest will be
* done later or this instance is just used to handle certificate
* conversions in this implementatio
*/
if (properties == null) {
return;
}
this.properties = properties;
searchContext = this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");
Hashtable ldapEnv = new Hashtable(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
ldapEnv.put(Context.PROVIDER_URL,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));
/**
* Look for the authentication type & create DirContext according to the properties
*/
if (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("none"))
{
ldapEnv.put(Context.SECURITY_AUTHENTICATION,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
ldapCtx = new InitialDirContext(ldapEnv);
}
if (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("simple"))
{
ldapEnv.put(Context.SECURITY_AUTHENTICATION,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
ldapEnv.put(Context.SECURITY_PRINCIPAL, this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
ldapEnv.put(Context.SECURITY_CREDENTIALS,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
ldapCtx = new InitialDirContext(ldapEnv);
System.out.println(ldapCtx);
}
caCertList = new ArrayList();
}
/**
* Singleton certificate factory for this Crypto instance.
* <p/>
*
* @return Returns a <code>CertificateFactory</code> to construct
* X509 certficates
* @throws org.apache.ws.security.WSSecurityException
*
*/
public synchronized CertificateFactory getCertificateFactory() throws WSSecurityException {
if (certFact == null) {
try {
certFact = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
"unsupportedCertType");
}
return certFact;
}
return certFact;
}
public String getEmailFromDN(String DN) {
StringTokenizer stOne = new StringTokenizer(DN, ",");
StringTokenizer stTwo = new StringTokenizer(stOne.nextToken(), "=");
stTwo.nextToken();
return stTwo.nextToken();
}
public ArrayList getCAS(String caAlias) {
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "(objectclass=pkiCA)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs = searchReult.getAttributes();
javax.naming.directory.Attribute attr = attrs.get("cACertificate;binary");
if (attr == null) {
return null;
} else {
Object binary = attr.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate) certFact.generateCertificate(binaryIS);
if (caAlias.equals(cert.getSubjectDN().toString())) {
caCertList.add(cert);
if (cert.getSubjectDN().toString().equals(cert.getIssuerDN().toString())) {
return caCertList;
} else {
caCertList = getCAS(cert.getIssuerDN().toString());
}
}
}
}
}
} catch (Exception e) {
}
return caCertList;
}
public X509Certificate[] getCertificates(String alias) throws WSSecurityException {
ArrayList certList = new ArrayList();
ArrayList caCList = new ArrayList();
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "cn=" + alias, constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs = searchReult.getAttributes();
javax.naming.directory.Attribute attr = attrs.get("userCertificate;binary");
if (attr != null) {
Object binary = attr.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate) certFact.generateCertificate(binaryIS);
certList.add(cert);
caCList = getCAS(cert.getIssuerDN().toString());
}
}
}
} catch (Exception e) {
}
for (int j = 0; j < caCList.size(); j++) {
certList.add(caCList.get(j));
}
if (certList.size() == 0 || certList == null) {
return null;
}
X509Certificate[] x509certs = new X509Certificate[certList.size()];
for (int i = 0; i < certList.size(); i++) {
x509certs[i] = (X509Certificate) certList.get(i);
}
return x509certs;
}
/**
* Return a X509 Certificate alias in the keystore according to a given Certificate
* <p/>
*
* @param cert The certificate to lookup
* @return alias name of the certificate that matches the given certificate
* or null if no such certificate was found.
* <p/>
* See comment above
* <p/>
* See comment above
*/
public String getAliasForX509Cert(Certificate cert) throws WSSecurityException {
boolean certFound = false;
String alias = null;
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs = searchReult.getAttributes();
javax.naming.directory.Attribute attrCert = attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN = attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cer;
cer = (X509Certificate) certFact.generateCertificate(binaryIS);
if (cer.equals(cert)) {
certFound = true;
alias = cn;
}
}
}
}
} catch (Exception e) {
}
String aliasReturn = null;
if (certFound) {
aliasReturn = alias;
}
return aliasReturn;
}
/**
* Lookup a X509 Certificate in the keystore according to a given
* SubjectKeyIdentifier.
* <p/>
* The search gets all alias names of the keystore and gets the certificate chain
* or certificate for each alias. Then the SKI for each user certificate
* is compared with the SKI parameter.
*
* @param skiBytes The SKI info bytes
* @return alias name of the certificate that matches serialNumber and issuer name
* or null if no such certificate was found.
* @throws org.apache.ws.security.WSSecurityException
* if problems during keystore handling or wrong certificate (no SKI data)
*/
public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException {
String alias = null;
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs = searchReult.getAttributes();
javax.naming.directory.Attribute attrCert = attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN = attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate) certFact.generateCertificate(binaryIS);
byte[] data = getSKIBytesFromCert(cert);
if (data.length != skiBytes.length) {
continue;
}
if (Arrays.equals(data, skiBytes)) {
alias = cn;
return alias;
}
}
}
}
} catch (Exception e) {
}
return null;
}
/**
* Lookup a X509 Certificate in the keystore according to a given
* Thumbprint.
* <p/>
* The search gets all alias names of the keystore, then reads the certificate chain
* or certificate for each alias. Then the thumbprint for each user certificate
* is compared with the thumbprint parameter.
*
* @param thumb The SHA1 thumbprint info bytes
* @return alias name of the certificate that matches the thumbprint
* or null if no such certificate was found.
* @throws org.apache.ws.security.WSSecurityException
* if problems during keystore handling or wrong certificate
*/
public String getAliasForX509CertThumb(byte[] thumb) throws WSSecurityException {
String alias = null;
MessageDigest sha = null;
try {
sha = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException e1) {
throw new WSSecurityException(0, "noSHA1availabe");
}
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs = searchReult.getAttributes();
javax.naming.directory.Attribute attrCert = attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN = attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate) certFact.generateCertificate(binaryIS);
sha.reset();
try {
sha.update(cert.getEncoded());
} catch (CertificateEncodingException e1) {
throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError");
}
byte[] data = sha.digest();
if (Arrays.equals(data, thumb)) {
alias = cn;
return alias;
}
}
}
}
} catch (Exception e) {
}
return null;
}
/**
* Lookup X509 Certificates in the keystore according to a given DN of the subject of the certificate
* <p/>
* The search gets all alias names of the keystore and gets the certificate (chain)
* for each alias. Then the DN of the certificate is compared with the parameters.
*
* @param subjectDN The DN of subject to look for in the keystore
* @return Vector with all alias of certificates with the same DN as given in the parameters
* @throws org.apache.ws.security.WSSecurityException
*
*/
public String[] getAliasesForDN(String subjectDN) throws WSSecurityException {
ArrayList aliases = new ArrayList();
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
Vector subjectRDN = splitAndTrim(subjectDN);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs = searchReult.getAttributes();
javax.naming.directory.Attribute attrCert = attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN = attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate) certFact.generateCertificate(binaryIS);
Vector foundRDN = splitAndTrim(cert.getSubjectDN().getName());
if (subjectRDN.equals(foundRDN)) {
aliases.add(cn);
}
}
}
}
} catch (Exception e) {
}
if (aliases.size() != 0) {
String[] result = new String[aliases.size()];
for (int i = 0; i < aliases.size(); i++) {
result[i] = (String) aliases.get(i);
}
return result;
}
return null;
}
public static void main(String[] args) {
Properties props = new Properties();
String s;
Certificate cet[];
try {
File prop = new File("LDAPCrypto.properties");
FileInputStream in = new FileInputStream(prop);
props.load(in);
in.close();
} catch (Exception e) {
}
try {
LDAPCrypto lCrypto1 = new LDAPCrypto(props);
try {
X509Certificate[] cert = lCrypto1.getCertificates("Lakmal");
String[] d = lCrypto1.getAliasesForDN("EMAILADDRESS=lakmal@gmail.com, CN=lakmal, OU=kd, O=LK, L=LAKM, ST=Eastern, C=SL");
System.out.println(d[1]);
for (int i = 0; i < cert.length; i++) {
System.out.println("Subject DN: " + cert[i].getSubjectDN());
System.out.println("Alias For cert: " + lCrypto1.getAliasForX509Cert(cert[i]));
System.out.println("Alias For ski: " + lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
}
} catch (Exception f) {
f.printStackTrace();
}
} catch (NamingException n) {
n.printStackTrace();
}
}
private Vector splitAndTrim(String inString) {
X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
Vector vr = new Vector();
while (nmTokens.hasMoreTokens()) {
vr.add(nmTokens.nextToken());
}
java.util.Collections.sort(vr);
return vr;
}
/**
* Reads the SubjectKeyIdentifier information from the certificate.
* <p/>
* If the the certificate does not contain a SKI extension then
* try to compute the SKI according to RFC3280 using the
* SHA-1 hash value of the public key. The second method described
* in RFC3280 is not support. Also only RSA public keys are supported.
* If we cannot compute the SKI throw a WSSecurityException.
*
* @param cert The certificate to read SKI
* @return The byte array conating the binary SKI data
*/
public byte[] getSKIBytesFromCert(X509Certificate cert)
throws WSSecurityException {
/*
* Gets the DER-encoded OCTET string for the extension value (extnValue)
* identified by the passed-in oid String. The oid string is represented
* by a set of positive whole numbers separated by periods.
*/
byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
if (cert.getVersion() < 3 || derEncodedValue == null) {
PublicKey key = cert.getPublicKey();
if (!(key instanceof RSAPublicKey)) {
throw new WSSecurityException(1, "noSKIHandling", new Object[]{"Support for RSA key only"});
}
byte[] encoded = key.getEncoded();
// remove 22-byte algorithm ID and header
byte[] value = new byte[encoded.length - 22];
System.arraycopy(encoded, 22, value, 0, value.length);
MessageDigest sha;
try {
sha = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException ex) {
throw new WSSecurityException(1, "noSKIHandling", new Object[]{"Wrong certificate version (<3) and no SHA1 message digest availabe"});
}
sha.reset();
sha.update(value);
return sha.digest();
}
/**
* Strip away first four bytes from the DerValue (tag and length of
* ExtensionValue OCTET STRING and KeyIdentifier OCTET STRING)
*/
byte abyte0[] = new byte[derEncodedValue.length - 4];
System.arraycopy(derEncodedValue, 4, abyte0, 0, abyte0.length);
return abyte0;
}
}
Re: WSS4J LDAP Integration
Posted by Ruchith Fernando <ru...@gmail.com>.
Milinda,
Please send a patch (attach it to JIRA) with these changes.
Thanks,
Ruchith
On 7/19/06, Ruchith Fernando <ru...@gmail.com> wrote:
> Hi Milinda,
>
> I couldn't find any usages of the getKeystore() method in WSS4J.
> Therefore IMHO, you can safely throw an UnsupportedOperationException
> there.
>
> getDefaultX509Alias() is used to find the certificate to verify the
> signature when we cannot find the signature certificate from the
> incoming request. Therefore you can use the same approach that Merlin
> used to get this value, where you can load it from the .properties
> file.
>
> I'm not sure about the solution for getPrvateKey() but can we get the
> rest of it completed so we can try to use this with WSS4J to simply
> verify incoming signed messages.
>
> Thanks,
> Ruchith
>
> On 7/19/06, Milinda Lakmal <mi...@yahoo.com> wrote:
> >
> >
> > Hi,
> > I implemented some of the methods in crypto interface.
> > But I have problems with these methods. Can you please reply me if you have
> > any suggestions to these problems.
> >
> > public PrivateKey getPrivateKey(String alias, String password) throws
> > Exception;
> >
> > public String getDefaultX509Alias();
> > What is the default alias when considering the LDAP Certifictae Stroe?
> >
> > public KeyStore getKeyStore();
> > This method realy confused me when regarding the LDAP cert store. When we
> > use ldap cert store this interface cant use.
> >
> > Here is my current implementations:
> > package org.apache.ws.security.components;
> >
> > /**
> > * Created by IntelliJ IDEA.
> > * User: milinda
> > * Date: Jul 18, 2006
> > * Time: 7:35:47 PM
> > * To change this template use File | Settings | File Templates.
> > */
> >
> > import org.apache.ws.security.WSSecurityException;
> >
> > import javax.naming.directory.*;
> > import javax.naming.NamingException;
> > import javax.naming.Context;
> > import javax.naming.NamingEnumeration;
> > import java.security.cert.*;
> > import java.security.NoSuchAlgorithmException;
> > import java.security.MessageDigest;
> > import java.security.PublicKey;
> > import java.security.interfaces.RSAPublicKey;
> > import java.util.*;
> > import java.io.ByteArrayInputStream;
> > import java.io.File;
> > import java.io.FileInputStream;
> >
> > public class LDAPCrypto {
> > protected static CertificateFactory certFact;
> > protected static DirContext ldapCtx;
> > protected static String searchContext;
> > protected Properties properties;
> > protected ArrayList caCertList;
> > static String SKI_OID = "2.5.29.14";
> >
> > /**
> > * Constructor
> > *
> > * @param properties
> > * @throws javax.naming.NamingException
> > */
> >
> > public LDAPCrypto(Properties properties) throws NamingException {
> > /*
> > * if no properties .. just return an instance, the rest will be
> > * done later or this instance is just used to handle certificate
> > * conversions in this implementatio
> > */
> > if (properties == null) {
> > return;
> > }
> > this.properties = properties;
> >
> > searchContext =
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");
> > Hashtable ldapEnv = new Hashtable(11);
> > ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
> > ldapEnv.put(Context.PROVIDER_URL,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));
> >
> > /**
> > * Look for the authentication type & create DirContext according
> > to the properties
> > */
> > if
> > (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("none"))
> > {
> > ldapEnv.put(Context.SECURITY_AUTHENTICATION,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> > ldapCtx = new InitialDirContext(ldapEnv);
> > }
> > if
> > (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("simple"))
> > {
> > ldapEnv.put(Context.SECURITY_AUTHENTICATION,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> > ldapEnv.put(Context.SECURITY_PRINCIPAL,
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
> > ldapEnv.put(Context.SECURITY_CREDENTIALS,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
> > ldapCtx = new InitialDirContext(ldapEnv);
> > System.out.println(ldapCtx);
> >
> > }
> > caCertList = new ArrayList();
> > }
> >
> > /**
> > * Singleton certificate factory for this Crypto instance.
> > * <p/>
> > *
> > * @return Returns a <code>CertificateFactory</code> to construct
> > * X509 certficates
> > * @throws org.apache.ws.security.WSSecurityException
> > *
> > */
> > public synchronized CertificateFactory getCertificateFactory() throws
> > WSSecurityException {
> > if (certFact == null) {
> > try {
> >
> > certFact = CertificateFactory.getInstance("X.509");
> >
> > } catch (CertificateException e) {
> > throw new
> > WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> > "unsupportedCertType");
> >
> > }
> > return certFact;
> > }
> > return certFact;
> > }
> >
> > public String getEmailFromDN(String DN) {
> > StringTokenizer stOne = new StringTokenizer(DN, ",");
> > StringTokenizer stTwo = new StringTokenizer(stOne.nextToken(),
> > "=");
> > stTwo.nextToken();
> > return stTwo.nextToken();
> > }
> >
> > public ArrayList getCAS(String caAlias) {
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiCA)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attr =
> > attrs.get("cACertificate;binary");
> > if (attr == null) {
> > return null;
> > } else {
> > Object binary = attr.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > if (caAlias.equals(cert.getSubjectDN().toString()))
> > {
> > caCertList.add(cert);
> > if
> > (cert.getSubjectDN().toString().equals(cert.getIssuerDN().toString())) {
> > return caCertList;
> > } else {
> > caCertList =
> > getCAS(cert.getIssuerDN().toString());
> > }
> >
> > }
> > }
> > }
> > }
> > } catch (Exception e) {
> >
> > }
> >
> > return caCertList;
> > }
> >
> > public X509Certificate[] getCertificates(String alias) throws
> > WSSecurityException {
> > ArrayList certList = new ArrayList();
> > ArrayList caCList = new ArrayList();
> >
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext, "cn="
> > + alias, constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attr =
> > attrs.get("userCertificate;binary");
> > if (attr != null) {
> > Object binary = attr.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > certList.add(cert);
> > caCList = getCAS(cert.getIssuerDN().toString());
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> > for (int j = 0; j < caCList.size(); j++) {
> > certList.add(caCList.get(j));
> > }
> > if (certList.size() == 0 || certList == null) {
> > return null;
> > }
> >
> > X509Certificate[] x509certs = new X509Certificate[certList.size()];
> > for (int i = 0; i < certList.size(); i++) {
> > x509certs[i] = (X509Certificate) certList.get(i);
> > }
> > return x509certs;
> > }
> >
> > /**
> > * Return a X509 Certificate alias in the keystore according to a given
> > Certificate
> > * <p/>
> > *
> > * @param cert The certificate to lookup
> > * @return alias name of the certificate that matches the given
> > certificate
> > * or null if no such certificate was found.
> > * <p/>
> > * See comment above
> > * <p/>
> > * See comment above
> > */
> >
> > public String getAliasForX509Cert(Certificate cert) throws
> > WSSecurityException {
> > boolean certFound = false;
> > String alias = null;
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cer;
> > cer = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > if (cer.equals(cert)) {
> > certFound = true;
> > alias = cn;
> > }
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> > String aliasReturn = null;
> > if (certFound) {
> > aliasReturn = alias;
> > }
> > return aliasReturn;
> > }
> >
> > /**
> > * Lookup a X509 Certificate in the keystore according to a given
> > * SubjectKeyIdentifier.
> > * <p/>
> > * The search gets all alias names of the keystore and gets the
> > certificate chain
> > * or certificate for each alias. Then the SKI for each user
> > certificate
> > * is compared with the SKI parameter.
> > *
> > * @param skiBytes The SKI info bytes
> > * @return alias name of the certificate that matches serialNumber and
> > issuer name
> > * or null if no such certificate was found.
> > * @throws org.apache.ws.security.WSSecurityException
> > * if problems during keystore handling or wrong certificate
> > (no SKI data)
> > */
> >
> > public String getAliasForX509Cert(byte[] skiBytes) throws
> > WSSecurityException {
> > String alias = null;
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > byte[] data = getSKIBytesFromCert(cert);
> > if (data.length != skiBytes.length) {
> > continue;
> > }
> > if (Arrays.equals(data, skiBytes)) {
> > alias = cn;
> > return alias;
> > }
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> >
> > return null;
> >
> > }
> >
> >
> > /**
> > * Lookup a X509 Certificate in the keystore according to a given
> > * Thumbprint.
> > * <p/>
> > * The search gets all alias names of the keystore, then reads the
> > certificate chain
> > * or certificate for each alias. Then the thumbprint for each user
> > certificate
> > * is compared with the thumbprint parameter.
> > *
> > * @param thumb The SHA1 thumbprint info bytes
> > * @return alias name of the certificate that matches the thumbprint
> > * or null if no such certificate was found.
> > * @throws org.apache.ws.security.WSSecurityException
> > * if problems during keystore handling or wrong certificate
> > */
> >
> > public String getAliasForX509CertThumb(byte[] thumb) throws
> > WSSecurityException {
> > String alias = null;
> > MessageDigest sha = null;
> >
> > try {
> > sha = MessageDigest.getInstance("SHA-1");
> > } catch (NoSuchAlgorithmException e1) {
> > throw new WSSecurityException(0, "noSHA1availabe");
> > }
> >
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > sha.reset();
> > try {
> > sha.update(cert.getEncoded());
> > } catch (CertificateEncodingException e1) {
> > throw new
> > WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> > "encodeError");
> > }
> > byte[] data = sha.digest();
> >
> > if (Arrays.equals(data, thumb)) {
> > alias = cn;
> > return alias;
> > }
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> >
> > return null;
> > }
> >
> > /**
> > * Lookup X509 Certificates in the keystore according to a given DN of
> > the subject of the certificate
> > * <p/>
> > * The search gets all alias names of the keystore and gets the
> > certificate (chain)
> > * for each alias. Then the DN of the certificate is compared with the
> > parameters.
> > *
> > * @param subjectDN The DN of subject to look for in the keystore
> > * @return Vector with all alias of certificates with the same DN as
> > given in the parameters
> > * @throws org.apache.ws.security.WSSecurityException
> > *
> > */
> > public String[] getAliasesForDN(String subjectDN) throws
> > WSSecurityException {
> >
> > ArrayList aliases = new ArrayList();
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> >
> > Vector subjectRDN = splitAndTrim(subjectDN);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > Vector foundRDN =
> > splitAndTrim(cert.getSubjectDN().getName());
> > if (subjectRDN.equals(foundRDN)) {
> > aliases.add(cn);
> > }
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> >
> > if (aliases.size() != 0) {
> > String[] result = new String[aliases.size()];
> > for (int i = 0; i < aliases.size(); i++) {
> > result[i] = (String) aliases.get(i);
> > }
> > return result;
> > }
> >
> > return null;
> >
> > }
> >
> > public static void main(String[] args) {
> > Properties props = new Properties();
> > String s;
> > Certificate cet[];
> > try {
> > File prop = new File("LDAPCrypto.properties");
> > FileInputStream in = new FileInputStream(prop);
> > props.load(in);
> > in.close();
> > } catch (Exception e) {
> >
> > }
> > try {
> > LDAPCrypto lCrypto1 = new LDAPCrypto(props);
> > try {
> > X509Certificate[] cert =
> > lCrypto1.getCertificates("Lakmal");
> > String[] d =
> > lCrypto1.getAliasesForDN("EMAILADDRESS=lakmal@gmail.com, CN=lakmal, OU=kd,
> > O=LK, L=LAKM, ST=Eastern, C=SL");
> > System.out.println(d[1]);
> >
> > for (int i = 0; i < cert.length; i++) {
> > System.out.println("Subject DN: " +
> > cert[i].getSubjectDN());
> > System.out.println("Alias For cert: " +
> > lCrypto1.getAliasForX509Cert(cert[i]));
> > System.out.println("Alias For ski: " +
> > lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
> > }
> >
> > } catch (Exception f) {
> > f.printStackTrace();
> >
> > }
> >
> > } catch (NamingException n) {
> > n.printStackTrace();
> > }
> > }
> >
> > private Vector splitAndTrim(String inString) {
> > X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
> > Vector vr = new Vector();
> >
> > while (nmTokens.hasMoreTokens()) {
> > vr.add(nmTokens.nextToken());
> > }
> > java.util.Collections.sort(vr);
> > return vr;
> > }
> >
> > /**
> > * Reads the Subject...
> >
> > [Message clipped]
>
>
> --
> www.ruchith.org
>
--
www.ruchith.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSS4J LDAP Integration
Posted by Ruchith Fernando <ru...@gmail.com>.
Milinda,
Please send a patch (attach it to JIRA) with these changes.
Thanks,
Ruchith
On 7/19/06, Ruchith Fernando <ru...@gmail.com> wrote:
> Hi Milinda,
>
> I couldn't find any usages of the getKeystore() method in WSS4J.
> Therefore IMHO, you can safely throw an UnsupportedOperationException
> there.
>
> getDefaultX509Alias() is used to find the certificate to verify the
> signature when we cannot find the signature certificate from the
> incoming request. Therefore you can use the same approach that Merlin
> used to get this value, where you can load it from the .properties
> file.
>
> I'm not sure about the solution for getPrvateKey() but can we get the
> rest of it completed so we can try to use this with WSS4J to simply
> verify incoming signed messages.
>
> Thanks,
> Ruchith
>
> On 7/19/06, Milinda Lakmal <mi...@yahoo.com> wrote:
> >
> >
> > Hi,
> > I implemented some of the methods in crypto interface.
> > But I have problems with these methods. Can you please reply me if you have
> > any suggestions to these problems.
> >
> > public PrivateKey getPrivateKey(String alias, String password) throws
> > Exception;
> >
> > public String getDefaultX509Alias();
> > What is the default alias when considering the LDAP Certifictae Stroe?
> >
> > public KeyStore getKeyStore();
> > This method realy confused me when regarding the LDAP cert store. When we
> > use ldap cert store this interface cant use.
> >
> > Here is my current implementations:
> > package org.apache.ws.security.components;
> >
> > /**
> > * Created by IntelliJ IDEA.
> > * User: milinda
> > * Date: Jul 18, 2006
> > * Time: 7:35:47 PM
> > * To change this template use File | Settings | File Templates.
> > */
> >
> > import org.apache.ws.security.WSSecurityException;
> >
> > import javax.naming.directory.*;
> > import javax.naming.NamingException;
> > import javax.naming.Context;
> > import javax.naming.NamingEnumeration;
> > import java.security.cert.*;
> > import java.security.NoSuchAlgorithmException;
> > import java.security.MessageDigest;
> > import java.security.PublicKey;
> > import java.security.interfaces.RSAPublicKey;
> > import java.util.*;
> > import java.io.ByteArrayInputStream;
> > import java.io.File;
> > import java.io.FileInputStream;
> >
> > public class LDAPCrypto {
> > protected static CertificateFactory certFact;
> > protected static DirContext ldapCtx;
> > protected static String searchContext;
> > protected Properties properties;
> > protected ArrayList caCertList;
> > static String SKI_OID = "2.5.29.14";
> >
> > /**
> > * Constructor
> > *
> > * @param properties
> > * @throws javax.naming.NamingException
> > */
> >
> > public LDAPCrypto(Properties properties) throws NamingException {
> > /*
> > * if no properties .. just return an instance, the rest will be
> > * done later or this instance is just used to handle certificate
> > * conversions in this implementatio
> > */
> > if (properties == null) {
> > return;
> > }
> > this.properties = properties;
> >
> > searchContext =
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");
> > Hashtable ldapEnv = new Hashtable(11);
> > ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
> > ldapEnv.put(Context.PROVIDER_URL,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));
> >
> > /**
> > * Look for the authentication type & create DirContext according
> > to the properties
> > */
> > if
> > (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("none"))
> > {
> > ldapEnv.put(Context.SECURITY_AUTHENTICATION,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> > ldapCtx = new InitialDirContext(ldapEnv);
> > }
> > if
> > (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("simple"))
> > {
> > ldapEnv.put(Context.SECURITY_AUTHENTICATION,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> > ldapEnv.put(Context.SECURITY_PRINCIPAL,
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
> > ldapEnv.put(Context.SECURITY_CREDENTIALS,
> >
> > this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
> > ldapCtx = new InitialDirContext(ldapEnv);
> > System.out.println(ldapCtx);
> >
> > }
> > caCertList = new ArrayList();
> > }
> >
> > /**
> > * Singleton certificate factory for this Crypto instance.
> > * <p/>
> > *
> > * @return Returns a <code>CertificateFactory</code> to construct
> > * X509 certficates
> > * @throws org.apache.ws.security.WSSecurityException
> > *
> > */
> > public synchronized CertificateFactory getCertificateFactory() throws
> > WSSecurityException {
> > if (certFact == null) {
> > try {
> >
> > certFact = CertificateFactory.getInstance("X.509");
> >
> > } catch (CertificateException e) {
> > throw new
> > WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> > "unsupportedCertType");
> >
> > }
> > return certFact;
> > }
> > return certFact;
> > }
> >
> > public String getEmailFromDN(String DN) {
> > StringTokenizer stOne = new StringTokenizer(DN, ",");
> > StringTokenizer stTwo = new StringTokenizer(stOne.nextToken(),
> > "=");
> > stTwo.nextToken();
> > return stTwo.nextToken();
> > }
> >
> > public ArrayList getCAS(String caAlias) {
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiCA)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attr =
> > attrs.get("cACertificate;binary");
> > if (attr == null) {
> > return null;
> > } else {
> > Object binary = attr.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > if (caAlias.equals(cert.getSubjectDN().toString()))
> > {
> > caCertList.add(cert);
> > if
> > (cert.getSubjectDN().toString().equals(cert.getIssuerDN().toString())) {
> > return caCertList;
> > } else {
> > caCertList =
> > getCAS(cert.getIssuerDN().toString());
> > }
> >
> > }
> > }
> > }
> > }
> > } catch (Exception e) {
> >
> > }
> >
> > return caCertList;
> > }
> >
> > public X509Certificate[] getCertificates(String alias) throws
> > WSSecurityException {
> > ArrayList certList = new ArrayList();
> > ArrayList caCList = new ArrayList();
> >
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext, "cn="
> > + alias, constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attr =
> > attrs.get("userCertificate;binary");
> > if (attr != null) {
> > Object binary = attr.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > certList.add(cert);
> > caCList = getCAS(cert.getIssuerDN().toString());
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> > for (int j = 0; j < caCList.size(); j++) {
> > certList.add(caCList.get(j));
> > }
> > if (certList.size() == 0 || certList == null) {
> > return null;
> > }
> >
> > X509Certificate[] x509certs = new X509Certificate[certList.size()];
> > for (int i = 0; i < certList.size(); i++) {
> > x509certs[i] = (X509Certificate) certList.get(i);
> > }
> > return x509certs;
> > }
> >
> > /**
> > * Return a X509 Certificate alias in the keystore according to a given
> > Certificate
> > * <p/>
> > *
> > * @param cert The certificate to lookup
> > * @return alias name of the certificate that matches the given
> > certificate
> > * or null if no such certificate was found.
> > * <p/>
> > * See comment above
> > * <p/>
> > * See comment above
> > */
> >
> > public String getAliasForX509Cert(Certificate cert) throws
> > WSSecurityException {
> > boolean certFound = false;
> > String alias = null;
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cer;
> > cer = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > if (cer.equals(cert)) {
> > certFound = true;
> > alias = cn;
> > }
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> > String aliasReturn = null;
> > if (certFound) {
> > aliasReturn = alias;
> > }
> > return aliasReturn;
> > }
> >
> > /**
> > * Lookup a X509 Certificate in the keystore according to a given
> > * SubjectKeyIdentifier.
> > * <p/>
> > * The search gets all alias names of the keystore and gets the
> > certificate chain
> > * or certificate for each alias. Then the SKI for each user
> > certificate
> > * is compared with the SKI parameter.
> > *
> > * @param skiBytes The SKI info bytes
> > * @return alias name of the certificate that matches serialNumber and
> > issuer name
> > * or null if no such certificate was found.
> > * @throws org.apache.ws.security.WSSecurityException
> > * if problems during keystore handling or wrong certificate
> > (no SKI data)
> > */
> >
> > public String getAliasForX509Cert(byte[] skiBytes) throws
> > WSSecurityException {
> > String alias = null;
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > byte[] data = getSKIBytesFromCert(cert);
> > if (data.length != skiBytes.length) {
> > continue;
> > }
> > if (Arrays.equals(data, skiBytes)) {
> > alias = cn;
> > return alias;
> > }
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> >
> > return null;
> >
> > }
> >
> >
> > /**
> > * Lookup a X509 Certificate in the keystore according to a given
> > * Thumbprint.
> > * <p/>
> > * The search gets all alias names of the keystore, then reads the
> > certificate chain
> > * or certificate for each alias. Then the thumbprint for each user
> > certificate
> > * is compared with the thumbprint parameter.
> > *
> > * @param thumb The SHA1 thumbprint info bytes
> > * @return alias name of the certificate that matches the thumbprint
> > * or null if no such certificate was found.
> > * @throws org.apache.ws.security.WSSecurityException
> > * if problems during keystore handling or wrong certificate
> > */
> >
> > public String getAliasForX509CertThumb(byte[] thumb) throws
> > WSSecurityException {
> > String alias = null;
> > MessageDigest sha = null;
> >
> > try {
> > sha = MessageDigest.getInstance("SHA-1");
> > } catch (NoSuchAlgorithmException e1) {
> > throw new WSSecurityException(0, "noSHA1availabe");
> > }
> >
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > sha.reset();
> > try {
> > sha.update(cert.getEncoded());
> > } catch (CertificateEncodingException e1) {
> > throw new
> > WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> > "encodeError");
> > }
> > byte[] data = sha.digest();
> >
> > if (Arrays.equals(data, thumb)) {
> > alias = cn;
> > return alias;
> > }
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> >
> > return null;
> > }
> >
> > /**
> > * Lookup X509 Certificates in the keystore according to a given DN of
> > the subject of the certificate
> > * <p/>
> > * The search gets all alias names of the keystore and gets the
> > certificate (chain)
> > * for each alias. Then the DN of the certificate is compared with the
> > parameters.
> > *
> > * @param subjectDN The DN of subject to look for in the keystore
> > * @return Vector with all alias of certificates with the same DN as
> > given in the parameters
> > * @throws org.apache.ws.security.WSSecurityException
> > *
> > */
> > public String[] getAliasesForDN(String subjectDN) throws
> > WSSecurityException {
> >
> > ArrayList aliases = new ArrayList();
> > SearchControls constraints = new SearchControls();
> > constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> >
> > Vector subjectRDN = splitAndTrim(subjectDN);
> > try {
> > NamingEnumeration results = ldapCtx.search(searchContext,
> > "(objectclass=pkiUser)", constraints);
> > while (results != null && results.hasMore()) {
> > SearchResult searchReult = (SearchResult) results.next();
> > javax.naming.directory.Attributes attrs =
> > searchReult.getAttributes();
> > javax.naming.directory.Attribute attrCert
> > = attrs.get("userCertificate;binary");
> > javax.naming.directory.Attribute attrCN =
> > attrs.get("cn");
> > String cn = attrCN.get().toString();
> >
> > if (attrCert != null) {
> > Object binary = attrCert.get();
> > byte[] buffer = (byte[]) binary;
> > CertificateFactory certFact = getCertificateFactory();
> > ByteArrayInputStream binaryIS = new
> > ByteArrayInputStream(buffer);
> > while (binaryIS.available() > 0) {
> > X509Certificate cert;
> > cert = (X509Certificate)
> > certFact.generateCertificate(binaryIS);
> > Vector foundRDN =
> > splitAndTrim(cert.getSubjectDN().getName());
> > if (subjectRDN.equals(foundRDN)) {
> > aliases.add(cn);
> > }
> >
> > }
> > }
> > }
> >
> > } catch (Exception e) {
> >
> > }
> >
> > if (aliases.size() != 0) {
> > String[] result = new String[aliases.size()];
> > for (int i = 0; i < aliases.size(); i++) {
> > result[i] = (String) aliases.get(i);
> > }
> > return result;
> > }
> >
> > return null;
> >
> > }
> >
> > public static void main(String[] args) {
> > Properties props = new Properties();
> > String s;
> > Certificate cet[];
> > try {
> > File prop = new File("LDAPCrypto.properties");
> > FileInputStream in = new FileInputStream(prop);
> > props.load(in);
> > in.close();
> > } catch (Exception e) {
> >
> > }
> > try {
> > LDAPCrypto lCrypto1 = new LDAPCrypto(props);
> > try {
> > X509Certificate[] cert =
> > lCrypto1.getCertificates("Lakmal");
> > String[] d =
> > lCrypto1.getAliasesForDN("EMAILADDRESS=lakmal@gmail.com, CN=lakmal, OU=kd,
> > O=LK, L=LAKM, ST=Eastern, C=SL");
> > System.out.println(d[1]);
> >
> > for (int i = 0; i < cert.length; i++) {
> > System.out.println("Subject DN: " +
> > cert[i].getSubjectDN());
> > System.out.println("Alias For cert: " +
> > lCrypto1.getAliasForX509Cert(cert[i]));
> > System.out.println("Alias For ski: " +
> > lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
> > }
> >
> > } catch (Exception f) {
> > f.printStackTrace();
> >
> > }
> >
> > } catch (NamingException n) {
> > n.printStackTrace();
> > }
> > }
> >
> > private Vector splitAndTrim(String inString) {
> > X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
> > Vector vr = new Vector();
> >
> > while (nmTokens.hasMoreTokens()) {
> > vr.add(nmTokens.nextToken());
> > }
> > java.util.Collections.sort(vr);
> > return vr;
> > }
> >
> > /**
> > * Reads the Subject...
> >
> > [Message clipped]
>
>
> --
> www.ruchith.org
>
--
www.ruchith.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSS4J LDAP Integration
Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Milinda,
I couldn't find any usages of the getKeystore() method in WSS4J.
Therefore IMHO, you can safely throw an UnsupportedOperationException
there.
getDefaultX509Alias() is used to find the certificate to verify the
signature when we cannot find the signature certificate from the
incoming request. Therefore you can use the same approach that Merlin
used to get this value, where you can load it from the .properties
file.
I'm not sure about the solution for getPrvateKey() but can we get the
rest of it completed so we can try to use this with WSS4J to simply
verify incoming signed messages.
Thanks,
Ruchith
On 7/19/06, Milinda Lakmal <mi...@yahoo.com> wrote:
>
>
> Hi,
> I implemented some of the methods in crypto interface.
> But I have problems with these methods. Can you please reply me if you have
> any suggestions to these problems.
>
> public PrivateKey getPrivateKey(String alias, String password) throws
> Exception;
>
> public String getDefaultX509Alias();
> What is the default alias when considering the LDAP Certifictae Stroe?
>
> public KeyStore getKeyStore();
> This method realy confused me when regarding the LDAP cert store. When we
> use ldap cert store this interface cant use.
>
> Here is my current implementations:
> package org.apache.ws.security.components;
>
> /**
> * Created by IntelliJ IDEA.
> * User: milinda
> * Date: Jul 18, 2006
> * Time: 7:35:47 PM
> * To change this template use File | Settings | File Templates.
> */
>
> import org.apache.ws.security.WSSecurityException;
>
> import javax.naming.directory.*;
> import javax.naming.NamingException;
> import javax.naming.Context;
> import javax.naming.NamingEnumeration;
> import java.security.cert.*;
> import java.security.NoSuchAlgorithmException;
> import java.security.MessageDigest;
> import java.security.PublicKey;
> import java.security.interfaces.RSAPublicKey;
> import java.util.*;
> import java.io.ByteArrayInputStream;
> import java.io.File;
> import java.io.FileInputStream;
>
> public class LDAPCrypto {
> protected static CertificateFactory certFact;
> protected static DirContext ldapCtx;
> protected static String searchContext;
> protected Properties properties;
> protected ArrayList caCertList;
> static String SKI_OID = "2.5.29.14";
>
> /**
> * Constructor
> *
> * @param properties
> * @throws javax.naming.NamingException
> */
>
> public LDAPCrypto(Properties properties) throws NamingException {
> /*
> * if no properties .. just return an instance, the rest will be
> * done later or this instance is just used to handle certificate
> * conversions in this implementatio
> */
> if (properties == null) {
> return;
> }
> this.properties = properties;
>
> searchContext =
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");
> Hashtable ldapEnv = new Hashtable(11);
> ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
> ldapEnv.put(Context.PROVIDER_URL,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));
>
> /**
> * Look for the authentication type & create DirContext according
> to the properties
> */
> if
> (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("none"))
> {
> ldapEnv.put(Context.SECURITY_AUTHENTICATION,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> ldapCtx = new InitialDirContext(ldapEnv);
> }
> if
> (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("simple"))
> {
> ldapEnv.put(Context.SECURITY_AUTHENTICATION,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> ldapEnv.put(Context.SECURITY_PRINCIPAL,
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
> ldapEnv.put(Context.SECURITY_CREDENTIALS,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
> ldapCtx = new InitialDirContext(ldapEnv);
> System.out.println(ldapCtx);
>
> }
> caCertList = new ArrayList();
> }
>
> /**
> * Singleton certificate factory for this Crypto instance.
> * <p/>
> *
> * @return Returns a <code>CertificateFactory</code> to construct
> * X509 certficates
> * @throws org.apache.ws.security.WSSecurityException
> *
> */
> public synchronized CertificateFactory getCertificateFactory() throws
> WSSecurityException {
> if (certFact == null) {
> try {
>
> certFact = CertificateFactory.getInstance("X.509");
>
> } catch (CertificateException e) {
> throw new
> WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> "unsupportedCertType");
>
> }
> return certFact;
> }
> return certFact;
> }
>
> public String getEmailFromDN(String DN) {
> StringTokenizer stOne = new StringTokenizer(DN, ",");
> StringTokenizer stTwo = new StringTokenizer(stOne.nextToken(),
> "=");
> stTwo.nextToken();
> return stTwo.nextToken();
> }
>
> public ArrayList getCAS(String caAlias) {
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiCA)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attr =
> attrs.get("cACertificate;binary");
> if (attr == null) {
> return null;
> } else {
> Object binary = attr.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> if (caAlias.equals(cert.getSubjectDN().toString()))
> {
> caCertList.add(cert);
> if
> (cert.getSubjectDN().toString().equals(cert.getIssuerDN().toString())) {
> return caCertList;
> } else {
> caCertList =
> getCAS(cert.getIssuerDN().toString());
> }
>
> }
> }
> }
> }
> } catch (Exception e) {
>
> }
>
> return caCertList;
> }
>
> public X509Certificate[] getCertificates(String alias) throws
> WSSecurityException {
> ArrayList certList = new ArrayList();
> ArrayList caCList = new ArrayList();
>
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext, "cn="
> + alias, constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attr =
> attrs.get("userCertificate;binary");
> if (attr != null) {
> Object binary = attr.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> certList.add(cert);
> caCList = getCAS(cert.getIssuerDN().toString());
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
> for (int j = 0; j < caCList.size(); j++) {
> certList.add(caCList.get(j));
> }
> if (certList.size() == 0 || certList == null) {
> return null;
> }
>
> X509Certificate[] x509certs = new X509Certificate[certList.size()];
> for (int i = 0; i < certList.size(); i++) {
> x509certs[i] = (X509Certificate) certList.get(i);
> }
> return x509certs;
> }
>
> /**
> * Return a X509 Certificate alias in the keystore according to a given
> Certificate
> * <p/>
> *
> * @param cert The certificate to lookup
> * @return alias name of the certificate that matches the given
> certificate
> * or null if no such certificate was found.
> * <p/>
> * See comment above
> * <p/>
> * See comment above
> */
>
> public String getAliasForX509Cert(Certificate cert) throws
> WSSecurityException {
> boolean certFound = false;
> String alias = null;
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cer;
> cer = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> if (cer.equals(cert)) {
> certFound = true;
> alias = cn;
> }
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
> String aliasReturn = null;
> if (certFound) {
> aliasReturn = alias;
> }
> return aliasReturn;
> }
>
> /**
> * Lookup a X509 Certificate in the keystore according to a given
> * SubjectKeyIdentifier.
> * <p/>
> * The search gets all alias names of the keystore and gets the
> certificate chain
> * or certificate for each alias. Then the SKI for each user
> certificate
> * is compared with the SKI parameter.
> *
> * @param skiBytes The SKI info bytes
> * @return alias name of the certificate that matches serialNumber and
> issuer name
> * or null if no such certificate was found.
> * @throws org.apache.ws.security.WSSecurityException
> * if problems during keystore handling or wrong certificate
> (no SKI data)
> */
>
> public String getAliasForX509Cert(byte[] skiBytes) throws
> WSSecurityException {
> String alias = null;
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> byte[] data = getSKIBytesFromCert(cert);
> if (data.length != skiBytes.length) {
> continue;
> }
> if (Arrays.equals(data, skiBytes)) {
> alias = cn;
> return alias;
> }
> }
> }
> }
>
> } catch (Exception e) {
>
> }
>
> return null;
>
> }
>
>
> /**
> * Lookup a X509 Certificate in the keystore according to a given
> * Thumbprint.
> * <p/>
> * The search gets all alias names of the keystore, then reads the
> certificate chain
> * or certificate for each alias. Then the thumbprint for each user
> certificate
> * is compared with the thumbprint parameter.
> *
> * @param thumb The SHA1 thumbprint info bytes
> * @return alias name of the certificate that matches the thumbprint
> * or null if no such certificate was found.
> * @throws org.apache.ws.security.WSSecurityException
> * if problems during keystore handling or wrong certificate
> */
>
> public String getAliasForX509CertThumb(byte[] thumb) throws
> WSSecurityException {
> String alias = null;
> MessageDigest sha = null;
>
> try {
> sha = MessageDigest.getInstance("SHA-1");
> } catch (NoSuchAlgorithmException e1) {
> throw new WSSecurityException(0, "noSHA1availabe");
> }
>
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> sha.reset();
> try {
> sha.update(cert.getEncoded());
> } catch (CertificateEncodingException e1) {
> throw new
> WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> "encodeError");
> }
> byte[] data = sha.digest();
>
> if (Arrays.equals(data, thumb)) {
> alias = cn;
> return alias;
> }
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
>
> return null;
> }
>
> /**
> * Lookup X509 Certificates in the keystore according to a given DN of
> the subject of the certificate
> * <p/>
> * The search gets all alias names of the keystore and gets the
> certificate (chain)
> * for each alias. Then the DN of the certificate is compared with the
> parameters.
> *
> * @param subjectDN The DN of subject to look for in the keystore
> * @return Vector with all alias of certificates with the same DN as
> given in the parameters
> * @throws org.apache.ws.security.WSSecurityException
> *
> */
> public String[] getAliasesForDN(String subjectDN) throws
> WSSecurityException {
>
> ArrayList aliases = new ArrayList();
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>
> Vector subjectRDN = splitAndTrim(subjectDN);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> Vector foundRDN =
> splitAndTrim(cert.getSubjectDN().getName());
> if (subjectRDN.equals(foundRDN)) {
> aliases.add(cn);
> }
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
>
> if (aliases.size() != 0) {
> String[] result = new String[aliases.size()];
> for (int i = 0; i < aliases.size(); i++) {
> result[i] = (String) aliases.get(i);
> }
> return result;
> }
>
> return null;
>
> }
>
> public static void main(String[] args) {
> Properties props = new Properties();
> String s;
> Certificate cet[];
> try {
> File prop = new File("LDAPCrypto.properties");
> FileInputStream in = new FileInputStream(prop);
> props.load(in);
> in.close();
> } catch (Exception e) {
>
> }
> try {
> LDAPCrypto lCrypto1 = new LDAPCrypto(props);
> try {
> X509Certificate[] cert =
> lCrypto1.getCertificates("Lakmal");
> String[] d =
> lCrypto1.getAliasesForDN("EMAILADDRESS=lakmal@gmail.com, CN=lakmal, OU=kd,
> O=LK, L=LAKM, ST=Eastern, C=SL");
> System.out.println(d[1]);
>
> for (int i = 0; i < cert.length; i++) {
> System.out.println("Subject DN: " +
> cert[i].getSubjectDN());
> System.out.println("Alias For cert: " +
> lCrypto1.getAliasForX509Cert(cert[i]));
> System.out.println("Alias For ski: " +
> lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
> }
>
> } catch (Exception f) {
> f.printStackTrace();
>
> }
>
> } catch (NamingException n) {
> n.printStackTrace();
> }
> }
>
> private Vector splitAndTrim(String inString) {
> X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
> Vector vr = new Vector();
>
> while (nmTokens.hasMoreTokens()) {
> vr.add(nmTokens.nextToken());
> }
> java.util.Collections.sort(vr);
> return vr;
> }
>
> /**
> * Reads the Subject...
>
> [Message clipped]
--
www.ruchith.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
Re: WSS4J LDAP Integration
Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Milinda,
I couldn't find any usages of the getKeystore() method in WSS4J.
Therefore IMHO, you can safely throw an UnsupportedOperationException
there.
getDefaultX509Alias() is used to find the certificate to verify the
signature when we cannot find the signature certificate from the
incoming request. Therefore you can use the same approach that Merlin
used to get this value, where you can load it from the .properties
file.
I'm not sure about the solution for getPrvateKey() but can we get the
rest of it completed so we can try to use this with WSS4J to simply
verify incoming signed messages.
Thanks,
Ruchith
On 7/19/06, Milinda Lakmal <mi...@yahoo.com> wrote:
>
>
> Hi,
> I implemented some of the methods in crypto interface.
> But I have problems with these methods. Can you please reply me if you have
> any suggestions to these problems.
>
> public PrivateKey getPrivateKey(String alias, String password) throws
> Exception;
>
> public String getDefaultX509Alias();
> What is the default alias when considering the LDAP Certifictae Stroe?
>
> public KeyStore getKeyStore();
> This method realy confused me when regarding the LDAP cert store. When we
> use ldap cert store this interface cant use.
>
> Here is my current implementations:
> package org.apache.ws.security.components;
>
> /**
> * Created by IntelliJ IDEA.
> * User: milinda
> * Date: Jul 18, 2006
> * Time: 7:35:47 PM
> * To change this template use File | Settings | File Templates.
> */
>
> import org.apache.ws.security.WSSecurityException;
>
> import javax.naming.directory.*;
> import javax.naming.NamingException;
> import javax.naming.Context;
> import javax.naming.NamingEnumeration;
> import java.security.cert.*;
> import java.security.NoSuchAlgorithmException;
> import java.security.MessageDigest;
> import java.security.PublicKey;
> import java.security.interfaces.RSAPublicKey;
> import java.util.*;
> import java.io.ByteArrayInputStream;
> import java.io.File;
> import java.io.FileInputStream;
>
> public class LDAPCrypto {
> protected static CertificateFactory certFact;
> protected static DirContext ldapCtx;
> protected static String searchContext;
> protected Properties properties;
> protected ArrayList caCertList;
> static String SKI_OID = "2.5.29.14";
>
> /**
> * Constructor
> *
> * @param properties
> * @throws javax.naming.NamingException
> */
>
> public LDAPCrypto(Properties properties) throws NamingException {
> /*
> * if no properties .. just return an instance, the rest will be
> * done later or this instance is just used to handle certificate
> * conversions in this implementatio
> */
> if (properties == null) {
> return;
> }
> this.properties = properties;
>
> searchContext =
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");
> Hashtable ldapEnv = new Hashtable(11);
> ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
> ldapEnv.put(Context.PROVIDER_URL,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));
>
> /**
> * Look for the authentication type & create DirContext according
> to the properties
> */
> if
> (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("none"))
> {
> ldapEnv.put(Context.SECURITY_AUTHENTICATION,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> ldapCtx = new InitialDirContext(ldapEnv);
> }
> if
> (this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("simple"))
> {
> ldapEnv.put(Context.SECURITY_AUTHENTICATION,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
> ldapEnv.put(Context.SECURITY_PRINCIPAL,
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
> ldapEnv.put(Context.SECURITY_CREDENTIALS,
>
> this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
> ldapCtx = new InitialDirContext(ldapEnv);
> System.out.println(ldapCtx);
>
> }
> caCertList = new ArrayList();
> }
>
> /**
> * Singleton certificate factory for this Crypto instance.
> * <p/>
> *
> * @return Returns a <code>CertificateFactory</code> to construct
> * X509 certficates
> * @throws org.apache.ws.security.WSSecurityException
> *
> */
> public synchronized CertificateFactory getCertificateFactory() throws
> WSSecurityException {
> if (certFact == null) {
> try {
>
> certFact = CertificateFactory.getInstance("X.509");
>
> } catch (CertificateException e) {
> throw new
> WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> "unsupportedCertType");
>
> }
> return certFact;
> }
> return certFact;
> }
>
> public String getEmailFromDN(String DN) {
> StringTokenizer stOne = new StringTokenizer(DN, ",");
> StringTokenizer stTwo = new StringTokenizer(stOne.nextToken(),
> "=");
> stTwo.nextToken();
> return stTwo.nextToken();
> }
>
> public ArrayList getCAS(String caAlias) {
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiCA)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attr =
> attrs.get("cACertificate;binary");
> if (attr == null) {
> return null;
> } else {
> Object binary = attr.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> if (caAlias.equals(cert.getSubjectDN().toString()))
> {
> caCertList.add(cert);
> if
> (cert.getSubjectDN().toString().equals(cert.getIssuerDN().toString())) {
> return caCertList;
> } else {
> caCertList =
> getCAS(cert.getIssuerDN().toString());
> }
>
> }
> }
> }
> }
> } catch (Exception e) {
>
> }
>
> return caCertList;
> }
>
> public X509Certificate[] getCertificates(String alias) throws
> WSSecurityException {
> ArrayList certList = new ArrayList();
> ArrayList caCList = new ArrayList();
>
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext, "cn="
> + alias, constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attr =
> attrs.get("userCertificate;binary");
> if (attr != null) {
> Object binary = attr.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> certList.add(cert);
> caCList = getCAS(cert.getIssuerDN().toString());
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
> for (int j = 0; j < caCList.size(); j++) {
> certList.add(caCList.get(j));
> }
> if (certList.size() == 0 || certList == null) {
> return null;
> }
>
> X509Certificate[] x509certs = new X509Certificate[certList.size()];
> for (int i = 0; i < certList.size(); i++) {
> x509certs[i] = (X509Certificate) certList.get(i);
> }
> return x509certs;
> }
>
> /**
> * Return a X509 Certificate alias in the keystore according to a given
> Certificate
> * <p/>
> *
> * @param cert The certificate to lookup
> * @return alias name of the certificate that matches the given
> certificate
> * or null if no such certificate was found.
> * <p/>
> * See comment above
> * <p/>
> * See comment above
> */
>
> public String getAliasForX509Cert(Certificate cert) throws
> WSSecurityException {
> boolean certFound = false;
> String alias = null;
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cer;
> cer = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> if (cer.equals(cert)) {
> certFound = true;
> alias = cn;
> }
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
> String aliasReturn = null;
> if (certFound) {
> aliasReturn = alias;
> }
> return aliasReturn;
> }
>
> /**
> * Lookup a X509 Certificate in the keystore according to a given
> * SubjectKeyIdentifier.
> * <p/>
> * The search gets all alias names of the keystore and gets the
> certificate chain
> * or certificate for each alias. Then the SKI for each user
> certificate
> * is compared with the SKI parameter.
> *
> * @param skiBytes The SKI info bytes
> * @return alias name of the certificate that matches serialNumber and
> issuer name
> * or null if no such certificate was found.
> * @throws org.apache.ws.security.WSSecurityException
> * if problems during keystore handling or wrong certificate
> (no SKI data)
> */
>
> public String getAliasForX509Cert(byte[] skiBytes) throws
> WSSecurityException {
> String alias = null;
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> byte[] data = getSKIBytesFromCert(cert);
> if (data.length != skiBytes.length) {
> continue;
> }
> if (Arrays.equals(data, skiBytes)) {
> alias = cn;
> return alias;
> }
> }
> }
> }
>
> } catch (Exception e) {
>
> }
>
> return null;
>
> }
>
>
> /**
> * Lookup a X509 Certificate in the keystore according to a given
> * Thumbprint.
> * <p/>
> * The search gets all alias names of the keystore, then reads the
> certificate chain
> * or certificate for each alias. Then the thumbprint for each user
> certificate
> * is compared with the thumbprint parameter.
> *
> * @param thumb The SHA1 thumbprint info bytes
> * @return alias name of the certificate that matches the thumbprint
> * or null if no such certificate was found.
> * @throws org.apache.ws.security.WSSecurityException
> * if problems during keystore handling or wrong certificate
> */
>
> public String getAliasForX509CertThumb(byte[] thumb) throws
> WSSecurityException {
> String alias = null;
> MessageDigest sha = null;
>
> try {
> sha = MessageDigest.getInstance("SHA-1");
> } catch (NoSuchAlgorithmException e1) {
> throw new WSSecurityException(0, "noSHA1availabe");
> }
>
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> sha.reset();
> try {
> sha.update(cert.getEncoded());
> } catch (CertificateEncodingException e1) {
> throw new
> WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
> "encodeError");
> }
> byte[] data = sha.digest();
>
> if (Arrays.equals(data, thumb)) {
> alias = cn;
> return alias;
> }
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
>
> return null;
> }
>
> /**
> * Lookup X509 Certificates in the keystore according to a given DN of
> the subject of the certificate
> * <p/>
> * The search gets all alias names of the keystore and gets the
> certificate (chain)
> * for each alias. Then the DN of the certificate is compared with the
> parameters.
> *
> * @param subjectDN The DN of subject to look for in the keystore
> * @return Vector with all alias of certificates with the same DN as
> given in the parameters
> * @throws org.apache.ws.security.WSSecurityException
> *
> */
> public String[] getAliasesForDN(String subjectDN) throws
> WSSecurityException {
>
> ArrayList aliases = new ArrayList();
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>
> Vector subjectRDN = splitAndTrim(subjectDN);
> try {
> NamingEnumeration results = ldapCtx.search(searchContext,
> "(objectclass=pkiUser)", constraints);
> while (results != null && results.hasMore()) {
> SearchResult searchReult = (SearchResult) results.next();
> javax.naming.directory.Attributes attrs =
> searchReult.getAttributes();
> javax.naming.directory.Attribute attrCert
> = attrs.get("userCertificate;binary");
> javax.naming.directory.Attribute attrCN =
> attrs.get("cn");
> String cn = attrCN.get().toString();
>
> if (attrCert != null) {
> Object binary = attrCert.get();
> byte[] buffer = (byte[]) binary;
> CertificateFactory certFact = getCertificateFactory();
> ByteArrayInputStream binaryIS = new
> ByteArrayInputStream(buffer);
> while (binaryIS.available() > 0) {
> X509Certificate cert;
> cert = (X509Certificate)
> certFact.generateCertificate(binaryIS);
> Vector foundRDN =
> splitAndTrim(cert.getSubjectDN().getName());
> if (subjectRDN.equals(foundRDN)) {
> aliases.add(cn);
> }
>
> }
> }
> }
>
> } catch (Exception e) {
>
> }
>
> if (aliases.size() != 0) {
> String[] result = new String[aliases.size()];
> for (int i = 0; i < aliases.size(); i++) {
> result[i] = (String) aliases.get(i);
> }
> return result;
> }
>
> return null;
>
> }
>
> public static void main(String[] args) {
> Properties props = new Properties();
> String s;
> Certificate cet[];
> try {
> File prop = new File("LDAPCrypto.properties");
> FileInputStream in = new FileInputStream(prop);
> props.load(in);
> in.close();
> } catch (Exception e) {
>
> }
> try {
> LDAPCrypto lCrypto1 = new LDAPCrypto(props);
> try {
> X509Certificate[] cert =
> lCrypto1.getCertificates("Lakmal");
> String[] d =
> lCrypto1.getAliasesForDN("EMAILADDRESS=lakmal@gmail.com, CN=lakmal, OU=kd,
> O=LK, L=LAKM, ST=Eastern, C=SL");
> System.out.println(d[1]);
>
> for (int i = 0; i < cert.length; i++) {
> System.out.println("Subject DN: " +
> cert[i].getSubjectDN());
> System.out.println("Alias For cert: " +
> lCrypto1.getAliasForX509Cert(cert[i]));
> System.out.println("Alias For ski: " +
> lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
> }
>
> } catch (Exception f) {
> f.printStackTrace();
>
> }
>
> } catch (NamingException n) {
> n.printStackTrace();
> }
> }
>
> private Vector splitAndTrim(String inString) {
> X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
> Vector vr = new Vector();
>
> while (nmTokens.hasMoreTokens()) {
> vr.add(nmTokens.nextToken());
> }
> java.util.Collections.sort(vr);
> return vr;
> }
>
> /**
> * Reads the Subject...
>
> [Message clipped]
--
www.ruchith.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org