Posted to wss4j-dev@ws.apache.org by "Ostermueller, Erik" <Er...@fnis.com> on 2008/06/20 00:22:31 UTC
Need help figuring out CryptoBase#getCertificates(alias)
Hi,
I'm having trouble getting wss4j/bouncyCastle/jce to find my
certificate.
Everything I've read on my error (below) says I've got something wrong
with my alias.
So, I added some debug code which seems to show I've got my alias stuff
right.
I learned the following from my debug code:
Point A: keystore.getCertificateChain(alias) returns null
Point B: keystore.containsAlias(alias) returns true.
This is where I'm not understanding things, b/c my "Point A" and "Point
B" (in my own head) seem mutually exclusive.
Thanks all,
--Erik Ostermueller
#####Here is the error I'm getting:
Caused by: org.apache.ws.security.WSSecurityException:
WSHandler: Signature: error during message
processingorg.apache.ws.security.WSSecurityException:
General security error (Unexpected number of X509Data: for
Signature)
#####Here is my key generation:
%JAVA_HOME%\bin\keytool -genseckey -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider ^
    -storetype JCEKS -keyalg DESede -keystore .\conf\bob.jks -alias bob -validity 365 ^
    -storepass password -keypass password
###### I added the following debug code to the very top of
CryptoBase#getCertificates(alias) from wss4j 1.5.4
    // Needs java.security.cert.Certificate, java.security.Key and java.util.Enumeration
    // in scope; "keystore" is the CryptoBase.keystore field, "alias" the method parameter.
    try {
        Certificate[] etoCerts = keystore.getCertificateChain(alias);
        java.security.Key myKey = keystore.getKey(alias, "password".toCharArray());
        System.out.println("CryptoBase#getCertificates A -- keystore entries [" + keystore.size()
                + "] alias [" + alias + "] keystore.isKeyEntry [" + keystore.isKeyEntry(alias)
                + "] containsAlias [" + keystore.containsAlias(alias) + "] etoCerts [" + etoCerts
                + "] myKey[" + myKey + "] key algo [" + myKey.getAlgorithm()
                + "] format [" + myKey.getFormat() + "]");
        // Dump every alias the keystore knows about
        for (Enumeration<String> xenum = keystore.aliases(); xenum.hasMoreElements();) {
            Object objAlias = xenum.nextElement();
            System.out.println("Found alias [" + objAlias + "]");
        }
    } catch (Exception e) {
        System.out.println("error looking for the aliases ETO 6/19/2008 10:13:23 AM");
        e.printStackTrace();
    }
###### The above code produced the following output
CryptoBase#getCertificates A -- keystore entries [1] alias [bob] keystore.isKeyEntry [true] containsAlias [true] etoCerts [null] myKey[javax.crypto.spec.SecretKeySpec@b069b1cc] key algo [DESede] format [RAW]
Found alias [bob]
______________
The information contained in this message is proprietary and/or confidential. If you are not the
intended recipient, please: (i) delete the message and all copies; (ii) do not disclose,
distribute or use the message in any manner; and (iii) notify the sender immediately. In addition,
please be aware that any message addressed to our domain is subject to archiving and review by
persons other than the intended recipient. Thank you.
_____________
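The two observations in the post above are not contradictory: an entry created with keytool -genseckey is a KeyStore.SecretKeyEntry, and the KeyStore contract says getCertificateChain() returns null for any alias that has no certificate chain, while containsAlias() and isKeyEntry() are true for secret keys as well as private keys. The following Java example is added here and is not code from the thread or from WSS4J; it builds the same kind of JCEKS store in memory (the alias "bob" and password "password" mirror the keytool command, the DESede key is generated on the fly) and shows how a caller can tell the entry types apart before asking for a chain.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreEntryCheck {

    // Reports what kind of entry sits behind an alias, so code that needs a
    // certificate chain can fail with a clear message instead of a null.
    static String describe(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "no such alias";
        }
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            // Symmetric key: isKeyEntry() is true, but there is no chain to return.
            return "secret key entry (no certificate chain by definition)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            return "private key entry with chain of length " + chain.length;
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            return "trusted certificate entry";
        }
        return "unknown entry type";
    }

    public static void main(String[] args) throws Exception {
        // Constructed in memory: a JCEKS store holding one DESede secret key
        // under alias "bob", the same shape as the keytool -genseckey command.
        char[] pw = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        ks.setEntry("bob", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(pw));

        // These three calls reproduce "Point A" and "Point B" from the post.
        System.out.println("containsAlias = " + ks.containsAlias("bob"));
        System.out.println("isKeyEntry    = " + ks.isKeyEntry("bob"));
        System.out.println("certChain     = " + ks.getCertificateChain("bob"));
        System.out.println("entry kind    = " + describe(ks, "bob"));
    }
}
```

A handler that walks CryptoBase#getCertificates(alias) expecting an X.509 chain should use a check like describe() first: a null chain for an existing alias means the alias points at a secret key, which is a configuration mismatch (symmetric key where a certificate-based signature profile was requested), not a missing keystore entry.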
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
I wrote:
>>> So, some help launching the tests would be nice.
...replying to self. Here is doc for windoze:
Unzip these files to a blank directory:
wss4j-otherjars-1.5.4.zip
wss4j-bin-1.5.4.zip
wss4j-src-1.5.4.zip
In one window, run "ant tcpmon"
In a separate window, run "ant -DNumber=4 scenarioTest"
I apologize for the extra noise if this is already documented outside the build file for the src.
--Erik
-----Original Message-----
From: Dittmann, Werner (NSN - DE/Muenich) [mailto:werner.dittmann@nsn.com]
Sent: Thursday, June 26, 2008 1:23 AM
To: Ostermueller, Erik; Patrick J Kobly
Cc: wss4j-dev@ws.apache.org
Subject: AW: Need help figuring out CryptoBase#getCertificates(alias)
Erik,
the WSS4J library and the associated Axis-1 and Axis-2 drivers implement (most) of the OASIS Web Service Security specifications, which in turn re-use the XML signature and XML encryption specs published by W3C. Thus to fully understand the principles behind WSS4J you should refer to the OASIS specs. These specs define so-called profiles that define when and how to use certificates (or not) and their interaction with encryption, encrypted keys, passwords and so on.
Using Web Service Security needs careful planning of the required steps and the required security (as you pointed out in your e-mail). On top of that it is IMHO necessary to understand the basic principles of the OASIS specifications to see what is possible and what's not possible.
The WSS4J source tree contains documentation and programs that implement the interoperability tests. These tests use various forms of encryption, signature, etc. Maybe these programs and docs can support your activities.
Regards,
Werner
> -----Original Message-----
> From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
> Sent: Wednesday, 25 June 2008 21:12
> To: Patrick J Kobly
> Cc: wss4j-dev@ws.apache.org
> Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
>
> Patrick wrote:
> >> How is it that you'd expect to get a certificate for / related to a
> symmetric key?
> >> What would you expect such a certificate to look like?
> >> What would you expect a signature using only a symmetric key would
> look like?
>
> Those are good questions. I was expecting a certificate b/c the code
> was expecting a certificate and I didn't know any better.
> If no certs are found, this CryptoBase#getCertificates(alias) method
> returns a null which triggers an exception downstream.
> So I learned that "if symmetric algorithm --> then certificates are
> not relevant/used."
>
> That leads me back to the original problem of how do you sign
> something when using symmetric keys.
> I just checked and the xml sig spec allows for this. When signing
> with symmetric key, the sig is called a message authentication
> code/mac.
> The wss4j test referenced below looks like it is configured to do all
> this.
>
>
> Is there a doc somewhere that tells how to run the tests? I'd
> like to verify whether this is a currently supported test and is
> working correctly?
> Then, I'll have to figure out why this axis-based 'mac' example works
> and my cxf-based mac example is stuck looking for non-existent
> certificates.
>
> So, some help launching the tests would be nice.
>
> --Erik
>
>
>
> ________________________________
>
> From: Patrick J Kobly [mailto:patrick@kobly.com]
> Sent: Tuesday, June 24, 2008 3:31 PM
> To: Ostermueller, Erik
> Cc: wss4j-dev@ws.apache.org
> Subject: Re: Need help figuring out CryptoBase#getCertificates(alias)
>
>
> How is it that you'd expect to get a certificate for / related to a
> symmetric key? What would you expect such a certificate to look like?
> What would you expect a signature using only a symmetric key would
> look like?
>
> The discussion related to the embedded key stuff relates (predictably)
> only to encryption and not to signature (as would be expected of any
> symmetric scheme), yet you seem to be trying to do signature stuff...
>
> What is it you are trying to accomplish here?
>
> PK
>
> Ostermueller, Erik wrote:
>
> Whoops! Previous file is bad. Try this one:
> http://www.mediafire.com/?d3hx342xtxm
>
> The new file name is symmetric-encryption3.zip
>
> ________________________________
>
> From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
> Sent: Tuesday, June 24, 2008 2:21 PM
> To: wss4j-dev@ws.apache.org
> Subject: RE: Need help figuring out
> CryptoBase#getCertificates(alias)
>
>
> ok, I've re-worked my example ( download the little zip file
> here: http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j
> symmetric encryption example referenced in this thread:
> http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
>
> To get this example running, just configure the stuff in
> bin/setenv.cmd and run "ant client"
> No need to run the server -- it fails before it gets there with the
> message: Unexpected number of X509Data: for Signature
> So the error hasn't changed, but it is tough to tell whether I've got
> this configured correctly.
>
> At the top of the method CryptoBase.getCertificates(alias), the
> methods isKeyEntry(), containsAlias(), getKey() and the enum aliases
> on CryptoBase.keystore all seem to contain the right alias/key data.
>
> As far as I can see, the issue is that the methods mentioned above on
> the CryptoBase.keystore instance return good-looking data but the
> method getCertificateChain(alias) -- on the exact same instance --
> returns null.
>
> Thanks,
> --Erik
>
>
>
>
>
> --
>
>
> Patrick Kobly, CISSP
>
> T: 403-274-9033
>
> C: 403-463-6141
>
> F: 866-786-9459
>
> 56 388 Sandarac Dr NW
> Calgary, Alberta
> T3K 4E3
> http://www.kobly.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>
>
AW: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Dittmann, Werner (NSN - DE/Muenich)" <we...@nsn.com>.
Erik,
the WSS4J library and the associated Axis-1 and Axis-2 drivers implement
(most) of the OASIS Web Service Security specifications,
which in turn re-use the XML signature and XML encryption specs published
by W3C. Thus to fully understand the principles behind WSS4J you should
refer to the OASIS specs. These specs define so-called profiles that
define when and how to use certificates (or not) and their interaction
with encryption, encrypted keys, passwords and so on.
Using Web Service Security needs careful planning of the required steps
and the required security (as you pointed out in your e-mail). On top of
that it is IMHO necessary to understand the basic principles of the
OASIS specifications to see what is possible and what's not possible.
The WSS4J source tree contains documentation and programs that implement
the interoperability tests. These tests use various forms of encryption,
signature, etc. Maybe these programs and docs can support your activities.
Regards,
Werner
> -----Original Message-----
> From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
> Sent: Wednesday, 25 June 2008 21:12
> To: Patrick J Kobly
> Cc: wss4j-dev@ws.apache.org
> Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
>
> Patrick wrote:
> >> How is it that you'd expect to get a certificate for / related to a
> symmetric key?
> >> What would you expect such a certificate to look like?
> >> What would you expect a signature using only a symmetric key would
> look like?
>
> Those are good questions. I was expecting a certificate b/c the code
> was expecting a certificate and I didn't know any better.
> If no certs are found, this CryptoBase#getCertificates(alias) method
> returns a null which triggers an exception downstream.
> So I learned that "if symmetric algorithm --> then
> certificates are not
> relevant/used."
>
> That leads me back to the original problem of how do you sign
> something when using symmetric keys.
> I just checked and the xml sig spec allows for this. When
> signing with
> symmetric key, the sig is called a message authentication code/mac.
> The wss4j test referenced below looks like it is configured to
> do all this.
>
>
> Is there a doc somewhere that tells how to run the
> tests? I'd like
> to verify whether this is a currently supported test and is working
> correctly?
> Then, I'll have to figure out why this axis-based 'mac' example works
> and my cxf-based mac example is stuck looking for non-existent
> certificates.
>
> So, some help launching the tests would be nice.
>
> --Erik
>
>
>
> ________________________________
>
> From: Patrick J Kobly [mailto:patrick@kobly.com]
> Sent: Tuesday, June 24, 2008 3:31 PM
> To: Ostermueller, Erik
> Cc: wss4j-dev@ws.apache.org
> Subject: Re: Need help figuring out CryptoBase#getCertificates(alias)
>
>
> How is it that you'd expect to get a certificate for / related to a
> symmetric key? What would you expect such a certificate to look like?
> What would you expect a signature using only a symmetric key
> would look
> like?
>
> The discussion related to the embedded key stuff relates (predictably)
> only to encryption and not to signature (as would be expected of any
> symmetric scheme), yet you seem to be trying to do signature stuff...
>
> What is it you are trying to accomplish here?
>
> PK
>
> Ostermueller, Erik wrote:
>
> Whoops! Previous file is bad. Try this one:
> http://www.mediafire.com/?d3hx342xtxm
>
> The new file name is symmetric-encryption3.zip
>
> ________________________________
>
> From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
> Sent: Tuesday, June 24, 2008 2:21 PM
> To: wss4j-dev@ws.apache.org
> Subject: RE: Need help figuring out
> CryptoBase#getCertificates(alias)
>
>
> ok, I've re-worked my example ( download the little zip file
> here: http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j
> symmetric encryption example referenced in this thread:
> http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
>
> To get this example running, just configure the stuff in
> bin/setenv.cmd and run "ant client"
> No need to run the server -- it fails before it gets there with
> the message: Unexpected number of X509Data: for Signature
> So the error hasn't changed, but it is tough to tell whether
> I've got this configured correctly.
>
> At the top of the method CryptoBase.getCertificates(alias), the
> methods isKeyEntry(), containsAlias(), getKey() and the enum
> aliases on
> CryptoBase.keystore all seem to contain the right alias/key data.
>
> As far as I can see, the issue is that the methods mentioned
> above on the CryptoBase.keystore instance return good-looking data but
> the method getCertificateChain(alias) -- on the exact same instance --
> returns null.
>
> Thanks,
> --Erik
>
>
>
>
>
> --
>
>
> Patrick Kobly, CISSP
>
> T: 403-274-9033
>
> C: 403-463-6141
>
> F: 866-786-9459
>
> 56 388 Sandarac Dr NW
> Calgary, Alberta
> T3K 4E3
> http://www.kobly.com
>
>
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
Patrick wrote:
>> How is it that you'd expect to get a certificate for / related to a
symmetric key?
>> What would you expect such a certificate to look like?
>> What would you expect a signature using only a symmetric key would
look like?
Those are good questions. I was expecting a certificate b/c the code
was expecting a certificate and I didn't know any better.
If no certs are found, this CryptoBase#getCertificates(alias) method
returns a null which triggers an exception downstream.
So I learned that "if symmetric algorithm --> then certificates are not
relevant/used."
That leads me back to the original problem of how do you sign
something when using symmetric keys.
I just checked and the xml sig spec allows for this. When signing with
symmetric key, the sig is called a message authentication code/mac.
The wss4j test referenced below looks like it is configured to do all this.
Is there a doc somewhere that tells how to run the tests? I'd like
to verify whether this is a currently supported test and is working
correctly?
Then, I'll have to figure out why this axis-based 'mac' example works
and my cxf-based mac example is stuck looking for non-existent
certificates.
So, some help launching the tests would be nice.
--Erik
________________________________
From: Patrick J Kobly [mailto:patrick@kobly.com]
Sent: Tuesday, June 24, 2008 3:31 PM
To: Ostermueller, Erik
Cc: wss4j-dev@ws.apache.org
Subject: Re: Need help figuring out CryptoBase#getCertificates(alias)
How is it that you'd expect to get a certificate for / related to a
symmetric key? What would you expect such a certificate to look like?
What would you expect a signature using only a symmetric key would look
like?
The discussion related to the embedded key stuff relates (predictably)
only to encryption and not to signature (as would be expected of any
symmetric scheme), yet you seem to be trying to do signature stuff...
What is it you are trying to accomplish here?
PK
Ostermueller, Erik wrote:
Whoops! Previous file is bad. Try this one:
http://www.mediafire.com/?d3hx342xtxm
The new file name is symmetric-encryption3.zip
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Tuesday, June 24, 2008 2:21 PM
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
ok, I've re-worked my example ( download the little zip file
here: http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j
symmetric encryption example referenced in this thread:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
To get this example running, just configure the stuff in
bin/setenv.cmd and run "ant client"
No need to run the server -- it fails before it gets there with
the message: Unexpected number of X509Data: for Signature
So the error hasn't changed, but it is tough to tell whether
I've got this configured correctly.
At the top of the method CryptoBase.getCertificates(alias), the
methods isKeyEntry(), containsAlias(), getKey() and the enum aliases on
CryptoBase.keystore all seem to contain the right alias/key data.
As far as I can see, the issue is that the methods mentioned
above on the CryptoBase.keystore instance return good-looking data but
the method getCertificateChain(alias) -- on the exact same instance --
returns null.
Thanks,
--Erik
--
Patrick Kobly, CISSP
T: 403-274-9033
C: 403-463-6141
F: 866-786-9459
56 388 Sandarac Dr NW
Calgary, Alberta
T3K 4E3
http://www.kobly.com
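Patrick's questions and Erik's conclusion in the post above come down to one point: when the only key is a shared symmetric key, an XML Signature is a MAC (the spec's hmac-sha1 SignatureMethod), verified by recomputing it with the same key, so no certificate is involved at any step. The following Java example is added here and is not code from the thread or from WSS4J; it shows that operation with the JDK's Mac API over a constructed stand-in for the canonicalized SignedInfo bytes. The sample bytes, the in-memory HMAC key and the "other" key are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class SharedKeyMacDemo {

    // Produces the tag an hmac-sha1 SignatureMethod would place in
    // <SignatureValue>, computed over the canonicalized <SignedInfo> bytes.
    static byte[] mac(SecretKey sharedKey, byte[] canonicalizedSignedInfo) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA1");
        hmac.init(sharedKey);
        return hmac.doFinal(canonicalizedSignedInfo);
    }

    // Verification recomputes the tag with the same shared key and compares
    // in constant time. There is no certificate to fetch and no chain to walk.
    static boolean verify(SecretKey sharedKey, byte[] data, byte[] expectedTag) throws Exception {
        return MessageDigest.isEqual(mac(sharedKey, data), expectedTag);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for the canonicalized SignedInfo element.
        byte[] signedInfo = "<SignedInfo>...</SignedInfo>".getBytes(StandardCharsets.UTF_8);

        // Both parties hold the same secret (in the thread, the "bob" secret key
        // entry); here a fresh HMAC key generated in memory.
        SecretKey shared = KeyGenerator.getInstance("HmacSHA1").generateKey();
        byte[] tag = mac(shared, signedInfo);
        System.out.println("verifies with shared key : " + verify(shared, signedInfo, tag));

        // A party with a different key cannot verify the tag.
        SecretKey other = new SecretKeySpec(new byte[20], "HmacSHA1");
        System.out.println("verifies with other key  : " + verify(other, signedInfo, tag));

        // Any change to the signed bytes invalidates the tag.
        byte[] tampered = signedInfo.clone();
        tampered[1] ^= 0x01;
        System.out.println("verifies after tampering : " + verify(shared, tampered, tag));
    }
}
```

Because both sides hold the same secret, a MAC tells the verifier only that someone with the key produced the message, not which of the two parties did; it gives integrity and origin authentication but no non-repudiation. That is also why a handler written for the X.509 signature profile, which looks up a certificate for the signing alias, has nothing to find when the alias is a secret key entry.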
Re: Need help figuring out CryptoBase#getCertificates(alias)
Posted by Patrick J Kobly <pa...@kobly.com>.
How is it that you'd expect to get a certificate for / related to a
symmetric key? What would you expect such a certificate to look like?
What would you expect a signature using only a symmetric key would look
like?
The discussion related to the embedded key stuff relates (predictably)
only to encryption and not to signature (as would be expected of any
symmetric scheme), yet you seem to be trying to do signature stuff...
What is it you are trying to accomplish here?
PK
Ostermueller, Erik wrote:
> Whoops! Previous file is bad. Try this one:
> http://www.mediafire.com/?d3hx342xtxm
>
> The new file name is symmetric-encryption3.zip
> ------------------------------------------------------------------------
> *From:* Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
> *Sent:* Tuesday, June 24, 2008 2:21 PM
> *To:* wss4j-dev@ws.apache.org
> *Subject:* RE: Need help figuring out CryptoBase#getCertificates(alias)
>
> ok, I've re-worked my example ( download the little zip file here:
> http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j symmetric
> encryption example referenced in this thread:
> http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
>
> To get this example running, just configure the stuff in
> bin/setenv.cmd and run "ant client"
> No need to run the server -- it fails before it gets there with the
> message: Unexpected number of X509Data: for Signature
> So the error hasn't changed, but it is tough to tell whether I've got
> this configured correctly.
>
> At the top of the method CryptoBase.getCertificates(alias), the
> methods isKeyEntry(), containsAlias(), getKey() and the enum aliases
> on CryptoBase.keystore all seem to contain the right alias/key data.
>
> As far as I can see, the issue is that the methods mentioned above
> on the CryptoBase.keystore instance return good-looking data but the
> method getCertificateChain(alias) -- on the exact same instance --
> returns null.
>
> Thanks,
> --Erik
>
>
--
Patrick Kobly, CISSP
T: 403-274-9033
C: 403-463-6141
F: 866-786-9459
56 388 Sandarac Dr NW
Calgary, Alberta
T3K 4E3
http://www.kobly.com
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
Whoops! Previous file is bad. Try this one:
http://www.mediafire.com/?d3hx342xtxm
The new file name is symmetric-encryption3.zip
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Tuesday, June 24, 2008 2:21 PM
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
ok, I've re-worked my example ( download the little zip file here:
http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j symmetric
encryption example referenced in this thread:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
To get this example running, just configure the stuff in bin/setenv.cmd
and run "ant client"
No need to run the server -- it fails before it gets there with the
message: Unexpected number of X509Data: for Signature
So the error hasn't changed, but it is tough to tell whether I've got
this configured correctly.
At the top of the method CryptoBase.getCertificates(alias), the methods
isKeyEntry(), containsAlias(), getKey() and the enum aliases on
CryptoBase.keystore all seem to contain the right alias/key data.
As far as I can see, the issue is that the methods mentioned above on
the CryptoBase.keystore instance return good-looking data but the method
getCertificateChain(alias) -- on the exact same instance -- returns null.
Thanks,
--Erik
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Tuesday, June 24, 2008 8:44 AM
To: Dittmann, Werner (NSN - DE/Muenich); O hEigeartaigh, Colm;
wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Werner wrote:
>>Looking at your deployment it's clear to me that you use a public key:
That bad, huh? ok. I guess I need to take a step back and make sure I'm
set up for symmetric.
I used the genseckey option on the 1.6 keytool, along with DESede -- all
compatible with symmetric encryption, right?
I also put the same key file on both the client and the server.
I just did a little more digging and unearthed this:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
...which describes some EmbeddedKey configuration that I didn't include.
I'll get started incorporating the work described above (wss4j tests
from svn).
If this is the wrong direction (or perhaps there is a better example) ,
I'm open to suggestions.
--Erik
________________________________
From: Dittmann, Werner (NSN - DE/Muenich)
[mailto:werner.dittmann@nsn.com]
Sent: Tuesday, June 24, 2008 1:09 AM
To: Ostermueller, Erik; O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: AW: Need help figuring out CryptoBase#getCertificates(alias)
Erik,
I don't understand your statement about "single/symmetric key". Looking at your deployment
it's clear to me that you use a public key:
According to the specification and WSS4J documentation: WSS4J creates a symmetric session
key, encrypts the Body using triple-DES CBC (according to your deployment) and encrypts this
session key using RSA-1_5. The key to encrypt the session key _must_ be the public RSA key
of the receiver, not the sender. To me it seems that you use the public key of Bob to encrypt
the session key. Who is the receiver?
Regards,
Werner
________________________________
From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Monday, 23 June 2008 16:13
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Colm wrote:
>>you're both encrypting using "bob"'s public key and also
signing using his private key!
I knew I had 'bob' in there perhaps too many times. But I
didn't think that would matter, because I'm using a single
secret/symmetric key -- not public and private ones.
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Monday, June 23, 2008 4:56 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Hi Erik,
I can't see anything obviously wrong from your configuration,
apart from the fact that you're both encrypting using "bob"'s public key
and also signing using his private key!
I suggest trying to simplify things a bit, try something like
this (where "bob" is signing both the Timestamp and the message body):
    outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature");
    outProps.put(WSHandlerConstants.USER, "bob");
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
        + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 19:57
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Thanks for the quick reply. I made that change (excellent
catch, by the way) and it did not make a difference -- probably because
that is in the server configuration, and it dies before it gets to the
server.
Here is my client code.
    public static void main(String args[]) throws Exception {
        Service service = Service.create(SERVICE_NAME);
        // Endpoint Address
        String endpointAddress = "http://localhost:9000/dfSoap/services/hello_world";
        JaxWsProxyFactoryBean factory = getFactory();
        factory.setServiceClass(HelloWorld.class);
        factory.setAddress(endpointAddress);
        HelloWorld hw = (HelloWorld) factory.create();
        CreditLineSummaryInqRs rs = hw.creditLineInq2("AP18740", getLiveRq());
        displayResponse((CreditLineSummaryInqRs) rs);
    }

    public static JaxWsProxyFactoryBean getFactory() {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();

        // Outbound (request) WS-Security configuration
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
        //outProps.put("user", "alice");
        outProps.put(WSHandlerConstants.USER, "bob");
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
        outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
        outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
            "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
            + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        outProps.put(WSHandlerConstants.ENC_PROP_FILE, "bob.properties");
        outProps.put(WSHandlerConstants.ENCRYPTION_USER, "bob");
        outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
            "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;"
            + "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        outProps.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
        outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
        WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps); //request
        factory.getOutInterceptors().add(wssOut);
        //factory.getOutInterceptors().add(new SAAJOutInterceptor());

        // Inbound (response) WS-Security configuration
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
        inProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
        inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
        inProps.put(WSHandlerConstants.DEC_PROP_FILE, "bob.properties");
        WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps); //response
        factory.getInInterceptors().add(wssIn);
        //factory.getInInterceptors().add(new SAAJInInterceptor());
        return factory;
    }
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 11:14 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
> <jaxws:outInterceptors>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
You're attaching an "in" interceptor to the out interceptor list
there...try replacing it with WSS4JOutInterceptor.
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 15:56
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Here is bob.properties. To no avail, I tried 'org.apache.ws.security.components.crypto.BouncyCastle' for the org.apache.ws.security.crypto.provider.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
--Erik
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 14:57
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
..replying to self. Here are a few important details I forgot to include for this "Unexpected number of X509Data: for Signature" error.
I'm trying to encrypt and sign a CXF 2.1 SOAP message with a symmetric key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java]     at $Proxy29.creditLineInq2(Unknown Source)
[java]     at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java]     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java]     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java]     ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java]     at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java]     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java]     ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="
           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
    <import resource="classpath:META-INF/cxf/cxf.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
    <jaxws:endpoint id="jaxwsService" implementor="demo.hw.server.HelloWorldImpl" address="/hello_world">
        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="Timestamp Signature Encrypt"/>
                        <entry key="signaturePropFile" value="bob.properties"/>
                        <entry key="decryptionPropFile" value="bob.properties"/>
                        <entry key="passwordCallbackClass" value="demo.hw.server.KeystorePasswordCallback"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:inInterceptors>
        <jaxws:outInterceptors>
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="Timestamp Signature Encrypt"/>
                        <entry key="user" value="bob"/>
                        <entry key="signaturePropFile" value="bob.properties"/>
                        <entry key="encryptionPropFile" value="bob.properties"/>
                        <entry key="encryptionUser" value="bob"/>
                        <entry key="signatureKeyIdentifier" value="DirectReference"/>
                        <entry key="passwordCallbackClass" value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
                        <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                        <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                        <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                        <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:outInterceptors>
    </jaxws:endpoint>
    <bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    <bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
    <cxf:bus>
        <cxf:features>
            <cxf:logging/>
        </cxf:features>
    </cxf:bus>
</beans>
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Thursday, June 19, 2008 5:23 PM
To: wss4j-dev@ws.apache.org
Subject: Need help figuring out
CryptoBase#getCertificates(alias)
Hi,
I'm having trouble getting wss4j/bouncyCastle/jce to find my
certificate.
Everything I've read on my error (below) says I've got something
wrong with my alias.
So, I added some debug code which seems to show I've got my alias stuff right.
I learned the following from my debug code:
Point A: keystore.getCertificateChain(alias) returns null
Point B: keystore.containsAlias(alias) returns true.
This is where I'm not understanding things, b/c my "Point A" and
"Point B" (in my own head) seem mutually exclusive.
Thanks all,
--Erik Ostermueller
#####Here is the error I'm getting:
Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
#####Here is my key generation:
%JAVA_HOME%\bin\keytool -genseckey -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -storetype JCEKS -keyalg DESede -keystore .\conf\bob.jks -alias bob -validity 365 -storepass password -keypass password
###### I added the following debug code to the very top of CryptoBase#getCertificates(alias) from wss4j 1.5.4
try {
    Certificate[] etoCerts = keystore.getCertificateChain(alias);
    java.security.Key myKey = keystore.getKey(alias, "password".toCharArray());
    System.out.println("CryptoBase#getCertificates A -- keystore entries [" + keystore.size()
        + "] alias [" + alias + "] keystore.isKeyEntry [" + keystore.isKeyEntry(alias)
        + "] containsAlias [" + keystore.containsAlias(alias) + "] etoCerts [" + etoCerts
        + "] myKey[" + myKey + "] key algo [" + myKey.getAlgorithm() + "] format [" + myKey.getFormat() + "]");
    for (Enumeration xenum = keystore.aliases(); xenum.hasMoreElements();) {
        Object objAlias = xenum.nextElement();
        System.out.println("Found alias [" + objAlias + "]");
    }
} catch (Exception e) {
    System.out.println("error looking for the aliases ETO 6/19/2008 10:13:23 AM");
    e.printStackTrace();
}
###### The above code produced the following output
CryptoBase#getCertificates A -- keystore entries [1] alias [bob] keystore.isKeyEntry [true] containsAlias [true] etoCerts [null] myKey[javax.crypto.spec.SecretKeySpec@b069b1cc] key algo [DESede] format [RAW]
Found alias [bob]
______________
The information contained in this message is proprietary and/or
confidential. If you are not the
intended recipient, please: (i) delete the message and all
copies; (ii) do not disclose,
distribute or use the message in any manner; and (iii) notify
the sender immediately. In addition,
please be aware that any message addressed to our domain is
subject to archiving and review by
persons other than the intended recipient. Thank you.
_____________
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin
4, Ireland
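The "Point A / Point B" result in the debug output above has a straightforward explanation: a JCEKS store created with keytool -genseckey holds a SecretKeyEntry, and containsAlias() and isKeyEntry() are true for secret keys as well as private keys, whereas getCertificateChain() only returns a chain for a PrivateKeyEntry, which is the entry Merlin's getCertificates(alias) and the Signature action need. The following added example (mine, not code from the thread or from WSS4J) rebuilds that keystore in memory using the thread's alias "bob" and password "password" and classifies the entry the way a signer-side pre-flight check would:

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example, not part of WSS4J: tells apart the entry kinds a JCEKS
 * keystore can hold and reports whether an alias can back a WS-Security
 * signature at all. Alias and password are the thread's placeholders.
 */
public final class KeystoreEntryCheck {

    /** What the alias can be used for from a WS-Security point of view. */
    public enum Verdict {
        MISSING,                  // no entry under that alias at all
        SECRET_KEY_NO_CERT,       // symmetric key (keytool -genseckey): no certificate, cannot sign
        TRUSTED_CERT_ONLY,        // public certificate only: can verify / encrypt to, cannot sign
        KEY_ENTRY_WITHOUT_CHAIN,  // key entry whose chain is empty: nothing to put into X509Data
        PRIVATE_KEY_WITH_CHAIN    // what a Signature action needs (keytool -genkeypair / -genkey)
    }

    /** Classifies an alias without touching the key material itself. */
    public static Verdict classify(KeyStore ks, String alias) throws KeyStoreException {
        if (!ks.containsAlias(alias)) {
            return Verdict.MISSING;
        }
        // isKeyEntry() is true here for BOTH secret and private keys, so ask more precisely.
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            return Verdict.SECRET_KEY_NO_CERT;
        }
        if (ks.isCertificateEntry(alias)) {
            return Verdict.TRUSTED_CERT_ONLY;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return Verdict.KEY_ENTRY_WITHOUT_CHAIN;
        }
        return Verdict.PRIVATE_KEY_WITH_CHAIN;
    }

    /** Builds in memory what "keytool -genseckey -storetype JCEKS -keyalg DESede" writes to bob.jks. */
    public static KeyStore secretKeyStoreLikeBobJks(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS"); // plain JKS cannot hold secret keys, JCEKS can
        ks.load(null, password);                      // start from an empty store
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        ks.setEntry("bob", new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray(); // the thread's placeholder password
        KeyStore ks = secretKeyStoreLikeBobJks(pw);

        // The same calls the debug patch in the thread made, next to the classification.
        System.out.println("containsAlias(bob)       = " + ks.containsAlias("bob"));
        System.out.println("isKeyEntry(bob)          = " + ks.isKeyEntry("bob"));
        System.out.println("getKey(bob).getAlgorithm = " + ks.getKey("bob", pw).getAlgorithm());
        System.out.println("getCertificateChain(bob) = " + ks.getCertificateChain("bob"));
        System.out.println("verdict                  = " + classify(ks, "bob"));
    }
}
```

Running classify() against a real bob.jks loaded from disk gives the same verdict, and it is a cheaper first check than patching CryptoBase.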
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
ok, I've re-worked my example ( download the little zip file here: http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j symmetric encryption example referenced in this thread:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
To get this example running, just configure the stuff in bin/setenv.cmd
and run "ant client"
No need to run the server -- it fails before it gets there with the
message: Unexpected number of X509Data: for Signature
So the error hasn't changed, but it is tough to tell whether I've got
this configured correctly.
At the top of the method CryptoBase.getCertificates(alias), the methods
isKeyEntry(), containsAlias(), getKey() and the enum aliases on
CryptoBase.keystore all seem to contain the right alias/key data.
As far as I can see, the issue is that the methods mentioned above on the CryptoBase.keystore instance return good-looking data but the method getCertificateChain(alias) -- on the exact same instance -- returns null.
Thanks,
--Erik
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Tuesday, June 24, 2008 8:44 AM
To: Dittmann, Werner (NSN - DE/Muenich); O hEigeartaigh, Colm;
wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Werner wrote:
>>Looking at your deployment it's clear to me that you use a public key:
That bad, huh? ok. I guess I need to take a step back and make sure I'm
set up for symmetric.
I used the genseckey option on the 1.6 keytool, along with DESede -- all compatible with symmetric encryption, right?
I also put the same key file on both the client and the server.
I just did a little more digging and unearthed this:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
...which describes some EmbeddedKey configuration that I didn't include.
I'll get started incorporating the work described above (wss4j tests
from svn).
If this is the wrong direction (or perhaps there is a better example) ,
I'm open to suggestions.
--Erik
________________________________
From: Dittmann, Werner (NSN - DE/Muenich)
[mailto:werner.dittmann@nsn.com]
Sent: Tuesday, June 24, 2008 1:09 AM
To: Ostermueller, Erik; O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Erik,
I don't understand your statement about "single/symmetric key". Looking at your deployment it's clear to me that you use a public key:
According to the specification and WSS4J documentation: WSS4J creates a symmetric session key, encrypts the Body using triple-DES CBC (according to your deployment) and encrypts this session key using RSA-1_5. The key to encrypt the session key _must_ be the public RSA key of the receiver, not the sender. To me it seems that you use the public key of Bob to encrypt the session key. Who is the receiver?
Regards,
Werner
________________________________
From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Monday, 23 June 2008 16:13
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Colm wrote:
>>you're both encrypting using "bob"s public key and also
signing using his private key!
I knew I had 'bob' in there perhaps too many times. But I
didn't think that would matter, because I'm using a single
secret/symmetric key -- not public and private ones.
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Monday, June 23, 2008 4:56 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Hi Erik,
I can't see anything obviously wrong from your configuration,
apart from the fact that you're both encrypting using "bob"s public key
and also signing using his private key!
I suggest trying to simplify things a bit, try something like
this (where "bob" is signing both the Timestamp and the message body):
outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature");
outProps.put(WSHandlerConstants.USER, "bob");
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
Colm.
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
Werner wrote:
>>Looking at your deployment it's clear to me that you use a public key:
That bad, huh? OK. I guess I need to take a step back and make sure I'm
set up for symmetric.
I used the genseckey option on the 1.6 keytool, along with DESede -- all
compatible with symmetric encryption, right?
I also put the same key file on both the client and the server.
I just did a little more digging and unearthed this:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+pag
e:1+mid:wqeg3cluw4cn2fr3+state:results
...which describes some EmbeddedKey configuration that I didn't include.
I'll get started incorporating the work described above (wss4j tests
from svn).
If this is the wrong direction (or perhaps there is a better example),
I'm open to suggestions.
--Erik
________________________________
From: Dittmann, Werner (NSN - DE/Muenich)
[mailto:werner.dittmann@nsn.com]
Sent: Tuesday, June 24, 2008 1:09 AM
To: Ostermueller, Erik; O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: AW: Need help figuring out CryptoBase#getCertificates(alias)
Erik,
I don't understand your statement about "single/symmetric key". Looking
at your deployment
it's clear to me that you use a public key:
According to the specification and WSS4J documentation: WSS4J creates a
symmetric session key, encrypts the Body using triple-DES CBC (according
to your deployment) and encrypts this session key using RSA-1_5. The key
to encrypt the session key _must_ be the public RSA key of the receiver,
not the sender. To me it seems that you use the public key of Bob to
encrypt the session key. Who is the receiver?
Regards,
Werner
________________________________
From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Monday, 23 June 2008 16:13
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Colm wrote:
>>you're both encrypting using "bob"s public key and also
signing using his private key!
I knew I had 'bob' in there perhaps too many times. But I
didn't think that would matter, because I'm using a single
secret/symmetric key -- not public and private ones.
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Monday, June 23, 2008 4:56 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Hi Erik,
I can't see anything obviously wrong from your configuration,
apart from the fact that you're both encrypting using "bob"'s public key
and also signing using his private key!
I suggest trying to simplify things a bit, try something like
this (where "bob" is signing both the Timestamp and the message body):
outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature");
outProps.put(WSHandlerConstants.USER, "bob");
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
    + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 19:57
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Thanks for the quick reply. I made that change (excellent
catch, by the way) and it did not make a difference -- probably because
that is in the server configuration, and it dies before it gets to the
server.
Here is my client code.
import java.util.HashMap;
import java.util.Map;

import javax.xml.ws.Service;

import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public static void main(String args[]) throws Exception {
    Service service = Service.create(SERVICE_NAME); // created but not used below
    // Endpoint Address
    String endpointAddress = "http://localhost:9000/dfSoap/services/hello_world";
    JaxWsProxyFactoryBean factory = getFactory();
    factory.setServiceClass(HelloWorld.class);
    factory.setAddress(endpointAddress);
    HelloWorld hw = (HelloWorld) factory.create();
    CreditLineSummaryInqRs rs = hw.creditLineInq2("AP18740", getLiveRq());
    displayResponse((CreditLineSummaryInqRs) rs);
}

public static JaxWsProxyFactoryBean getFactory() {
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();

    // Outbound (request) security: Timestamp, Signature and Encrypt, all keyed off alias "bob"
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    //outProps.put("user", "alice");
    outProps.put(WSHandlerConstants.USER, "bob");
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
        + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.ENCRYPTION_USER, "bob");
    outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
        "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;"
        + "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
    outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps); // request
    factory.getOutInterceptors().add(wssOut);
    //factory.getOutInterceptors().add(new SAAJOutInterceptor());

    // Inbound (response) security
    Map<String, Object> inProps = new HashMap<String, Object>();
    inProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    inProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    inProps.put(WSHandlerConstants.DEC_PROP_FILE, "bob.properties");
    WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps); // response
    factory.getInInterceptors().add(wssIn);
    //factory.getInInterceptors().add(new SAAJInInterceptor());
    return factory;
}
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 11:14 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
> <jaxws:outInterceptors>
> <bean
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
You're attaching an "in" interceptor to the out interceptor list
there...try replacing it with WSS4JOutInterceptor.
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 15:56
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Here is bob.properties. To no avail, I tried
'org.apache.ws.security.components.crypto.BouncyCastle' for the
org.apache.ws.security.crypto.provider.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
--Erik
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 14:57
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
..replying to self. Here are a few important details I forgot
to include for this "Unexpected number of X509Data: for Signature"
error.
I'm trying to encrypt and sign a CXF 2.1 SOAP message with a
symmetric key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the
server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java]     at $Proxy29.creditLineInq2(Unknown Source)
[java]     at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java]     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java]     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java]     ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java]     at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java]     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java]     ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
  <import resource="classpath:META-INF/cxf/cxf.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
  <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
  <jaxws:endpoint id="jaxwsService"
                  implementor="demo.hw.server.HelloWorldImpl"
                  address="/hello_world">
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile" value="bob.properties"/>
            <entry key="decryptionPropFile" value="bob.properties"/>
            <entry key="passwordCallbackClass" value="demo.hw.server.KeystorePasswordCallback"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="bob"/>
            <entry key="signaturePropFile" value="bob.properties"/>
            <entry key="encryptionPropFile" value="bob.properties"/>
            <entry key="encryptionUser" value="bob"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="passwordCallbackClass" value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:outInterceptors>
  </jaxws:endpoint>
  <bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
  <bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
  <cxf:bus>
    <cxf:features>
      <cxf:logging/>
    </cxf:features>
  </cxf:bus>
</beans>
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Thursday, June 19, 2008 5:23 PM
To: wss4j-dev@ws.apache.org
Subject: Need help figuring out
CryptoBase#getCertificates(alias)
Hi,
I'm having trouble getting wss4j/bouncyCastle/jce to find my
certificate.
Everything I've read on my error (below) says I've got something
wrong with my alias.
So, I added to debug code which seems to show I've got my alias
stuff right.
I learned the following from my debug code:
Point A: keystore.getCertificateChain(alias) returns null
Point B: keystore.containsAlias(alias) returns true.
This is where I'm not understanding things, b/c my "Point A" and
"Point B" (in my own head) seem mutually exclusive.
Thanks all,
--Erik Ostermueller
#####Here is the error I'm getting:
Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
#####Here is my key generation:
%JAVA_HOME%\bin\keytool -genseckey ^
  -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider ^
  -storetype JCEKS -keyalg DESede -keystore .\conf\bob.jks -alias bob ^
  -validity 365 -storepass password -keypass password
###### I added the following debug code to the very top of
CryptoBase#getCertificates(alias) from wss4j 1.5.4
try {
    Certificate[] etoCerts = keystore.getCertificateChain(alias);
    java.security.Key myKey = keystore.getKey(alias, "password".toCharArray());
    System.out.println("CryptoBase#getCertificates A -- keystore entries [" + keystore.size()
        + "] alias [" + alias + "] keystore.isKeyEntry [" + keystore.isKeyEntry(alias)
        + "] containsAlias [" + keystore.containsAlias(alias) + "] etoCerts [" + etoCerts
        + "] myKey[" + myKey + "] key algo [" + myKey.getAlgorithm() + "] format ["
        + myKey.getFormat() + "]");
    for (Enumeration xenum = keystore.aliases(); xenum.hasMoreElements();) {
        Object objAlias = xenum.nextElement();
        System.out.println("Found alias [" + objAlias + "]");
    }
} catch (Exception e) {
    System.out.println("error looking for the aliases ETO 6/19/2008 10:13:23 AM");
    e.printStackTrace();
}
###### The above code produced the following output
CryptoBase#getCertificates A -- keystore entries [1] alias [bob] keystore.isKeyEntry [true] containsAlias [true] etoCerts [null] myKey[javax.crypto.spec.SecretKeySpec@b069b1cc] key algo [DESede] format [RAW]
Found alias [bob]
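Why "Point A" and "Point B" in the thread are not contradictory: a JCEKS keystore holds three kinds of entry, and keytool -genseckey creates a SecretKeyEntry, which by definition carries no X.509 certificate chain, so containsAlias() and isKeyEntry() are true while getCertificateChain() is null. WSS4J's Signature action needs a PrivateKeyEntry (RSA private key plus certificate) under the signing alias, and a null chain is what turns into "Unexpected number of X509Data: for Signature". The program below is an added example, not code from the thread or from WSS4J. It rebuilds the same kind of entry in memory, or inspects a keystore whose path is given on the command line (the "password" store/key password is assumed, as in the thread), and classifies every alias the way a WSS4J Crypto implementation experiences it.

```java
import java.io.FileInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not WSS4J code): shows why keystore.containsAlias(alias) can be
 * true while keystore.getCertificateChain(alias) is null, which is exactly what
 * CryptoBase#getCertificates sees for an alias created with keytool -genseckey.
 */
public class KeystoreEntryCheck {

    /** Classify one alias the way a WSS4J Crypto implementation experiences it. */
    static String classify(KeyStore ks, String alias) throws Exception {
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            // isKeyEntry() is true here, but there is no X.509 certificate at all:
            // Signature with DirectReference has nothing to put into X509Data.
            return "SecretKeyEntry: symmetric key, no certificate chain (unusable for WSS4J Signature/Encrypt)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            return "PrivateKeyEntry: private key + " + ks.getCertificateChain(alias).length
                + " certificate(s) (what the Signature action needs under the signing alias)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            return "TrustedCertificateEntry: certificate only (what Encrypt needs under the receiver's alias)";
        }
        return "unknown entry type";
    }

    /** One "alias -> classification" line per entry, with the same probes as the thread's debug code. */
    static List<String> report(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            lines.add(alias + " -> " + classify(ks, alias)
                + " [containsAlias=" + ks.containsAlias(alias)
                + ", isKeyEntry=" + ks.isKeyEntry(alias)
                + ", getCertificateChain=" + (chain == null ? "null" : chain.length + " certs") + "]");
        }
        return lines;
    }

    /** Reproduces the thread's keystore without keytool: one DESede SecretKeyEntry under alias "bob". */
    static KeyStore buildGenseckeyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password); // empty in-memory store, constructed for the example
        SecretKey desede = KeyGenerator.getInstance("DESede").generateKey();
        ks.setEntry("bob", new KeyStore.SecretKeyEntry(desede), new KeyStore.PasswordProtection(password));
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "password".toCharArray(); // assumed, as in the thread
        KeyStore ks;
        if (args.length == 1) {
            // Inspect a real store, e.g.: java KeystoreEntryCheck conf\bob.jks
            ks = KeyStore.getInstance("JCEKS");
            FileInputStream in = new FileInputStream(args[0]);
            try { ks.load(in, password); } finally { in.close(); }
        } else {
            ks = buildGenseckeyStore(password);
        }
        for (String line : report(ks)) {
            System.out.println(line);
        }

        // The KeyStore API itself enforces the invariant WSS4J relies on:
        // a private key cannot be stored without a certificate chain.
        KeyPair rsa = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        try {
            ks.setKeyEntry("bob-rsa", rsa.getPrivate(), password, new Certificate[0]);
            System.out.println("unexpected: private key stored without a chain");
        } catch (IllegalArgumentException expected) {
            System.out.println("private key without certificate chain rejected: " + expected.getMessage());
        }
    }
}
```

Run against the in-memory store it prints a SecretKeyEntry line with getCertificateChain=null for "bob", the same combination the thread's debug output shows. To produce an entry the Signature action can use, the 1.6 keytool command is -genkeypair -keyalg RSA (with a -dname such as "CN=bob", the same -alias, -keystore, -storetype JCEKS and password options) instead of -genseckey; that creates a PrivateKeyEntry with a self-signed certificate, and the bob.properties from the thread then works unchanged. The hard-coded "password" is kept only to mirror the thread; in real deployments the keystore password belongs in the password callback, not in source.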
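Werner's point about direction, as an added example that is not WSS4J's own code: the hybrid scheme WSS4J implements for the Encrypt action, with xmlenc#tripledes-cbc for the Body and xmlenc#rsa-1_5 as key transport, reduced to plain JCE calls on a byte string instead of a SOAP envelope. The two RSA key pairs ("alice" as sender, "bob" as receiver), the payload bytes and the class and method names are all constructed for the example. The second run, where the sender wraps the session key under its own public key (what encryptionUser=bob does when bob is also the sender), shows that the receiver cannot recover the session key.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added example (not WSS4J code): the key-transport pattern behind WSS4J's Encrypt action.
 * A fresh symmetric session key encrypts the payload; the session key is wrapped with the
 * RECEIVER's RSA public key. Wrapping it with any other key yields a message the receiver
 * cannot open.
 */
public class KeyTransportDirection {

    /** The three things that end up in the message: wrapped session key, IV, ciphertext. */
    static class EncryptedMessage {
        final byte[] wrappedSessionKey; // would be xenc:EncryptedKey, key transport rsa-1_5
        final byte[] iv;                // prefix of xenc:CipherValue for tripledes-cbc
        final byte[] ciphertext;        // the encrypted Body content
        EncryptedMessage(byte[] key, byte[] iv, byte[] ct) {
            this.wrappedSessionKey = key; this.iv = iv; this.ciphertext = ct;
        }
    }

    /** Sender side: the only key that matters here is the receiver's public key. */
    static EncryptedMessage encryptFor(PublicKey receiverPublicKey, byte[] body) throws GeneralSecurityException {
        SecretKey session = KeyGenerator.getInstance("DESede").generateKey(); // per-message session key
        byte[] iv = new byte[8];
        new SecureRandom().nextBytes(iv);
        Cipher sym = Cipher.getInstance("DESede/CBC/PKCS5Padding");          // xmlenc#tripledes-cbc
        sym.init(Cipher.ENCRYPT_MODE, session, new IvParameterSpec(iv));
        byte[] ct = sym.doFinal(body);
        Cipher transport = Cipher.getInstance("RSA/ECB/PKCS1Padding");       // xmlenc#rsa-1_5
        transport.init(Cipher.WRAP_MODE, receiverPublicKey);
        return new EncryptedMessage(transport.wrap(session), iv, ct);
    }

    /** Receiver side: only the holder of the matching private key can unwrap the session key. */
    static byte[] decryptWith(PrivateKey receiverPrivateKey, EncryptedMessage msg) throws GeneralSecurityException {
        Cipher transport = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        transport.init(Cipher.UNWRAP_MODE, receiverPrivateKey);
        SecretKey session = (SecretKey) transport.unwrap(msg.wrappedSessionKey, "DESede", Cipher.SECRET_KEY);
        Cipher sym = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        sym.init(Cipher.DECRYPT_MODE, session, new IvParameterSpec(msg.iv));
        return sym.doFinal(msg.ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair(); // sender (constructed for the example)
        KeyPair bob = kpg.generateKeyPair();   // receiver (constructed for the example)
        byte[] body = "<soap:Body>creditLineInq2 AP18740</soap:Body>".getBytes("UTF-8"); // constructed payload

        // Correct: encryptionUser names the receiver. Alice wraps the session key with Bob's public key.
        EncryptedMessage forBob = encryptFor(bob.getPublic(), body);
        System.out.println("bob decrypts: " + new String(decryptWith(bob.getPrivate(), forBob), "UTF-8"));

        // Wrong: encryptionUser names the sender. Alice wraps with her own public key; Bob's private
        // key cannot undo that, so the unwrap (or, very rarely, the body decryption) fails.
        EncryptedMessage forAlice = encryptFor(alice.getPublic(), body);
        try {
            decryptWith(bob.getPrivate(), forAlice);
            System.out.println("unexpected: bob recovered a body he should not have");
        } catch (GeneralSecurityException e) {
            System.out.println("bob cannot open a message encrypted for alice: " + e);
        }
    }
}
```

Two practitioner notes. First, in the thread's single-keystore setup the client can only succeed if "bob" really is the service, so the client-side encryptionUser must name the server's alias and the server's decryptionPropFile must point at a store holding that alias's private key. Second, RSA-1_5 (PKCS#1 v1.5) key transport is exposed to Bleichenbacher-style padding-oracle attacks; RSA-OAEP (xmlenc#rsa-oaep-mgf1p) is the key transport to prefer, and later WSS4J releases reject RSA-1_5 on the receiving side unless it is explicitly allowed.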
AW: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Dittmann, Werner (NSN - DE/Muenich)" <we...@nsn.com>.
Erik,
I don't understand your statement about "single/symmetric key". Looking
at your deployment
it's clear to me that you use a public key:
According to the specification and WSS4J documentation: WSS4J creates a
symmetric session key, encrypts the Body using triple-DES CBC (according
to your deployment) and encrypts this session key using RSA-1_5. The key
to encrypt the session key _must_ be the public RSA key of the receiver,
not the sender. To me it seems that you use the public key of Bob to
encrypt the session key. Who is the receiver?
Regards,
Werner
________________________________
From: ext Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Monday, 23 June 2008 16:13
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Colm wrote:
>>you're both encrypting using "bob"s public key and also
signing using his private key!
I knew I had 'bob' in there perhaps too many times. But I
didn't think that would matter, because I'm using a single
secret/symmetric key -- not public and private ones.
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Monday, June 23, 2008 4:56 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Hi Erik,
I can't see anything obviously wrong from your configuration,
apart from the fact that you're both encrypting using "bob"'s public key
and also signing using his private key!
I suggest trying to simplify things a bit, try something like
this (where "bob" is signing both the Timestamp and the message body):
outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature");
outProps.put(WSHandlerConstants.USER, "bob");
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
    + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 19:57
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Thanks for the quick reply. I made that change (excellent
catch, by the way) and it did not make a difference -- probably because
that is in the server configuration, and it dies before it gets to the
server.
Here is my client code.
import java.util.HashMap;
import java.util.Map;

import javax.xml.ws.Service;

import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public static void main(String args[]) throws Exception {
    Service service = Service.create(SERVICE_NAME); // created but not used below
    // Endpoint Address
    String endpointAddress = "http://localhost:9000/dfSoap/services/hello_world";
    JaxWsProxyFactoryBean factory = getFactory();
    factory.setServiceClass(HelloWorld.class);
    factory.setAddress(endpointAddress);
    HelloWorld hw = (HelloWorld) factory.create();
    CreditLineSummaryInqRs rs = hw.creditLineInq2("AP18740", getLiveRq());
    displayResponse((CreditLineSummaryInqRs) rs);
}

public static JaxWsProxyFactoryBean getFactory() {
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();

    // Outbound (request) security: Timestamp, Signature and Encrypt, all keyed off alias "bob"
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    //outProps.put("user", "alice");
    outProps.put(WSHandlerConstants.USER, "bob");
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
        + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.ENCRYPTION_USER, "bob");
    outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
        "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;"
        + "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
    outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps); // request
    factory.getOutInterceptors().add(wssOut);
    //factory.getOutInterceptors().add(new SAAJOutInterceptor());

    // Inbound (response) security
    Map<String, Object> inProps = new HashMap<String, Object>();
    inProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    inProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    inProps.put(WSHandlerConstants.DEC_PROP_FILE, "bob.properties");
    WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps); // response
    factory.getInInterceptors().add(wssIn);
    //factory.getInInterceptors().add(new SAAJInInterceptor());
    return factory;
}
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 11:14 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
> <jaxws:outInterceptors>
> <bean
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
You're attaching an "in" interceptor to the out interceptor list
there...try replacing it with WSS4JOutInterceptor.
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 15:56
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Here is bob.properties. To no avail, I tried
'org.apache.ws.security.components.crypto.BouncyCastle' for the
org.apache.ws.security.crypto.provider.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
--Erik
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 14:57
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out
CryptoBase#getCertificates(alias)
..replying to self. Here are a few important details I forgot
to include for this "Unexpected number of X509Data: for Signature"
error.
I'm trying to encrypt and sign a CXF 2.1 SOAP message with a
symmetric key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the
server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java]     at $Proxy29.creditLineInq2(Unknown Source)
[java]     at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java]     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java]     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java]     ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java]     at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java]     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java]     ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
  <import resource="classpath:META-INF/cxf/cxf.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
  <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
  <jaxws:endpoint id="jaxwsService"
                  implementor="demo.hw.server.HelloWorldImpl"
                  address="/hello_world">
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile" value="bob.properties"/>
            <entry key="decryptionPropFile" value="bob.properties"/>
            <entry key="passwordCallbackClass" value="demo.hw.server.KeystorePasswordCallback"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="bob"/>
            <entry key="signaturePropFile" value="bob.properties"/>
            <entry key="encryptionPropFile" value="bob.properties"/>
            <entry key="encryptionUser" value="bob"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="passwordCallbackClass" value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:outInterceptors>
  </jaxws:endpoint>
  <bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
  <bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
  <cxf:bus>
    <cxf:features>
      <cxf:logging/>
    </cxf:features>
  </cxf:bus>
</beans>
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Thursday, June 19, 2008 5:23 PM
To: wss4j-dev@ws.apache.org
Subject: Need help figuring out
CryptoBase#getCertificates(alias)
Hi,
I'm having trouble getting wss4j/bouncyCastle/jce to find my
certificate.
Everything I've read on my error (below) says I've got something
wrong with my alias.
So, I added some debug code which seems to show I've got my alias
stuff right.
I learned the following from my debug code:
Point A: keystore.getCertificateChain(alias) returns null
Point B: keystore.containsAlias(alias) returns true.
This is where I'm not understanding things, b/c my "Point A" and
"Point B" (in my own head) seem mutually exclusive.
Thanks all,
--Erik Ostermueller
#####Here is the error I'm getting:
Caused by: org.apache.ws.security.WSSecurityException:
WSHandler: Signature: error during message
processingorg.apache.ws.security.WSSecurityException:
General security error (Unexpected number of X509Data: for
Signature)
#####Here is my key generation:
%JAVA_HOME%\bin\keytool -genseckey -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -storetype JCEKS -keyalg DESede -keystore .\conf\bob.jks -alias bob -validity 365 -storepass password -keypass password
###### I added the following debug code to the very top of
CryptoBase#getCertificates(alias) from wss4j 1.5.4
try {
    Certificate[] etoCerts = keystore.getCertificateChain(alias);
    java.security.Key myKey = keystore.getKey(alias, "password".toCharArray());
    System.out.println("CryptoBase#getCertificates A -- keystore entries [" + keystore.size()
        + "] alias [" + alias + "] keystore.isKeyEntry [" + keystore.isKeyEntry(alias)
        + "] containsAlias [" + keystore.containsAlias(alias) + "] etoCerts [" + etoCerts
        + "] myKey[" + myKey + "] key algo [" + myKey.getAlgorithm() + "] format ["
        + myKey.getFormat() + "]");
    for (Enumeration xenum = keystore.aliases(); xenum.hasMoreElements();) {
        Object objAlias = xenum.nextElement();
        System.out.println("Found alias [" + objAlias + "]");
    }
} catch (Exception e) {
    System.out.println("error looking for the aliases ETO 6/19/2008 10:13:23 AM");
    e.printStackTrace();
}
###### The above code produced the following output
CryptoBase#getCertificates A -- keystore entries [1] alias [bob] keystore.isKeyEntry [true] containsAlias [true] etoCerts [null] myKey[javax.crypto.spec.SecretKeySpec@b069b1cc] key algo [DESede] format [RAW]
Found alias [bob]
______________
The information contained in this message is proprietary and/or
confidential. If you are not the
intended recipient, please: (i) delete the message and all
copies; (ii) do not disclose,
distribute or use the message in any manner; and (iii) notify
the sender immediately. In addition,
please be aware that any message addressed to our domain is
subject to archiving and review by
persons other than the intended recipient. Thank you.
_____________
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin
4, Ireland
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
Colm wrote:
>> you're both encrypting using "bob"s public key and also signing using
>> his private key!
I knew I had 'bob' in there perhaps too many times. But I didn't think
that would matter, because I'm using a single secret/symmetric key --
not public and private ones.
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Monday, June 23, 2008 4:56 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Hi Erik,
I can't see anything obviously wrong from your configuration, apart from
the fact that you're both encrypting using "bob"s public key and also
signing using his private key!
I suggest trying to simplify things a bit, try something like this
(where "bob" is signing both the Timestamp and the message body):
outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature");
outProps.put(WSHandlerConstants.USER,"bob");
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
"demo.hw.server.KeystorePasswordCallback");
outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 19:57
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Thanks for the quick reply. I made that change (excellent catch, by the
way) and it did not make a difference -- probably because that is in the
server configuration, and it dies before it gets to the server.
Here is my client code.
public static void main(String args[]) throws Exception {
    Service service = Service.create(SERVICE_NAME);
    // Endpoint Address
    String endpointAddress = "http://localhost:9000/dfSoap/services/hello_world";
    JaxWsProxyFactoryBean factory = getFactory();
    factory.setServiceClass(HelloWorld.class);
    factory.setAddress(endpointAddress);
    HelloWorld hw = (HelloWorld) factory.create();
    CreditLineSummaryInqRs rs = hw.creditLineInq2("AP18740", getLiveRq());
    displayResponse((CreditLineSummaryInqRs) rs);
}

public static JaxWsProxyFactoryBean getFactory() {
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    //outProps.put("user", "alice");
    outProps.put(WSHandlerConstants.USER, "bob");
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.ENCRYPTION_USER, "bob");
    outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
        "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
    outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    //request
    factory.getOutInterceptors().add(wssOut);
    //factory.getOutInterceptors().add(new SAAJOutInterceptor());
    Map<String, Object> inProps = new HashMap<String, Object>();
    inProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    inProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    inProps.put(WSHandlerConstants.DEC_PROP_FILE, "bob.properties");
    WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
    //response
    factory.getInInterceptors().add(wssIn);
    //factory.getInInterceptors().add(new SAAJInInterceptor());
    return factory;
}
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 11:14 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
> <jaxws:outInterceptors>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
You're attaching an "in" interceptor to the out interceptor list
there...try replacing it with WSS4JOutInterceptor.
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 15:56
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Here is bob.properties. To no avail, I tried
'org.apache.ws.security.components.crypto.BouncyCastle' for the
org.apache.ws.security.crypto.provider.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
--Erik
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 14:57
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
..replying to self. Here are a few important details I forgot to
include for this "Unexpected number of X509Data: for Signature" error.
I'm trying to encrypt and sign a CXF 2.1 SOAP message with a symmetric
key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java] at $Proxy29.creditLineInq2(Unknown Source)
[java] at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java] ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java] at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java] at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java] ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core"
xsi:schemaLocation="
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<jaxws:endpoint
id="jaxwsService"
implementor="demo.hw.server.HelloWorldImpl"
address="/hello_world" >
<jaxws:inInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="signaturePropFile" value="bob.properties"/>
<entry key="decryptionPropFile" value="bob.properties"/>
<entry key="passwordCallbackClass"
value="demo.hw.server.KeystorePasswordCallback"/>
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="bob"/>
<entry key="signaturePropFile" value="bob.properties"/>
<entry key="encryptionPropFile" value="bob.properties"/>
<entry key="encryptionUser" value="bob"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="passwordCallbackClass"
value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
<entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionKeyTransportAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</map>
</constructor-arg>
</bean>
</jaxws:outInterceptors>
</jaxws:endpoint>
<bean id="logInbound"
class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean id="logOutbound"
class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
<cxf:bus>
<cxf:features>
<cxf:logging/>
</cxf:features>
</cxf:bus>
</beans>
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: Thursday, June 19, 2008 5:23 PM
To: wss4j-dev@ws.apache.org
Subject: Need help figuring out CryptoBase#getCertificates(alias)
Hi,
I'm having trouble getting wss4j/bouncyCastle/jce to find my
certificate.
Everything I've read on my error (below) says I've got something wrong
with my alias.
So, I added some debug code which seems to show I've got my alias stuff
right.
I learned the following from my debug code:
Point A: keystore.getCertificateChain(alias) returns null
Point B: keystore.containsAlias(alias) returns true.
This is where I'm not understanding things, b/c my "Point A" and "Point
B" (in my own head) seem mutually exclusive.
Thanks all,
--Erik Ostermueller
#####Here is the error I'm getting:
Caused by: org.apache.ws.security.WSSecurityException:
WSHandler: Signature: error during message
processingorg.apache.ws.security.WSSecurityException:
General security error (Unexpected number of X509Data: for
Signature)
#####Here is my key generation:
%JAVA_HOME%\bin\keytool -genseckey -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -storetype JCEKS -keyalg DESede -keystore .\conf\bob.jks -alias bob -validity 365 -storepass password -keypass password
###### I added the following debug code to the very top of
CryptoBase#getCertificates(alias) from wss4j 1.5.4
try {
    Certificate[] etoCerts = keystore.getCertificateChain(alias);
    java.security.Key myKey = keystore.getKey(alias, "password".toCharArray());
    System.out.println("CryptoBase#getCertificates A -- keystore entries [" + keystore.size()
        + "] alias [" + alias + "] keystore.isKeyEntry [" + keystore.isKeyEntry(alias)
        + "] containsAlias [" + keystore.containsAlias(alias) + "] etoCerts [" + etoCerts
        + "] myKey[" + myKey + "] key algo [" + myKey.getAlgorithm() + "] format ["
        + myKey.getFormat() + "]");
    for (Enumeration xenum = keystore.aliases(); xenum.hasMoreElements();) {
        Object objAlias = xenum.nextElement();
        System.out.println("Found alias [" + objAlias + "]");
    }
} catch (Exception e) {
    System.out.println("error looking for the aliases ETO 6/19/2008 10:13:23 AM");
    e.printStackTrace();
}
###### The above code produced the following output
CryptoBase#getCertificates A -- keystore entries [1] alias [bob] keystore.isKeyEntry [true] containsAlias [true] etoCerts [null] myKey[javax.crypto.spec.SecretKeySpec@b069b1cc] key algo [DESede] format [RAW]
Found alias [bob]
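The debug output quoted in this thread (isKeyEntry true, containsAlias true, getCertificateChain null, key algorithm DESede) is exactly what a JCEKS store built with keytool -genseckey looks like: the alias holds a KeyStore.SecretKeyEntry, and the JDK's KeyStore.getCertificateChain returns null for any alias that is not a PrivateKeyEntry, while isKeyEntry is true for both secret-key and private-key entries. The inspector below is an added example written for this page; it is not code from wss4j, CXF or either poster. The class name KeyStoreEntryInspector and the in-memory sample store are constructions for the example. It classifies every alias by entry type so the two "mutually exclusive" observations read as one fact, and it can be pointed at a real store by passing a file path and store type on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added diagnostic (not part of wss4j or the thread): reports what kind of
 * entry sits behind each alias, because containsAlias()/isKeyEntry() say
 * nothing about whether a certificate chain exists.
 */
public class KeyStoreEntryInspector {

    /** Human-readable entry kind for one alias. */
    public static String classify(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "absent";
        }
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            return "PrivateKeyEntry (private key + certificate chain; what an X.509 signature needs)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            return "SecretKeyEntry (symmetric key only; getCertificateChain() is null)";
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            return "TrustedCertificateEntry (certificate only, no key)";
        }
        return "unknown";
    }

    /** Prints one line per alias in the same shape as the thread's debug output. */
    public static void report(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.printf("alias [%s] isKeyEntry [%b] chain [%s] kind [%s]%n",
                alias, ks.isKeyEntry(alias),
                chain == null ? "null" : chain.length + " cert(s)",
                classify(ks, alias));
        }
    }

    /**
     * Constructed sample: an in-memory JCEKS store holding a DESede secret key
     * under alias "bob", which is what keytool -genseckey produces.
     */
    public static KeyStore sampleSecretKeyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                       // start with an empty store
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        ks.setEntry("bob", new KeyStore.SecretKeyEntry(key),
            new KeyStore.PasswordProtection(password));
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Sample password matching the thread's keytool command; not a recommendation.
        char[] password = "password".toCharArray();
        KeyStore ks;
        if (args.length == 2) {
            // Usage: java KeyStoreEntryInspector <keystore-file> <storetype>   e.g. bob.jks JCEKS
            ks = KeyStore.getInstance(args[1]);
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
        } else {
            ks = sampleSecretKeyStore(password);
        }
        report(ks);
    }
}
```

Run without arguments it prints one line for "bob" with isKeyEntry true, chain null and kind SecretKeyEntry, which is the combination the debug code above produced. A Signature action that identifies the signer by X.509 certificate (DirectReference in this thread's configuration) can only be satisfied by a PrivateKeyEntry, the kind of entry keytool -genkeypair creates; a SecretKeyEntry has no certificate for the signature to reference, no matter how many times the alias is configured.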
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Hi Erik,
I can't see anything obviously wrong from your configuration, apart from
the fact that you're both encrypting using "bob"s public key and also
signing using his private key!
I suggest trying to simplify things a bit, try something like this
(where "bob" is signing both the Timestamp and the message body):
outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature");
outProps.put(WSHandlerConstants.USER,"bob");
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
"demo.hw.server.KeystorePasswordCallback");
outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 19:57
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Thanks for the quick reply. I made that change (excellent catch, by the
way) and it did not make a difference -- probably because that is in the
server configuration, and it dies before it gets to the server.
Here is my client code.
public static void main(String args[]) throws Exception {
    Service service = Service.create(SERVICE_NAME);
    // Endpoint Address
    String endpointAddress = "http://localhost:9000/dfSoap/services/hello_world";
    JaxWsProxyFactoryBean factory = getFactory();
    factory.setServiceClass(HelloWorld.class);
    factory.setAddress(endpointAddress);
    HelloWorld hw = (HelloWorld) factory.create();
    CreditLineSummaryInqRs rs = hw.creditLineInq2("AP18740", getLiveRq());
    displayResponse((CreditLineSummaryInqRs) rs);
}

public static JaxWsProxyFactoryBean getFactory() {
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
    Map<String, Object> outProps = new HashMap<String, Object>();
    outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    //outProps.put("user", "alice");
    outProps.put(WSHandlerConstants.USER, "bob");
    outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
        "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_PROP_FILE, "bob.properties");
    outProps.put(WSHandlerConstants.ENCRYPTION_USER, "bob");
    outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
        "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
    outProps.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
    outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    //request
    factory.getOutInterceptors().add(wssOut);
    //factory.getOutInterceptors().add(new SAAJOutInterceptor());
    Map<String, Object> inProps = new HashMap<String, Object>();
    inProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
    inProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
    inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
    inProps.put(WSHandlerConstants.DEC_PROP_FILE, "bob.properties");
    WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
    //response
    factory.getInInterceptors().add(wssIn);
    //factory.getInInterceptors().add(new SAAJInInterceptor());
    return factory;
}
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 11:14 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
> <jaxws:outInterceptors>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
You're attaching an "in" interceptor to the out interceptor list
there...try replacing it with WSS4JOutInterceptor.
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 15:56
To: O hEigeartaigh, Colm; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Here is bob.properties. To no avail, I tried
'org.apache.ws.security.components.crypto.BouncyCastle' for the
org.apache.ws.security.crypto.provider.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
--Erik
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 14:57
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
..replying to self. Here are a few important details I forgot to
include for this "Unexpected number of X509Data: for Signature" error.
I'm trying to encrypt and sign a CXF 2.1 SOAP message with a symmetric
key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java] at $Proxy29.creditLineInq2(Unknown Source)
[java] at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java] ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java] at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java] at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java] ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core"
xsi:schemaLocation="
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<jaxws:endpoint
id="jaxwsService"
implementor="demo.hw.server.HelloWorldImpl"
address="/hello_world" >
<jaxws:inInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="signaturePropFile" value="bob.properties"/>
<entry key="decryptionPropFile" value="bob.properties"/>
<entry key="passwordCallbackClass"
value="demo.hw.server.KeystorePasswordCallback"/>
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="bob"/>
<entry key="signaturePropFile" value="bob.properties"/>
<entry key="encryptionPropFile" value="bob.properties"/>
<entry key="encryptionUser" value="bob"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="passwordCallbackClass"
value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
<entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionKeyTransportAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</map>
</constructor-arg>
</bean>
</jaxws:outInterceptors>
</jaxws:endpoint>
<bean id="logInbound"
class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean id="logOutbound"
class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
<cxf:bus>
<cxf:features>
<cxf:logging/>
</cxf:features>
</cxf:bus>
</beans>
______________
The information contained in this message is proprietary and/or
confidential. If you are not the
intended recipient, please: (i) delete the message and all copies; (ii)
do not disclose,
distribute or use the message in any manner; and (iii) notify the sender
immediately. In addition,
please be aware that any message addressed to our domain is subject to
archiving and review by
persons other than the intended recipient. Thank you.
_____________
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4,
Ireland
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
Thanks for the quick reply. I made that change (excellent catch, by the
way) and it did not make a difference -- probably because that is in the
server configuration, and it dies before it gets to the server.
Here is my client code.
package demo.hw.client;

import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.Service;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

// SERVICE_NAME, HelloWorld, CreditLineSummaryInqRs, getLiveRq() and
// displayResponse() belong to the rest of the client and are not shown here.
public class Client {

    public static void main(String args[]) throws Exception {
        Service service = Service.create(SERVICE_NAME); // created but not used below
        // Endpoint Address
        String endpointAddress = "http://localhost:9000/dfSoap/services/hello_world";
        JaxWsProxyFactoryBean factory = getFactory();
        factory.setServiceClass(HelloWorld.class);
        factory.setAddress(endpointAddress);
        HelloWorld hw = (HelloWorld) factory.create();
        CreditLineSummaryInqRs rs = hw.creditLineInq2("AP18740", getLiveRq());
        displayResponse((CreditLineSummaryInqRs) rs);
    }

    // Proxy factory with WSS4J interceptors in both directions: the out
    // interceptor timestamps, signs and encrypts the request, the in
    // interceptor verifies and decrypts the response.
    public static JaxWsProxyFactoryBean getFactory() {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();

        Map<String,Object> outProps = new HashMap<String,Object>();
        outProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
        //outProps.put("user", "alice");
        outProps.put(WSHandlerConstants.USER, "bob"); // keystore alias used for signing
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
        outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
        outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
            "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
            + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        outProps.put(WSHandlerConstants.ENC_PROP_FILE, "bob.properties");
        outProps.put(WSHandlerConstants.ENCRYPTION_USER, "bob");
        outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
            "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;"
            + "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
        outProps.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
        outProps.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
        WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
        //request
        factory.getOutInterceptors().add(wssOut);
        //factory.getOutInterceptors().add(new SAAJOutInterceptor());

        Map<String,Object> inProps = new HashMap<String,Object>();
        inProps.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
        inProps.put(WSHandlerConstants.SIG_PROP_FILE, "bob.properties");
        inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, "demo.hw.server.KeystorePasswordCallback");
        inProps.put(WSHandlerConstants.DEC_PROP_FILE, "bob.properties");
        WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
        //response
        factory.getInInterceptors().add(wssIn);
        //factory.getInInterceptors().add(new SAAJInInterceptor());
        return factory;
    }
}
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
________________________________
From: Ostermueller, Erik [mailto:Erik.Ostermueller@fnis.com]
Sent: 20 June 2008 14:57
To: wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
..replying to self. Here are a few important details I forgot to
include for this "Unexpected number of X509Data: for Signature" error.
I'm trying to encrypt and sign a CXF 2.1 soap message with symmetric
key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java]     at $Proxy29.creditLineInq2(Unknown Source)
[java]     at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java]     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java]     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java]     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java]     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java]     ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java]     at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java]     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java]     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java]     ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core"
xsi:schemaLocation="
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<jaxws:endpoint
id="jaxwsService"
implementor="demo.hw.server.HelloWorldImpl"
address="/hello_world" >
<jaxws:inInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="signaturePropFile" value="bob.properties"/>
<entry key="decryptionPropFile" value="bob.properties"/>
<entry key="passwordCallbackClass"
value="demo.hw.server.KeystorePasswordCallback"/>
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="bob"/>
<entry key="signaturePropFile" value="bob.properties"/>
<entry key="encryptionPropFile" value="bob.properties"/>
<entry key="encryptionUser" value="bob"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="passwordCallbackClass"
value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
<entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionKeyTransportAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</map>
</constructor-arg>
</bean>
</jaxws:outInterceptors>
</jaxws:endpoint>
<bean id="logInbound"
class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean id="logOutbound"
class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
<cxf:bus>
<cxf:features>
<cxf:logging/>
</cxf:features>
</cxf:bus>
</beans>
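The debug output quoted in this thread (containsAlias true, isKeyEntry true, getCertificateChain null, a DESede SecretKeySpec in RAW format) is exactly what java.security.KeyStore reports for a SecretKeyEntry: isKeyEntry() is true for secret keys as well as private keys, but only a PrivateKeyEntry carries a certificate chain, and the WSS4J Signature action needs that certificate plus its private key to build the X509Data it is complaining about. keytool -genseckey produces a SecretKeyEntry; an X.509 signing key comes from keytool -genkeypair (-genkey on older JDKs), which is also the only place -validity means anything. The class below is an added diagnostic written for this page, not WSS4J or CXF code; the class name KeystoreEntryCheck and the in-memory keystore it builds (a stand-in for the bob.jks created by the keytool command in the thread) are the example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not WSS4J code): reports what kind of entry sits behind each
 * alias, i.e. what CryptoBase#getCertificates(alias) will or will not find there.
 */
public class KeystoreEntryCheck {

    /**
     * One line describing the entry behind alias. containsAlias() and isKeyEntry()
     * are true for both PrivateKeyEntry and SecretKeyEntry; only a PrivateKeyEntry
     * has a certificate chain, so only it can back an X.509 Signature action.
     */
    public static String describe(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            return alias + ": no such alias";
        }
        StringBuilder sb = new StringBuilder(alias)
                .append(": isKeyEntry=").append(ks.isKeyEntry(alias)).append(", ");
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            sb.append("PrivateKeyEntry, chain length ").append(chain.length)
              .append(" -> usable for an X.509 Signature action");
        } else if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            SecretKey key = (SecretKey) ks.getKey(alias, keyPassword);
            sb.append("SecretKeyEntry (").append(key.getAlgorithm())
              .append(", format ").append(key.getFormat())
              .append("), getCertificateChain()=").append(ks.getCertificateChain(alias))
              .append(" -> no certificate, cannot back an X.509 Signature action");
        } else if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            sb.append("TrustedCertificateEntry -> certificate only, no private key to sign with");
        } else {
            sb.append("unrecognised entry type");
        }
        return sb.toString();
    }

    /**
     * Builds in memory what "keytool -genseckey -keyalg DESede -storetype JCEKS"
     * produces: a JCEKS store with one SecretKeyEntry under alias. (A plain JKS
     * store cannot hold secret keys at all, which is why the thread uses JCEKS.)
     */
    public static KeyStore secretKeyStore(String alias, char[] password) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start from an empty store
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password));
        // Round-trip through bytes so the caller sees a freshly loaded store, as Merlin would.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        KeyStore loaded = KeyStore.getInstance("JCEKS");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), password);
        return loaded;
    }

    /** No arguments: inspect the constructed store. "file storepass [keypass]": inspect a real JCEKS file. */
    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();
        KeyStore ks;
        if (args.length >= 2) {
            ks = KeyStore.getInstance("JCEKS");
            InputStream in = new FileInputStream(args[0]);
            try {
                ks.load(in, args[1].toCharArray());
            } finally {
                in.close();
            }
            pw = (args.length > 2 ? args[2] : args[1]).toCharArray();
        } else {
            ks = secretKeyStore("bob", pw); // reproduces the keystore from the thread
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            System.out.println(describe(ks, e.nextElement(), pw));
        }
    }
}
```

Run without arguments it prints one line for alias bob reporting a SecretKeyEntry with a null certificate chain, which is the state the thread's debug code observed; point it at a store created with keytool -genkeypair and the same alias reports a PrivateKeyEntry with a chain. Separately, and unrelated to the certificate problem, the configurations quoted in this thread pick rsa-1_5 key transport and tripledes-cbc; WSS4J also accepts http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p and http://www.w3.org/2001/04/xmlenc#aes256-cbc, which are the values a deployment should use.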
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
> <jaxws:outInterceptors>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
You're attaching an "in" interceptor to the out interceptor list
there...try replacing it with WSS4JOutInterceptor.
Colm.
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
Here is bob.properties. To no avail, I tried
'org.apache.ws.security.components.crypto.BouncyCastle' for the
org.apache.ws.security.crypto.provider.
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jceks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=bob
org.apache.ws.security.crypto.merlin.file=bob.jks
--Erik
________________________________
From: O hEigeartaigh, Colm [mailto:Colm.OhEigeartaigh@iona.com]
Sent: Friday, June 20, 2008 9:34 AM
To: Ostermueller, Erik; wss4j-dev@ws.apache.org
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
Can you post your bob.properties config file?
Colm.
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4,
Ireland
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
Can you post your bob.properties config file?
Colm.
RE: Need help figuring out CryptoBase#getCertificates(alias)
Posted by "Ostermueller, Erik" <Er...@fnis.com>.
...replying to self. Here are a few important details I forgot to
include for this "Unexpected number of X509Data: for Signature" error.
I'm trying to encrypt and sign a CXF 2.1 SOAP message with a symmetric
key. BouncyCastle version is jdk15-139.
This stack trace is on the client side -- it never gets to the server.
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Security processing failed.
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:218)
[java] at $Proxy29.creditLineInq2(Unknown Source)
[java] at demo.hw.client.Client.main(Client.java:77)
[java] Caused by: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:213)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:86)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
[java] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
[java] ... 2 more
[java] Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
[java] at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:61)
[java] at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
[java] at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:198)
[java] ... 8 more
[java] Java Result: 1
Here is my configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
  <import resource="classpath:META-INF/cxf/cxf.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
  <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
  <jaxws:endpoint
      id="jaxwsService"
      implementor="demo.hw.server.HelloWorldImpl"
      address="/hello_world" >
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="signaturePropFile" value="bob.properties"/>
            <entry key="decryptionPropFile" value="bob.properties"/>
            <entry key="passwordCallbackClass" value="demo.hw.server.KeystorePasswordCallback"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="user" value="bob"/>
            <entry key="signaturePropFile" value="bob.properties"/>
            <entry key="encryptionPropFile" value="bob.properties"/>
            <entry key="encryptionUser" value="bob"/>
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
            <entry key="passwordCallbackClass" value="org.jboss.test.ws.jaxws.samples.wsse.KeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:outInterceptors>
  </jaxws:endpoint>
  <bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
  <bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
  <cxf:bus>
    <cxf:features>
      <cxf:logging/>
    </cxf:features>
  </cxf:bus>
</beans>
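The "Point A / Point B" puzzle in Erik's original message (containsAlias and isKeyEntry true, getCertificateChain null) is what a JCEKS SecretKeyEntry looks like: `keytool -genseckey` stores a symmetric key and no certificate, while the WSS4J Signature action needs an X.509 certificate to build its X509Data. The example below is added here and is not wss4j, CXF or Erik's code: it rebuilds that keystore in memory and runs a hypothetical preflight, `whyNotSignable`, that reports why an alias cannot back an X.509 signature; `SigningAliasPreflight` and `secretKeyOnlyStore` are names chosen for this example.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Hypothetical preflight for a signature alias (example code, not part of wss4j). */
public class SigningAliasPreflight {

    /**
     * Builds, in memory, the kind of store that
     * "keytool -genseckey -storetype JCEKS -keyalg DESede -alias bob" produces:
     * a single SecretKeyEntry and no certificate at all.
     */
    static KeyStore secretKeyOnlyStore(String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);                          // start from an empty store
        SecretKey desede = KeyGenerator.getInstance("DESede").generateKey();
        // A secret key has no public half, so the chain argument is null;
        // the JDK only requires a chain when the key is a PrivateKey.
        ks.setKeyEntry(alias, desede, password, null);
        return ks;
    }

    /**
     * Returns null when the alias can back an X.509 Signature action,
     * otherwise a short reason why it cannot.
     */
    static String whyNotSignable(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias not found";
        }
        // isKeyEntry() is true for BOTH PrivateKeyEntry and SecretKeyEntry, so it does
        // not prove a certificate exists. The JDK itself classifies a SecretKeyEntry as
        // "isKeyEntry && getCertificate == null", i.e. exactly Point A plus Point B.
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            return "alias is a SecretKeyEntry (symmetric key, no certificate chain)";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "no certificate chain for alias";
        }
        Key key = ks.getKey(alias, keyPassword);
        if (!(key instanceof PrivateKey)) {
            return "entry holds no private key";
        }
        return null; // a PrivateKeyEntry with a chain, e.g. from keytool -genkeypair
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();   // constructed sample password
        KeyStore ks = secretKeyOnlyStore("bob", pw);
        // These mirror the fields Erik printed from CryptoBase#getCertificates.
        System.out.println("containsAlias [" + ks.containsAlias("bob") + "]");
        System.out.println("isKeyEntry    [" + ks.isKeyEntry("bob") + "]");
        System.out.println("chain         [" + ks.getCertificateChain("bob") + "]");
        System.out.println("key algo      [" + ks.getKey("bob", pw).getAlgorithm() + "]");
        System.out.println("preflight     [" + whyNotSignable(ks, "bob", pw) + "]");
    }
}
```

Running the preflight against the real bob.jks before wiring it into WSS4J turns the opaque "Unexpected number of X509Data" into a direct statement about the keystore entry type.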