Posted to fx-dev@ws.apache.org by Dittmann Werner <we...@siemens.com> on 2004/03/08 15:33:02 UTC

AW: what information from crypto.properties is used for signing in WSSignEnvelope?

Maciek,

the X.509 certificates hold public keys and some
other information to link to trusted certificates
(from Certificate Authorities, CA). The according
private key is not stored in the X.509 certificate
but in the keystore. Of course, the private key
is encrypted in the keystore (that's why we need
a password to read the private key). Currently
we support 2 keystore formats: Sun's JKS and
PKCS#12 (p12).

Yes, WSS4J supports X.509 to exchange key 
information. If you want to use a so called
"shared secret", that is a password (key) that
you have previously agreed with your partner, then
consider using "EmbeddedKey". Here we do not
need an X.509 certificate but WSS4J uses the
password to generate the symmetric key to
encrypt the data. This, however, is for encryption
only, not signature. Pls refer to WSSecurityTest9.

Regards,
Werner

> -----Original Message-----
> From: Maciek Zywno [mailto:m.zywno@amg.net.pl]
> Sent: Monday, 8 March 2004 15:09
> To: fx-dev@ws.apache.org
> Subject: Re: what information from crypto.properties is used
> for signing in WSSignEnvelope?
> 
> 
> Yves Langisch wrote:
> 
> > Maciek,
> >
> > There is a good 'cookbook' in the source directory when you use it 
> > with Axis:
> >
> > src/org/apache/ws/axis/security/package.html
> >
> > It helped me a lot.
> >
> > Regards,
> > Yves
> 
> Thanks very much, it helped a lot, but I have another question.
> 
> If I properly understood, in all examples in the 'cookbook' a
> public key for encryption and a private key for signing/encryption
> is taken from an X.509 certificate, i.e. the wsdd deployment file
> specifies some crypto.properties file. This would suggest that the
> X.509 format is the only one (in case of wss4j) that can hold such
> data used for security purposes like private and public keys. I am
> not an expert in security - only wanted to add this layer for my
> webservice - so maybe my question is not really sensible - but could
> I store private and public keys not only in X.509 certificates? Does
> it make sense?
> 
> Thanks for any suggestions,
> 
> Maciek
> 
> 

Re: AW: what information from crypto.properties is used for signing in WSSignEnvelope?

Posted by Maciek Zywno <m....@amg.net.pl>.
Dittmann Werner wrote:

Thanks!
It's getting more and more clear.

Interface Crypto is used both for:

- getting private key from a keystore
- getting X.509 certificate

I guess that the first method is used by a *server* that has in its 
crypto.properties file the needed alias and password to get to the keystore. 
The second method is used by a *client* to get a public key from a 
certificate to encrypt a message to be sent to the server.  A path to a 
certificate is placed also in the crypto.properties file (or any other 
specified in the wsdd file). Unless I get it wrong, interface Crypto is 
called both by a client and a server but for different methods - why are 
they mixed, i.e. why not create separate classes, a kind of.. 
CryptoForClient and CryptoForServer?

Thanks once again for all your responses.

BTW: What did you mean by WSSecurityTest9? I googled for it but 
couldn't find it.
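The two uses of the Crypto interface Maciek lists, and the split Werner describes between the password-protected private key in a JKS/PKCS#12 keystore and the public key carried in the X.509 certificate, shown with the plain JDK `java.security` API rather than WSS4J's own classes. This is an added example, not code from the thread or from WSS4J; the file names, keystore type, alias, passwords and the RSA/SHA-256 signature algorithm are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** What crypto.properties points at: a keystore holding the encrypted private key
 *  and a certificate holding the public key. All paths/passwords are placeholders. */
public class KeystoreCertDemo {

    /** Server side: open the keystore and unlock the private key entry. */
    static PrivateKey loadPrivateKey(String path, String type, char[] storePass,
                                     String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);        // "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                      // store password opens the file
        }
        // the key password decrypts the private key itself (may differ from storePass)
        return (PrivateKey) ks.getKey(alias, keyPass);
    }

    /** Client side: only the exported certificate is needed; it carries the public key. */
    static X509Certificate loadCertificate(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(cerPath)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Deployment check: the private key the server signs with must correspond to the
     *  public key in the certificate handed to the client (assumes an RSA key pair). */
    static boolean keyPairMatches(PrivateKey priv, X509Certificate cert) throws Exception {
        byte[] msg = "wss4j key check".getBytes("UTF-8");   // constructed test input
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        PrivateKey priv = loadPrivateKey("server.jks", "JKS", "storepass".toCharArray(),
                                         "serverkey", "keypass".toCharArray());
        X509Certificate cert = loadCertificate("server.cer");   // exported via keytool
        System.out.println("private key matches certificate: " + keyPairMatches(priv, cert));
    }
}
```

A single KeyStore object serves both roles, which is why one Crypto abstraction can back both the server's private-key lookup and the client's certificate lookup; only the properties file decides which entries a given side can actually unlock.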