ws-users mailing list archives

From "Adrian Williamson" ...@octavo2.demon.co.uk>
Subject RE: Does anyone have an example of using WSSecEncrypt.setUseThisCert()
Date Fri, 08 Aug 2014 10:09:38 GMT
Hi Colm,

This is what worked in the end for me. I’m now trying to work out how to get back to SOAP from the server response, i.e. I’m writing decodeSOAP.

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPPart;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.SOAPConstants;          // WSS4J 2.0.x package layout
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Document;

// keysRSA (the caller's own keystore wrapper) and this.crypto (a WSS4J Crypto instance)
// are fields of the enclosing class and are not shown in this snippet.
private SOAPMessage encodeSOAP(SOAPMessage soapMessage) throws Exception {

    SOAPPart soapPart = soapMessage.getSOAPPart();
    SOAPEnvelope soapEnvelope = soapPart.getEnvelope();

    // Might be a workaround to the fact the WSDL has ws.live.ie and we are using ws.test.ie etc
    soapEnvelope.addNamespaceDeclaration("dl", "http://ws.live.ie/v1/DL-WS/");

    WSSecEncrypt builder = new WSSecEncrypt();
    WSSecTimestamp builderTS = new WSSecTimestamp();
    WSSecSignature builderSig = new WSSecSignature();

    // Recipient's certificate: its public key wraps the symmetric key (key transport).
    X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
    // Our certificate: carried in the header as a BinarySecurityToken and used for signing.
    X509Certificate ourCert = (X509Certificate) keysRSA.getks().getCertificate("wsstest");

    builder.setUseThisCert(recipientCert);
    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
    // Symmetric cipher for the Body only; the key-transport algorithm keeps its default.
    // TRIPLE_DES is a legacy choice; WSConstants.AES_128 / AES_256 are the current ones.
    builder.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
    builderTS.setTimeToLive(5000);

    Document doc = soapEnvelope.getOwnerDocument();
    WSSecHeader secHeader = new WSSecHeader();
    secHeader.insertSecurityHeader(doc);

    { // Sign the Timestamp and the Body; this block replaces builderSig.build(doc, crypto, secHeader)
        builderSig.setX509Certificate(ourCert);
        // Alias and keystore password are required to load the private key that signs.
        builderSig.setUserInfo("wsstest", "password1");
        builderSig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);

        SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        List<WSEncryptionPart> wsEncryptionParts = new ArrayList<WSEncryptionPart>();
        WSEncryptionPart wsEncryptionPart = new WSEncryptionPart(soapConstants.getBodyQName().getLocalPart(),
                                                                 soapConstants.getEnvelopeURI(),
                                                                 "Content");
        wsEncryptionParts.add(wsEncryptionPart);

        builderTS.build(doc, secHeader);
        wsEncryptionParts.add(new WSEncryptionPart(builderTS.getId()));

        builderSig.setParts(wsEncryptionParts);
        builderSig.setUseSingleCertificate(true);
        builderSig.prepare(doc, this.crypto, secHeader);
        builderSig.appendBSTElementToHeader(secHeader);
        List<Reference> referenceList = builderSig.addReferencesToSign(wsEncryptionParts, secHeader);
        builderSig.computeSignature(referenceList);
    }

    // Encrypt the Body after signing; the EncryptedKey is added to the same Security header.
    try {
        builder.build(doc, this.crypto, secHeader);
    }
    catch (WSSecurityException e) {
        System.err.println("Failed in builder block: " + e.getMessage());
        e.printStackTrace();
        System.exit(1);
    }

    return soapMessage;
}


From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: 08 August 2014 10:56
To: Adrian Williamson
Cc: users@ws.apache.org
Subject: Re: Does anyone have an example of using WSSecEncrypt.setUseThisCert()

 

 

> builder.setKeyEnc(WSConstants.TRIPLE_DES);
>  builder.setEncryptSymmKey(false);

This is not valid. Triple Des is a symmetric encryption algorithm, and not a key transport
algorithm. Also, you want to encrypt the symmetric key here (using the X.509 Certificate).
So just comment out the "setEncryptSymmKey(false)" call + change "setKeyEnc" to "setSymmetricEncAlgorithm"
and it should work.

> Should the WSSecSignature.setX509Certificate method take care of that?

No, because you need to specify a username + password as well to access the private key required
to sign the request.

Colm.

On Wed, Aug 6, 2014 at 4:57 PM, Adrian Williamson <aw@octavo2.demon.co.uk> wrote:

Hi,

I believe that I am using WSS4J 2.0.2; if you have a specific process for understanding the version please don’t be shy – I’ll use it, then we both know that I will have given the correct info.

By core do you mean the JDK? If so then:

java version "1.7.0_55"
Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)

That error in particular I have avoided by using BST_DIRECT_REFERENCE. I’m afraid I was doing that two-year-old learning technique of pressing all the buttons at once, so I might have been the cause of the error – not knowing my apples from pears:

    //This gives Error when calling DDOperation: An invalid security token was provided (Bad ValueType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")

    java.security.cert.X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
    Document doc = soapEnvelope.getOwnerDocument();
    org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();

    builder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
    builder.setKeyEnc(WSConstants.TRIPLE_DES);
    builder.setEncryptSymmKey(false);
    builder.setUseThisCert(recipientCert);

    try
    {
        secHeader.insertSecurityHeader(doc);
        builder.build(doc, crypto, secHeader);
    }
    catch (WSSecurityException e)

So I am not too worried about that as I have moved on.

I did find another issue with the WSSecSignature: when using WSSecSignature.setX509Certificate and then calling WSSecSignature.build it throws a null identifier (merlin.java:744) for the GetPrivateKey(), as the calling context WSSecSignature.java:530 had this.user set to null. I worked out that if I used WSSecSignature.setUserInfo and passed in the alias and the JKS password then it stopped moaning and got on with it.

Should the WSSecSignature.setX509Certificate method take care of that?

My work in progress/prototype is below; I’m trying to mimic the SOAPUI WSS specification:

I’ll go and look at those examples.

Cheers,

Adrian

PS Bonus points for identifying Cargo Cult sections….

import java.security.cert.X509Certificate;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPPart;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.w3c.dom.Document;

// keysRSA is the poster's own keystore wrapper and is not part of this snippet.
private SOAPMessage encriptBody(SOAPMessage soapMessage) throws Exception {
    SOAPPart soapPart = soapMessage.getSOAPPart();
    SOAPEnvelope soapEnvelope = soapPart.getEnvelope();

    WSSecEncrypt builder = new WSSecEncrypt();
    WSSecTimestamp builderTS = new WSSecTimestamp();
    WSSecSignature builderSig = new WSSecSignature();

    Crypto crypto = null;
    //Class constructor candidates
    try {
        //Where will I put the properties file?
        crypto = CryptoFactory.getInstance("Ball.properties");
    }
    catch (WSSecurityException e)
    {
        System.err.println("Crypto crypto = CryptoFactory.getInstance(\"Ball.properties\"): " + e.getMessage());
        throw e; // without a Crypto instance the build() calls below would fail on a null crypto
    }
    // Recipient's certificate wraps the symmetric key; our certificate signs the request.
    X509Certificate recipientCert = (X509Certificate) keysRSA.getks().getCertificate("wsstestservice");
    X509Certificate ourCert = (X509Certificate) keysRSA.getks().getCertificate("wsclientcert");

    builder.setUseThisCert(recipientCert);
    builderSig.setX509Certificate(ourCert);

    builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
    builderTS.setTimeToLive(5000);
    builderSig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
    // Alias and keystore password let WSS4J load the private key for signing.
    builderSig.setUserInfo("wsclientcert", "password1");
    //End Class constructor candidates

    Document doc = soapEnvelope.getOwnerDocument();
    WSSecHeader secHeader = new WSSecHeader();

    try
    {
        secHeader.insertSecurityHeader(doc);
        builderTS.build(doc, secHeader);
        builderSig.build(doc, crypto, secHeader);
        builder.build(doc, crypto, secHeader);
    }
    catch (WSSecurityException e)
    {
        System.err.println("Failed in builder block: " + e.getMessage());
        e.printStackTrace();
        System.exit(1);
    }

    return soapMessage;
}


From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: 06 August 2014 15:48
To: users@ws.apache.org
Subject: Re: Does anyone have an example of using WSSecEncrypt.setUseThisCert()

 

 

Here are some:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CryptoProviderTest.java?revision=1503186&view=co

What version of WSS4J? What does the request look like that is generating that error + what
core are you using to generate it?

Colm.

On Wed, Aug 6, 2014 at 9:35 AM, Adrian Williamson <aw@octavo2.demon.co.uk> wrote:

Hi,

Has anyone got an example of how this method can be used?

I've been trying different values for the WSSecEncrypt.setKeyIdentifierType() but
I keep getting application specific error messages back from the private
service I'm calling.

One of the error messages made me stop and ponder the extent of my
ignorance; with WSConstants.X509_KEY_IDENTIFIER it returned:

An invalid security token was provided (Bad ValueType
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")

So I thought if someone had a nice little test case that used an X509
certificate to encrypt it might help me along.

So I can see how it is supposed to be done.

Thanks

Adrian

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

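Colm's point about setKeyEnc(WSConstants.TRIPLE_DES) and setEncryptSymmKey(false) is easiest to confirm on the envelope WSSecEncrypt actually produces: the Security header should carry an xenc:EncryptedKey wrapped with a key-transport algorithm such as RSA-OAEP, referencing the EncryptedData in the Body, while the symmetric cipher (TRIPLE_DES here) appears only on the EncryptedData. The script below is an added example, not code from this thread or from WSS4J; it checks a serialized envelope for exactly that, using a constructed sample with placeholder CipherValues, and flags 3DES and RSA-1_5 as legacy choices.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 / WS-Security 1.0 / XML Encryption
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Key-transport algorithms belong on xenc:EncryptedKey, symmetric ciphers on xenc:EncryptedData.
# WSConstants.TRIPLE_DES is tripledes-cbc: a symmetric cipher, never a key-transport algorithm.
KEY_TRANSPORT = {NS["xenc"] + "rsa-oaep-mgf1p": "ok", NS["xenc"] + "rsa-1_5": "legacy"}
SYMMETRIC = {NS["xenc"] + "aes256-cbc": "ok", NS["xenc"] + "aes128-cbc": "ok",
             NS["xenc"] + "tripledes-cbc": "legacy"}

def check_envelope(xml_text):
    """Return a list of findings for an encrypted SOAP envelope; an empty list passes."""
    root = ET.fromstring(xml_text)
    findings = []
    enc_key = root.find("soap:Header/wsse:Security/xenc:EncryptedKey", NS)
    if enc_key is None:  # nothing wraps the session key for the recipient's certificate
        findings.append("no xenc:EncryptedKey in Security header: symmetric key was not wrapped")
    else:
        alg = enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm")
        status = KEY_TRANSPORT.get(alg)
        if status is None:
            findings.append("EncryptedKey uses %s, which is not a key-transport algorithm" % alg)
        elif status == "legacy":
            findings.append("EncryptedKey uses legacy key transport " + alg)
    enc_data = root.find("soap:Body/xenc:EncryptedData", NS)
    if enc_data is None:
        return findings + ["Body is not encrypted"]
    alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    status = SYMMETRIC.get(alg)
    if status is None:
        findings.append("EncryptedData uses %s, which is not a symmetric cipher" % alg)
    elif status == "legacy":
        findings.append("EncryptedData uses legacy cipher " + alg)
    refs = [r.get("URI") for r in root.iterfind(".//xenc:DataReference", NS)]  # key -> data link
    if "#" + (enc_data.get("Id") or "") not in refs:
        findings.append("no DataReference from EncryptedKey to the Body's EncryptedData")
    return findings

def sample_envelope(key_alg, data_alg):
    """Constructed sample shaped like WSSecEncrypt output; CipherValues are placeholder base64."""
    vals = dict(NS, key_alg=key_alg, data_alg=data_alg)
    return ("<soap:Envelope xmlns:soap='%(soap)s' xmlns:wsse='%(wsse)s' xmlns:xenc='%(xenc)s'>"
            "<soap:Header><wsse:Security><xenc:EncryptedKey Id='EK-1'>"
            "<xenc:EncryptionMethod Algorithm='%(key_alg)s'/><xenc:CipherData><xenc:CipherValue>"
            "QUJD</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference "
            "URI='#ED-1'/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></soap:Header>"
            "<soap:Body><xenc:EncryptedData Id='ED-1' Type='%(xenc)sContent'><xenc:EncryptionMethod "
            "Algorithm='%(data_alg)s'/><xenc:CipherData><xenc:CipherValue>REVG</xenc:CipherValue>"
            "</xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>") % vals
```

Run check_envelope() on the string form of the Document returned by builder.build() to see the same findings for a real request.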