Hi Nate,

The client's public key is stored in the message context (in the receiver results, WSHandlerConstants.RECV_RESULTS) and retrieved later to encrypt the outgoing message (by the WSDoAllSender):

WSDoAllSender - private void handleSpecialUser(RequestData reqData)

Therefore if the client sending the incoming message uses a trusted cert then the outgoing message will be encrypted with that cert.

But there's a trust verification part that happens at the service (by the WSDoAllReceiver):

verifyTrust(X509Certificate cert, RequestData reqData) throws AxisFault

This requires the client cert to be in the keystore of the service. I guess you can change this ONLY IF you want to trust all the requests AND if you don't have each client's cert with you.

Best regards,
Ruchith

On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
> Hello again Werner,
>
> So I fixed my encryption problem. I totally read the documentation
> wrong. I just needed to supply the encryptionUser in the wsdd, which
> makes perfect sense in hindsight :) Thanks for getting me thinking :)
>
> New Related Problem:
>
> This works great for request flows from the client to the web service
> since there is only one service the client is talking to (multiple
> clients talk to this service) and the client can just insert the service
> as the encryptionUser.
> And it works for responses from the service to
> the client when I hardcode the client as the encryptionUser in the
> server.wsdd like follows:
>
> <responseFlow>
>   <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
>     <parameter name="user" value="groupsserver"/>
>     <parameter name="passwordCallbackClass"
>                value="edu.iu.uis.osg.security.PWCallback"/>
>     <parameter name="encryptionUser" value="xxappclient"/>
>     <parameter name="action" value="Signature Encrypt"/>
>     <parameter name="signaturePropFile"
>                value="server-crypto.properties" />
>     <parameter name="signatureKeyIdentifier" value="DirectReference" />
>     <parameter name="encryptionKeyIdentifier"
>                value="X509KeyIdentifier" />
>   </handler>
> </responseFlow>
>
> But there are many clients, so is there some way for my server to
> determine who is calling it and encrypt the response back to it with the
> correct public key?
>
> Thanks yet again!
> Nate
>
>
> Nathaniel A. Johnson wrote:
> > Hi Werner,
> >
> > Your description of signatures and encryption with key pairs makes
> > perfect sense. It did get me thinking of something I figured was just
> > happening behind the scenes somewhere, which is that the client "just
> > knew" to use the server's public key to do the encrypting. Is there
> > some config setting, property file or what not, that should be set so
> > that the client knows to use the server's public key to encrypt with?
> > In the client.wsdd there are signaturePropFile and possibly
> > encryptionPropFile and decryptionPropFile properties, but those files
> > all have passwords in them, so I can't allow the client to see the
> > server files, right?
> >
> > I must just be missing where I tell the client what to use for
> > encryption... any help would be great!
> >
> > Thanks!
> > Nate
> >
> > PS: Signatures are working great for me, both in the request and
> > response flows of the service, so I at least have half of it working :)
> >
> >
> > Dittmann Werner wrote:
> >>> Nate,
> >>>
> >>> both the Client and the Server use the Merlin calls to access
> >>> the keystore and to deal with certificates.
> >>>
> >>> If you do Signature then the client needs _its_ private
> >>> key to sign, the server needs the client's public key
> >>> to verify.
> >>>
> >>> If you encrypt then the client uses the _server's
> >>> public_ key to encrypt the symmetric session key, the
> >>> server uses _its_ private key to decrypt the session
> >>> key. Thus, the case you are describing is probably
> >>> a problem in the deployment - if you use Encryption
> >>> then you must use the server's certificate to do so
> >>> (the certificate contains the public key). To me it
> >>> seems that you specified the client's certificate to do
> >>> encryption.
> >>>
> >>> Regards,
> >>> Werner
> >>>
> >>>> -----Original Message-----
> >>>> From: Nathaniel A. Johnson [mailto:[EMAIL PROTECTED]
> >>>> Sent: Wednesday, 1 June 2005 16:54
> >>>> To: [email protected]
> >>>> Subject: encryption not asking for the right private key
> >>>>
> >>>> hi all,
> >>>>
> >>>> i just posted this over on the axis list, but realized it's probably
> >>>> better suited for the wss4j dev list... sorry for the cross post for
> >>>> those of you that are on both lists...
> >>>>
> >>>> i have been stepping through the axis and wss4j code and am at a loss.
> >>>> here is the code it is getting to (inside Merlin.java):
> >>>>
> >>>> public PrivateKey getPrivateKey(String alias, String password)
> >>>>         throws Exception {
> >>>>     if (alias == null) {
> >>>>         throw new Exception("alias is null");
> >>>>     }
> >>>>     boolean b = keystore.isKeyEntry(alias);
> >>>>     if (!b) {
> >>>>         log.error("Cannot find key for alias: " + alias);
> >>>>         throw new Exception("Cannot find key for alias: " + alias);
> >>>>     }
> >>>>     Key keyTmp = keystore.getKey(alias, password.toCharArray());
> >>>>     if (!(keyTmp instanceof PrivateKey)) {
> >>>>         throw new Exception("Key is not a private key, alias: " + alias);
> >>>>     }
> >>>>     return (PrivateKey) keyTmp;
> >>>> }
> >>>>
> >>>> this is when the client calls to the service. the client is
> >>>> sending an encrypted/signed message. what's happening is the server
> >>>> (web service) is trying to get the private key for the client. that
> >>>> just doesn't make sense. the server will not have a keyEntry (private
> >>>> key) for the client, just public keys.
> >>>>
> >>>> does anyone have any idea where i might be going wrong? i have been
> >>>> looking at this problem for over a week now, so maybe i am just
> >>>> missing something? i feel like i am going crazy.
> >>>>
> >>>> thanks
> >>>> nate
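The key roles Werner spells out above (sign with your own private key, wrap the session key with the recipient's public key, decrypt with your own private key) and Ruchith's point that the service can encrypt its reply to whichever certificate signed the request, shown together in one stand-alone example. This is added illustration code written in plain JCA, not WSS4J, Merlin or anything from the thread's deployment: RSA KeyPairs stand in for X.509 certificates, a List of public keys stands in for the service keystore that verifyTrust consults, and the Envelope message format is invented for the demo. The last step reproduces the misconfiguration from Nate's first mail, a request encrypted to the client's own certificate, which the service cannot decrypt because it holds no private key for it.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Sign-then-encrypt with the key roles from the thread. Stand-alone JCA demo, not WSS4J code. */
public class SignEncryptRoles {

    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Invented wire format: the signer's public key (WS-Security would carry the signer's X.509
     *  certificate here), the signature over the body, the wrapped AES session key, IV, ciphertext. */
    static final class Envelope {
        final PublicKey signer; final byte[] signature, wrappedKey, iv, ciphertext;
        Envelope(PublicKey signer, byte[] signature, byte[] wrappedKey, byte[] iv, byte[] ciphertext) {
            this.signer = signer; this.signature = signature; this.wrappedKey = wrappedKey;
            this.iv = iv; this.ciphertext = ciphertext;
        }
    }

    /** Sender ("Signature Encrypt"): sign with OUR private key, encrypt to the RECIPIENT's public key. */
    static Envelope seal(KeyPair sender, PublicKey recipient, byte[] body) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(sender.getPrivate());
        sig.update(body);
        byte[] signature = sig.sign();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();          // fresh symmetric session key per message
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(body);

        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, recipient);         // only the recipient's private key can unwrap this
        return new Envelope(sender.getPublic(), signature, rsa.wrap(session), iv, ciphertext);
    }

    /** Receiver: trust check on the signer, unwrap with OUR private key, verify with the SIGNER's public key. */
    static byte[] open(Envelope env, KeyPair me, List<PublicKey> trusted) throws GeneralSecurityException {
        // Analogue of WSDoAllReceiver.verifyTrust: the signer must be present in our keystore.
        boolean known = trusted.stream().anyMatch(k -> Arrays.equals(k.getEncoded(), env.signer.getEncoded()));
        if (!known) throw new GeneralSecurityException("signer is not in the trust store");

        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, me.getPrivate());
        Key session = rsa.unwrap(env.wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, env.iv));
        byte[] body = aes.doFinal(env.ciphertext);

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(env.signer);
        sig.update(body);
        if (!sig.verify(env.signature)) throw new SignatureException("signature does not verify");
        return body;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair service = kpg.generateKeyPair(), clientA = kpg.generateKeyPair(), clientB = kpg.generateKeyPair();
        // Constructed stand-in for the service keystore's trusted client certs (both clients enrolled).
        List<PublicKey> serviceTrust = Arrays.asList(clientA.getPublic(), clientB.getPublic());
        List<PublicKey> clientTrust = Arrays.asList(service.getPublic());

        // Request: client A signs with its private key and encrypts to the service's public key.
        Envelope request = seal(clientA, service.getPublic(), "lookup groups".getBytes(StandardCharsets.UTF_8));
        byte[] body = open(request, service, serviceTrust);

        // Response: instead of a hardcoded encryptionUser, encrypt back to whoever signed the request,
        // i.e. the key recovered from the incoming message (what RECV_RESULTS holds in wss4j).
        byte[] reply = ("ok: " + new String(body, StandardCharsets.UTF_8)).getBytes(StandardCharsets.UTF_8);
        Envelope response = seal(service, request.signer, reply);
        System.out.println(new String(open(response, clientA, clientTrust), StandardCharsets.UTF_8));

        // The misconfiguration from the thread: a request encrypted to the CLIENT's own cert.
        // The service holds no private key for it, so unwrapping the session key fails.
        Envelope wrong = seal(clientA, clientA.getPublic(), "oops".getBytes(StandardCharsets.UTF_8));
        try {
            open(wrong, service, serviceTrust);
        } catch (GeneralSecurityException e) {
            System.out.println("service cannot decrypt a message encrypted to the client: "
                    + e.getClass().getSimpleName());
        }
    }
}
```

The trust check runs before any decryption so that an unknown signer is rejected without the service doing private-key work on its behalf, which is the same ordering Ruchith describes: verifyTrust at the receiver first, and only then is the signer's certificate kept around for the response flow.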
