From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Does anyone have an example of using WSSecEncrypt.setUseThisCert()
Date Fri, 08 Aug 2014 09:55:37 GMT
> builder.setKeyEnc(WSConstants.TRIPLE_DES);
> builder.setEncryptSymmKey(false);

This is not valid. Triple DES is a symmetric encryption algorithm, and not
a key transport algorithm. Also, you want to encrypt the symmetric key here
(using the X.509 Certificate). So just comment out the
"setEncryptSymmKey(false)" call + change "setKeyEnc" to
"setSymmetricEncAlgorithm" and it should work.

> Should the WSSecSignature.setX509Certificate method take care of that?

No, because you need to specify a username + password as well to access the
private key required to sign the request.

Colm.

On Wed, Aug 6, 2014 at 4:57 PM, Adrian Williamson <aw@octavo2.demon.co.uk>
wrote:

> Hi,
>
> I believe that I am using WSS4J 2.0.2, if you have a specific process for
> understanding the version please don’t be shy – I’ll use it then we both
> know that I will have given the correct info.
>
> By core do you mean the JDK? If so then:
>
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> That error in particular I have avoided by using BST_DIRECT_REFERENCE. I’m
> afraid I was doing that two-year-old learning technique of pressing all the
> buttons at once, so I might have been the cause of the error – not knowing
> my apples from pears:
>
>     // This gives Error when calling DDOperation: An invalid security token
>     // was provided (Bad ValueType
>     // "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
>
>     java.security.cert.X509Certificate recipientCert = (X509Certificate)
>         keysRSA.getks().getCertificate("wsstestservice");
>     Document doc = soapEnvelope.getOwnerDocument();
>     org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();
>
>     builder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
>     builder.setKeyEnc(WSConstants.TRIPLE_DES);
>     builder.setEncryptSymmKey(false);
>     builder.setUseThisCert(recipientCert);
>
>     try
>     {
>         secHeader.insertSecurityHeader(doc);
>         builder.build(doc, crypto, secHeader);
>     }
>     catch (WSSecurityException e)
>
> So I am not too worried about that as I have moved on.
>
> I did find another issue with the WSSecSignature, when using the
> WSSecSignature.setX509Certificate and then calling WSSecSignature.build it
> threw a null identifier (Merlin.java:744) for the getPrivateKey() as the
> calling context WSSecSignature.java:530 had this.user set to null. I worked
> out that if I used WSSecSignature.setUserInfo and passed in the alias and
> the JKS password then it stopped moaning and got on with it.
>
> Should the WSSecSignature.setX509Certificate method take care of that?
>
> My work in progress/prototype is below, I’m trying to mimic the SOAPUI WSS
> specification:
>
> I’ll go and look at those examples.
>
> Cheers,
>
> Adrian
>
> PS Bonus points for identifying Cargo Cult sections….
>
> private SOAPMessage encriptBody(SOAPMessage soapMessage) throws Exception
> {
>     SOAPPart soapPart = soapMessage.getSOAPPart();
>     SOAPEnvelope soapEnvelope = soapPart.getEnvelope();
>
>     WSSecEncrypt builder = new WSSecEncrypt();
>     WSSecTimestamp builderTS = new WSSecTimestamp();
>     WSSecSignature builderSig = new WSSecSignature();
>
>     Crypto crypto = null;
>     //Class constructor candidates
>     try {
>         //Where will I put the properties file?
>         crypto = CryptoFactory.getInstance("Ball.properties");
>     }
>     catch (WSSecurityException e)
>     {
>         System.err.println("Crypto crypto = CryptoFactory.getInstance(\"Ball.properties\"): " + e.getMessage());
>     }
>     java.security.cert.X509Certificate recipientCert = (X509Certificate)
>         keysRSA.getks().getCertificate("wsstestservice");
>     java.security.cert.X509Certificate ourCert = (X509Certificate)
>         keysRSA.getks().getCertificate("wsclientcert");
>
>     builder.setUseThisCert(recipientCert);
>     builderSig.setX509Certificate(ourCert);
>
>     builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>     builderTS.setTimeToLive(5000);
>     builderSig.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
>     builderSig.setUserInfo("wsclientcert", "password1");
>     //End Class constructor candidates
>
>     Document doc = soapEnvelope.getOwnerDocument();
>     org.apache.wss4j.dom.message.WSSecHeader secHeader = new WSSecHeader();
>
>     try
>     {
>         secHeader.insertSecurityHeader(doc);
>         builderTS.build(doc, secHeader);
>         builderSig.build(doc, crypto, secHeader);
>         builder.build(doc, crypto, secHeader);
>     }
>     catch (WSSecurityException e)
>     {
>         System.err.println("Failed in builder block: " + e.getMessage());
>         e.printStackTrace();
>         System.exit(1);
>     }
>
>     return soapMessage;
> }
>
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: 06 August 2014 15:48
> To: users@ws.apache.org
> Subject: Re: Does anyone have an example of using
> WSSecEncrypt.setUseThisCert()
>
> Here are some:
>
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CryptoProviderTest.java?revision=1503186&view=co
>
> What version of WSS4J? What does the request look like that is generating
> that error + what core are you using to generate it?
>
> Colm.
>
> On Wed, Aug 6, 2014 at 9:35 AM, Adrian Williamson <aw@octavo2.demon.co.uk>
> wrote:
>
> Hi,
>
> Has anyone got an example of how this method can be used?
>
> I've been trying different values for the WSSecEncrypt.setKeyIdentifierType()
> but I keep getting application specific error messages back from the private
> service I'm calling.
>
> One of the error messages made me stop and ponder the extent of my
> ignorance;
>
> With WSConstants.X509_KEY_IDENTIFIER it returned:
>
> An invalid security token was provided (Bad ValueType
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3")
>
> So I thought if someone had a nice little test case that used an X509
> certificate to encrypt it might help me along.
>
> So I can see how it is supposed to be done.
>
> Thanks
>
> Adrian
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
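Added worked example (editorial addition; this is not code from the thread, from the poster, or from the WSS4J project): the timestamp + sign + encrypt sequence the poster is trying to build, written against the WSS4J 2.0.x DOM API that the thread uses (WSSecHeader.insertSecurityHeader(doc), build(doc, crypto, secHeader); later WSS4J releases changed these constructors), with the two corrections from the reply applied. The symmetric algorithm is set with setSymmetricEncAlgorithm, the key-transport step is left on (the symmetric key is wrapped under the recipient's RSA public key in an EncryptedKey), and the signing key is unlocked with setUserInfo. Assumptions, all mine and not from the page: the Merlin properties file name client-crypto.properties and its contents, the choice of AES-128 and RSA-OAEP, and that the aliases wsclientcert and wsstestservice from the poster's code exist in the keystore that file points at. The private-key password is passed in rather than hard-coded.

```java
import java.security.cert.X509Certificate;

import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.w3c.dom.Document;

/**
 * Timestamp, sign and encrypt a SOAP message with the WSS4J 2.0.x DOM API.
 *
 * Assumed (hypothetical) configuration, not taken from the thread:
 *   client-crypto.properties  - Merlin properties file on the classpath, e.g.
 *     org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
 *     org.apache.wss4j.crypto.merlin.keystore.type=jks
 *     org.apache.wss4j.crypto.merlin.keystore.password=<keystore password>
 *     org.apache.wss4j.crypto.merlin.keystore.file=client.jks
 *   The aliases below come from the poster's code and are assumed to be in that keystore.
 */
public final class SecureSoapClient {

    private static final String CRYPTO_PROPERTIES = "client-crypto.properties"; // assumed name
    private static final String SIGNING_ALIAS = "wsclientcert";    // our key pair
    private static final String RECIPIENT_ALIAS = "wsstestservice"; // service's certificate

    private SecureSoapClient() {}

    public static SOAPMessage secure(SOAPMessage message, String privateKeyPassword)
            throws WSSecurityException, SOAPException {
        Document doc = message.getSOAPPart().getEnvelope().getOwnerDocument();
        Crypto crypto = CryptoFactory.getInstance(CRYPTO_PROPERTIES);

        // Resolve the recipient certificate through the same Crypto instance instead of a
        // second, hand-rolled KeyStore: one place to configure trust, one place to audit.
        CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
        byAlias.setAlias(RECIPIENT_ALIAS);
        X509Certificate[] recipientCerts = crypto.getX509Certificates(byAlias);
        if (recipientCerts == null || recipientCerts.length == 0) {
            throw new IllegalStateException("no certificate for alias " + RECIPIENT_ALIAS);
        }

        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);

        // Timestamp: TimeToLive is in seconds (5000 would be over 80 minutes). Keep it short
        // so a captured message cannot be replayed for long.
        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setTimeToLive(300);
        timestamp.build(doc, secHeader);

        // Signature: setUserInfo is what lets Merlin load the private key; a certificate on
        // its own only says which key to reference, it cannot unlock it.
        WSSecSignature signature = new WSSecSignature();
        signature.setUserInfo(SIGNING_ALIAS, privateKeyPassword);
        signature.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        signature.setSignatureAlgorithm(WSConstants.RSA_SHA256);
        signature.setDigestAlgo(WSConstants.SHA256);
        signature.build(doc, crypto, secHeader);

        // Encryption: a fresh AES-128 key encrypts the Body content (the default part); that
        // key is then wrapped under the recipient's RSA public key (RSA-OAEP) and carried in
        // xenc:EncryptedKey. Triple DES is a data-encryption algorithm, not a key-transport
        // one, and setEncryptSymmKey(false) would omit the EncryptedKey entirely, leaving the
        // recipient no way to recover the key.
        WSSecEncrypt encrypt = new WSSecEncrypt();
        encrypt.setUseThisCert(recipientCerts[0]);
        encrypt.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        encrypt.setSymmetricEncAlgorithm(WSConstants.AES_128);
        encrypt.setKeyEncAlgo(WSConstants.KEYTRANSPORT_RSAOEP);
        encrypt.build(doc, crypto, secHeader);

        // Each build() prepends to wsse:Security, so the header reads EncryptedKey,
        // Signature, Timestamp. A receiver processing top-down decrypts first and then
        // verifies the signature over the plaintext Body: "sign then encrypt".
        message.saveChanges();
        return message;
    }
}
```

Two checks worth doing on the output before sending it to the service: inspect the wsse:Security header and confirm the xenc:EncryptedKey element carries the RSA-OAEP EncryptionMethod and that the xenc:EncryptedData inside the Body names AES-128, and confirm the signature's wsse:SecurityTokenReference uses a direct reference to the wsse:BinarySecurityToken, since a BST_DIRECT_REFERENCE was the identifier type the service accepted in the thread.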
