Posted to rampart-dev@ws.apache.org by shams jawaid <sh...@hotmail.com> on 2007/09/16 23:31:08 UTC

Re: [wsf-php-user] Re: [RAMPART / WSF PHP ] [KEYS]

Hi kaushalye,

my service was not decrypting and validating at the server side, so I tried
to use the WSO2 keystore explorer:

http://ww2.wso2.org:12080/kse/ShowMain.action

which is supposed to be able to output the private key in .pem format. I
downloaded a copy of Rampart 1.3 and got a new set of client.jks and
service.jks. So for encryption and signature I needed the client-side key and
the client and server certificates.

I first extracted the private key using the WSO2 keystore explorer, and I do
see the output for the client.jks client private key, and I saved the
output text from Notepad with a .pem extension, although I don't know if this
is the right way to save a private key, just renaming a text file, but I
could not find any other way.

So I saved my client-side private key and then went about exporting the
server-side and client-side certificates that were required for encryption
and signature. I used the keytool commands to export the client and server
certificates, saved them in Notepad and renamed them with a .cert extension.
Is this the right way to save a certificate?

Then I made a link to them in my PHP client, but again I don't see any
output, and when I change back to the sample keys provided in the WSF samples, it
works. What is going wrong here? Are the Rampart sample keys corrupted? I
checked their validity date and they are still valid. I have attached the
Rampart sample keys I've been trying to use, my client-side private key
output that I saved from the WSO2 keystore explorer, and the keytool commands
I used to export the certificates, in a text file. If you can see any error
please let me know.

many thanks!


>From: Kaushalye Kapuruge <ka...@wso2.com>
>Reply-To: rampart-dev@ws.apache.org
>To: wsf-php-user@wso2.org
>CC: rampart-dev@ws.apache.org
>Subject: Re: [wsf-php-user] Re: [RAMPART / WSF PHP ] [ Files Included ]
>Date: Fri, 14 Sep 2007 17:47:21 +0530
>
>Hi Shams,
>We tried your sample with your keys. There is a failure on the client side.
>According to the log, the client's private key is not valid. Maybe it was
>corrupted during the conversion.
>Also I tried a simple openssl command to sign.
>
>openssl dgst -sha1  -sign clientkey.pem  -out mytextfile.sha1 mytextfile
>
>Again your key failed, whereas this worked for other private keys I have.
>So there is no point in worrying about security policies. Can you try to
>use the sample key/certificate pairs [1] available in the samples? You can
>easily import them into the Java keystore using keytool [2].
>Cheers,
>Kaushalye
>[1]wsf-php-1.0.0/samples/security/keys
>[2]http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
>
>
>shams jawaid wrote:
>>Hi guys,
>>
>>here are all the files. I had to reduce the size so it's under 1 MB, but if
>>you need anything else, let me know. Once again, thanks for all your help!
>>It is greatly appreciated! :D
>>
>>
>>>From: Kaushalye Kapuruge <ka...@wso2.com>
>>>Reply-To: wsf-php-user@wso2.org
>>>To: rampart-dev@ws.apache.org
>>>CC: wsf-php-user@wso2.org
>>>Subject: [wsf-php-user] Re: [RAMPART / WSF PHP ]
>>>Date: Fri, 14 Sep 2007 10:14:52 +0530
>>>
>>>Hi Shams,
>>>Could you please send us the following; we will try to run it at our end and see
>>>if there are errors, because sometimes the information you are giving is not
>>>sufficient to locate the error.
>>>1. PHP Client
>>>2. Client's private key and the certificate
>>>3. Server's keystore+aliases+passwords, certificate(exported)
>>>4. Client's policy file
>>>5. Server's service.xml file
>>>6. Log files and the SOAP message trace of your last attempt(when you 
>>>enable encryption and signing).
>>>Cheers,
>>>Kaushalye
>>>
>>>
>>>shams jawaid wrote:
>>>>Hi ,
>>>>
>>>>I am currently trying to encrypt and sign messages from my PHP client
>>>>using the WSF/PHP extension and the Rampart policy assertion, but get no
>>>>output at all. If anyone can identify flaws in my policy.xml, linked
>>>>into my PHP client, or the services.xml file in my Axis2/Java web service
>>>>META-INF folder, please let me know:
>>>>
>>>>services.xml:
>>>>
>>>><service name="HealthCareServiceTest1" scope="application">
>>>>  <description>
>>>>    Health Care Service test
>>>>  </description>
>>>>
>>>>  <messageReceivers>
>>>>    <messageReceiver
>>>>      mep="http://www.w3.org/2004/08/wsdl/in-out"
>>>>      class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
>>>>    <messageReceiver
>>>>      mep="http://www.w3.org/2004/08/wsdl/in-only"
>>>>      class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
>>>>    <!-- the original listed the in-out receiver a second time; one entry per MEP is enough -->
>>>>  </messageReceivers>
>>>>
>>>>  <parameter name="ServiceClass" locked="false">org.health</parameter>
>>>>
>>>>  <module ref="rampart" />
>>>>  <module ref="addressing" />
>>>>
>>>>  <wsp:Policy wsu:Id="SigEncr"
>>>>      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>>      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>>    <wsp:ExactlyOne>
>>>>      <wsp:All>
>>>>        <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>          <wsp:Policy>
>>>>            <sp:InitiatorToken>
>>>>              <wsp:Policy>
>>>>                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>>                  <wsp:Policy>
>>>>                    <sp:WssX509V3Token10 />
>>>>                  </wsp:Policy>
>>>>                </sp:X509Token>
>>>>              </wsp:Policy>
>>>>            </sp:InitiatorToken>
>>>>            <sp:RecipientToken>
>>>>              <wsp:Policy>
>>>>                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>>                  <wsp:Policy>
>>>>                    <sp:WssX509V3Token10 />
>>>>                  </wsp:Policy>
>>>>                </sp:X509Token>
>>>>              </wsp:Policy>
>>>>            </sp:RecipientToken>
>>>>            <sp:AlgorithmSuite>
>>>>              <wsp:Policy>
>>>>                <sp:TripleDesRsa15 />
>>>>              </wsp:Policy>
>>>>            </sp:AlgorithmSuite>
>>>>            <sp:Layout>
>>>>              <wsp:Policy>
>>>>                <sp:Strict />
>>>>              </wsp:Policy>
>>>>            </sp:Layout>
>>>>            <sp:IncludeTimestamp />
>>>>            <sp:EncryptBeforeSigning/>
>>>>            <sp:OnlySignEntireHeadersAndBody />
>>>>          </wsp:Policy>
>>>>        </sp:AsymmetricBinding>
>>>>        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>          <wsp:Policy>
>>>>            <sp:MustSupportRefKeyIdentifier />
>>>>            <sp:MustSupportRefIssuerSerial />
>>>>          </wsp:Policy>
>>>>        </sp:Wss10>
>>>>        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>          <sp:Body/>
>>>>        </sp:EncryptedParts>
>>>>        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>          <sp:Body/>
>>>>        </sp:SignedParts>
>>>>        <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>>>>          <ramp:user>service</ramp:user>
>>>>          <ramp:encryptionUser>client</ramp:encryptionUser>
>>>>          <ramp:passwordCallbackClass>org.PWCBHandler</ramp:passwordCallbackClass>
>>>>          <ramp:signatureCrypto>
>>>>            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>>              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>>>>              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>>>>              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>>>>            </ramp:crypto>
>>>>          </ramp:signatureCrypto>
>>>>          <!-- the original spelled this element "encryptionCypto"; the name Rampart expects is encryptionCrypto -->
>>>>          <ramp:encryptionCrypto>
>>>>            <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>>>>              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>>>>              <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>>>>              <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
>>>>            </ramp:crypto>
>>>>          </ramp:encryptionCrypto>
>>>>        </ramp:RampartConfig>
>>>>      </wsp:All>
>>>>    </wsp:ExactlyOne>
>>>>  </wsp:Policy>
>>>></service>
>>>>
>>>>policy.xml:
>>>>
>>>><wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
>>>>  <wsp:ExactlyOne>
>>>>    <wsp:All>
>>>>      <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>>>>        <wsp:Policy>
>>>>          <sp:InitiatorToken>
>>>>            <wsp:Policy>
>>>>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>>>>                <wsp:Policy>
>>>>                  <sp:WssX509V3Token10 />
>>>>                </wsp:Policy>
>>>>              </sp:X509Token>
>>>>            </wsp:Policy>
>>>>          </sp:InitiatorToken>
>>>>          <sp:RecipientToken>
>>>>            <wsp:Policy>
>>>>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>>>>                <wsp:Policy>
>>>>                  <sp:WssX509V3Token10 />
>>>>                </wsp:Policy>
>>>>              </sp:X509Token>
>>>>            </wsp:Policy>
>>>>          </sp:RecipientToken>
>>>>          <sp:AlgorithmSuite>
>>>>            <wsp:Policy>
>>>>              <!-- the services.xml above asks for TripleDesRsa15; the client and service suites should agree -->
>>>>              <sp:Basic256Rsa15 />
>>>>            </wsp:Policy>
>>>>          </sp:AlgorithmSuite>
>>>>          <sp:Layout>
>>>>            <wsp:Policy>
>>>>              <sp:Strict />
>>>>            </wsp:Policy>
>>>>          </sp:Layout>
>>>>          <sp:IncludeTimestamp />
>>>>          <sp:EncryptBeforeSigning />
>>>>          <sp:OnlySignEntireHeadersAndBody />
>>>>        </wsp:Policy>
>>>>      </sp:AsymmetricBinding>
>>>>      <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>>>>        <wsp:Policy>
>>>>          <sp:MustSupportRefIssuerSerial />
>>>>        </wsp:Policy>
>>>>      </sp:Wss10>
>>>>      <sp:EncryptedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>>>>        <sp:Body/>
>>>>      </sp:EncryptedParts>
>>>>      <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>>>>        <sp:Body/>
>>>>      </sp:SignedParts>
>>>>    </wsp:All>
>>>>  </wsp:ExactlyOne>
>>>></wsp:Policy>
>>>>
>>>>
>>>>
>>>>With this setting I get no output at all.
>>>>However, if I remove the
>>>>
>>>><sp:EncryptedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>>>>  <sp:Body/>
>>>></sp:EncryptedParts>
>>>><sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>>>>  <sp:Body/>
>>>></sp:SignedParts>
>>>>
>>>>part in the policy.xml, I get output, with a timestamp but no encryption
>>>>or signature,
>>>>and the timestamp has the error:
>>>>
>>>>WSSecurityEngine: Invalid timestamp The security semantics of message 
>>>>have expired
>>>>
>>>>            <wsu:Created>2007-09-14T03:16:30.046Z</wsu:Created>
>>>>            <wsu:Expires>2007-09-14T03:16:30.046Z</wsu:Expires>
>>>>
>>>>WSSecurityEngine: Invalid timestamp The security semantics of message 
>>>>have expired
>>>>
>>>>The time 3:16 is the same as my Windows clock, although I had to uncheck
>>>>the "Automatically adjust clock for daylight saving changes" setting
>>>>in the Windows time settings. If that was on, my Windows time would
>>>>always be one hour ahead of the timestamp created. I am using a PHP
>>>>client, so I just thought I'd mention that if I use the PHP date and time
>>>>functions,
>>>>
>>>>echo date('c'); // date() needs a format string and reports local time
>>>>
>>>>it always gives me the time one hour ahead. I know a mismatch in time
>>>>between the client and server can cause an invalid timestamp error, but for
>>>>now my Windows time does match the time stated in the timestamp SOAP
>>>>messages. Is there any idea why I'm getting this error? Or are there any
>>>>faults in my services/policy.xml files?
>>>>
>>>>please help!
>>>>
>>>>thanks a lot!
>>>>
>>>>
>>>>
>>>
>>>
>>>--
>>>http://kaushalye.blogspot.com/
>>>http://wso2.org/
>>>
>>>
>>>_______________________________________________
>>>Wsf-php-user mailing list
>>>Wsf-php-user@wso2.org
>>>http://wso2.org/cgi-bin/mailman/listinfo/wsf-php-user
>>
>>
>>
>
>
>--
>http://kaushalye.blogspot.com/
>http://wso2.org/
>

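What the thread keeps circling back to is getting a usable PEM key and certificate out of the Rampart sample keystores and proving the key works before touching any policy. The script below is an added example, not code from the thread, from WSF/PHP or from Rampart: it exports one alias from a JKS keystore through PKCS#12 with keytool and openssl, then runs the checks a practitioner would want on the resulting PEM pair, including the openssl dgst -sign round trip from Kaushalye's reply. The alias names, passwords and file names in the usage comments are assumptions; it needs a Java 6 or later keytool (for -importkeystore) and an openssl binary. SHA-1 is kept only because that is what the reply used; this is a format check, not an algorithm recommendation.

```shell
#!/bin/sh
# Added example (not from the thread, WSF/PHP or Rampart): JKS -> PEM export and
# sanity checks on the PEM files. Assumes keytool (Java 6+) and openssl are on PATH.
set -eu

# Export one alias from a JKS keystore as key + certificate PEM files.
# Usage: jks_to_pem client.jks client apache out/client   (alias/password are assumptions)
jks_to_pem() {
    jks=$1 alias=$2 storepass=$3 out=$4
    # openssl cannot read JKS; go through PKCS#12, which both tools understand.
    keytool -importkeystore -noprompt \
        -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$storepass" -srcalias "$alias" \
        -destkeystore "$out.p12" -deststoretype PKCS12 -deststorepass "$storepass"
    openssl pkcs12 -in "$out.p12" -passin "pass:$storepass" -nocerts -nodes -out "$out.key.pem"
    openssl pkcs12 -in "$out.p12" -passin "pass:$storepass" -nokeys -clcerts -out "$out.cert.pem"
    rm -f "$out.p12"
}

# Certificate-only export straight from keytool. -rfc writes PEM text; without it the
# file is binary DER, which does not survive a trip through a text editor.
jks_export_cert() {
    keytool -export -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Checks on a PEM private key that was pasted out of an editor: a UTF-8 byte-order mark
# or a missing BEGIN/END line are the usual ways "save as text, rename to .pem" goes wrong.
pem_text_ok() {
    f=$1
    if [ "$(head -c 3 "$f" | od -A n -t x1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "$f: starts with a UTF-8 byte-order mark"; return 1
    fi
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$f" || { echo "$f: no PEM BEGIN line"; return 1; }
    grep -q -- '^-----END .*PRIVATE KEY-----' "$f" || { echo "$f: no PEM END line"; return 1; }
    # CRLF line endings are tolerated by openssl; just worth knowing when a file came from Notepad.
    if grep -q "$(printf '\r')" "$f"; then echo "$f: note: CRLF line endings"; fi
    return 0
}

# Does the key parse at all, and are its RSA components internally consistent?
pem_key_ok() {
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# The private key must belong to the certificate you hand out: compare the moduli.
key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# The round trip from the reply on the list: sign a file with the key, then verify the
# signature with the public key pulled out of the certificate.
sign_verify_ok() {
    key=$1 cert=$2 file=$3
    openssl dgst -sha1 -sign "$key" -out "$file.sig" "$file" 2>/dev/null || return 1
    openssl x509 -in "$cert" -pubkey -noout > "$file.pub" 2>/dev/null || return 1
    openssl dgst -sha1 -verify "$file.pub" -signature "$file.sig" "$file" >/dev/null 2>&1
}

# All of the above on one key/cert pair; exit status 0 means the pair is usable.
check_pair() {
    key=$1 cert=$2 probe=$(mktemp)
    printf 'probe message\n' > "$probe"
    rc=0
    pem_text_ok "$key" && pem_key_ok "$key" && key_matches_cert "$key" "$cert" \
        && sign_verify_ok "$key" "$cert" "$probe" || rc=$?
    rm -f "$probe" "$probe.sig" "$probe.pub"
    return $rc
}
# Usage after sourcing this file:  jks_to_pem client.jks client apache client
#                                  check_pair client.key.pem client.cert.pem
```

If check_pair fails on a key that the keystore explorer produced but passes on one exported through PKCS#12, the explorer output is the problem, not the policy; that is the same conclusion the reply on the list reached with openssl dgst alone.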
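The timestamp error in the first message has two separate parts visible in the quoted header: Created and Expires are identical, so the message is expired the instant the receiver checks it, and the clock question is about local time versus UTC, since wsu:Created must be expressed in UTC with a Z suffix (PHP's date() reports local time; gmdate() reports UTC). The following is an added example, not code from the thread or from WSF/PHP, Rampart or WSS4J: a small Python validator that parses a wsse:Security header, applies the checks a receiver applies (UTC format, Created not in the future beyond an optional skew, Expires strictly after Created, Expires not yet reached), and an emitter that builds a header with a positive TTL. The sample header is constructed from the two values quoted in the thread; the wsu:Id value, the default TTL and the skew parameter are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample: the Created/Expires pair quoted in the thread, wrapped in a minimal
# wsse:Security header so it can be parsed like a real SOAP header. The Id is an assumption.
SAMPLE_HEADER = (
    f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
    '<wsu:Timestamp wsu:Id="Timestamp-1">'
    "<wsu:Created>2007-09-14T03:16:30.046Z</wsu:Created>"
    "<wsu:Expires>2007-09-14T03:16:30.046Z</wsu:Expires>"
    "</wsu:Timestamp></wsse:Security>"
)

# WS-Security timestamps are xsd:dateTime in UTC; a value without the Z suffix is rejected.
_UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z$")


def parse_utc(text):
    """Parse a wsu:Created / wsu:Expires value into an aware UTC datetime."""
    if not _UTC_RE.match(text):
        raise ValueError(f"not a UTC xsd:dateTime with Z suffix: {text!r}")
    body = text[:-1]
    micro = 0
    if "." in body:
        body, frac = body.split(".")
        micro = int(frac.ljust(6, "0"))
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def format_utc(dt):
    """Render an aware datetime in the millisecond UTC form seen in the thread's header."""
    dt = dt.astimezone(timezone.utc)
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond // 1000:03d}Z"


def build_security_header(created, ttl_seconds=300):
    """Emit a wsse:Security header whose Timestamp is valid for ttl_seconds.

    Expires must be strictly after Created; a zero TTL, as in the quoted header,
    is already expired by the time the receiver looks at it.
    """
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    expires = created + timedelta(seconds=ttl_seconds)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        '<wsu:Timestamp wsu:Id="Timestamp-1">'
        f"<wsu:Created>{format_utc(created)}</wsu:Created>"
        f"<wsu:Expires>{format_utc(expires)}</wsu:Expires>"
        "</wsu:Timestamp></wsse:Security>"
    )


def check_timestamp(header_xml, now, skew_seconds=0):
    """Validate the wsu:Timestamp as a receiver does; returns {'ok': bool, 'reason': str}.

    `now` is the receiver's clock as an aware UTC datetime; skew_seconds is how much
    clock drift between the two sides is tolerated (0 means none).
    """
    root = ET.fromstring(header_xml)
    ts = root.find(f"{{{WSU_NS}}}Timestamp")
    if ts is None:
        return {"ok": False, "reason": "no wsu:Timestamp in Security header"}
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    if created_el is None or not created_el.text:
        return {"ok": False, "reason": "Timestamp has no Created element"}
    try:
        created = parse_utc(created_el.text.strip())
        expires = parse_utc(expires_el.text.strip()) if expires_el is not None else None
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    skew = timedelta(seconds=skew_seconds)
    if created > now + skew:
        return {"ok": False, "reason": "Created is in the future: sender clock ahead, "
                                       "or local time sent as if it were UTC"}
    if expires is not None:
        if expires <= created:
            return {"ok": False, "reason": "Expires is not after Created (zero TTL): expired on arrival"}
        if expires <= now - skew:
            return {"ok": False, "reason": "The security semantics of the message have expired"}
    return {"ok": True, "reason": "valid"}
```

Run against the quoted header with the receiver's clock set to the same instant the client stamped, the zero-TTL check fires before anything else; a header with a real TTL passes, fails once the TTL is used up, and fails with the "in the future" reason when the sender is an hour ahead, which is the daylight-saving symptom described in the thread unless the receiver is configured to tolerate that much skew.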