-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ruchith Fernando wrote:
> Hi Nate,
>
> Hmmm... I'm not sure why it's not in the code base
> I guess we can include this change since if someone wants to override
> the encrypting cert for the response message, it can be done
> dynamically at the service OR it can be done at the server-config.wsdd
Yeah, that sounds good.
>
> One more thing about the proposed fix:
> I think its BEST to set the WSHandlerConstants.ENCRYPTION_USER to the
> alias JUST BEFORE the WSDoAllReceiver - verifyTrust(...) method
> returns true, i.e. after verifying that the cert is a trusted cert.
>
That makes sense too. I'd be happy with that.
Nate
> .....
>
> if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
>     if (doDebug) {
>         log.debug("Direct trust for certificate with " + subjectString);
>     }
>
>     reqData.msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER, alias);
>     return true;
> }
> .....
>
> Best regards,
> Ruchith
>
> On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
>
> Hi Ruchith,
>
> That's a much better solution than mine because that looks to be the
> real alias, not the dn property from the cert. That's exactly what I
> wanted. I rebuilt the wss4j.jar and it works great.
>
> Any idea why this isn't done in the codebase in the first place? It
> would be nice if it were so I don't have to remember to rebuild the
> library when new versions come out.
>
> Thanks for the help!
> Nate
>
>
> Ruchith Fernando wrote:
>
>>Hi Nate,
>
>>I used a different method to do the same where I changed the -
>>private boolean verifyTrust(X509Certificate cert, RequestData reqData)
>>throws AxisFault
>>method in the WSDoAllReceiver
>
>>I added the following line right after it retrieves the alias from the
>>request data (right after line 526):
>
>>reqData.msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER,alias);
>
>>Is this the way that you were looking for... This way I didn't have to
>>do anything at the service :-)
>
>>Best regards,
>>Ruchith
>
>>On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
>
>>Hi All,
>
>>Hopefully this will be my last question for a while :) I really do
>>appreciate all of the speedy help being provided on this list.
>
>>I got the encryptionUser to work programmatically by setting the property
>>in the message context to the principal CN, but I'd like to get people's
>>thoughts on my method. The code below is called in the constructor of
>>the service. The assumption is that the client alias will be the same
>>as the CN. I don't like that assumption, but I have control over how
>>our clients generate their keys, so I can enforce this. I'd much rather
>>be able to get right at the alias, but haven't figured this out yet... if
>>anyone knows of a way, I'd be happy to know.
>
>
>>MessageContext msgContext = MessageContext.getCurrentContext();
>>Message reqMsg = msgContext.getRequestMessage();
>
>>String encryptedUser = null;
>>Vector results =
>>        (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
>
>>for (int i = 0; i < results.size(); i++) {
>>    WSHandlerResult hResult = (WSHandlerResult) results.get(i);
>>    String actor = hResult.getActor();
>>    Vector hResults = hResult.getResults();
>>    for (int j = 0; j < hResults.size(); j++) {
>>        WSSecurityEngineResult eResult =
>>                (WSSecurityEngineResult) hResults.get(j);
>>        if (eResult.getAction() != WSConstants.ENCR) {
>>            encryptedUser = eResult.getPrincipal().getName();
>>        }
>>    }
>>}
>
>>if (encryptedUser != null) {
>>    if (encryptedUser.startsWith("CN=")) {
>>        encryptedUser = encryptedUser.substring(3);
>>    }
>>    System.out.println("setting encryptedUser to ==>" +
>>            encryptedUser + "<==");
>>    msgContext.setProperty(WSHandlerConstants.ENCRYPTION_USER,
>>            encryptedUser);
>>}
>
>>Thanks!
>>Nate
>
>
>>Nathaniel A. Johnson wrote:
>
>
>>>Hi Ruchith,
>
>>>So you are saying I should not need an encryptionUser property in the
>>>server.wsdd file? That would be great.
>
>>>Everything you say does make sense... and I do have trusted certs in the
>>>server keystore for all clients that will be talking to the service, so
>>>that part is taken care of.
>
>>>The problem right now is that the server is encrypting the response back
>>>to the client with the server's public key instead of the client's
>>>public key when I do not have the encryptedUser in the responseFlow of
>>>the server.wsdd (which I do not want because I don't know the client :) I
>>>can see the client's public key in the constants like you mentioned below
>>>too, but the server just doesn't seem to want to use it.
>
>>>Am I missing something else? Any thoughts?
>
>>>Nate
>
>
>>>Ruchith Fernando wrote:
>
>
>>>>>Hi Nate,
>>>>>
>>>>>The client's public key is stored in the message context (in the
>>>>>receiver results - WSHandlerConstants.RECV_RESULTS) and retrieved
>>>>>later to encrypt the outgoing message (by the WSDoAllSender).
>>>>>
>>>>>WSDoAllSender - private void handleSpecialUser(RequestData reqData)
>>>>>
>>>>>Therefore if the client sending the incoming message uses a trusted
>>>>>cert then the outgoing message will be encrypted with that cert.
>>>>>
>>>>>But there's a trust verification part that happens at the service (by
>>>>>the WSDoAllReceiver's
>>>>>verifyTrust(X509Certificate cert, RequestData reqData) throws AxisFault
>>>>>method).
>>>>>
>>>>>This requires the client cert to be in the keystore of the service. I
>>>>>guess you can change this ONLY IF you want to trust all the requests
>>>>>AND if you don't have each client's cert with you.
>>>>>
>>>>>Best regards,
>>>>>Ruchith
>>>>>
>>>>>On 6/2/05, Nathaniel A. Johnson <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>Hello again Werner,
>>>>>
>>>>>So I fixed my encryption problem. I totally read the documentation
>>>>>wrong. I just needed to supply the encryptionUser in the wsdd, which
>>>>>makes perfect sense in hindsight :) Thanks for getting me thinking :)
>>>>>
>>>>>New Related Problem:
>>>>>
>>>>>This works great for request flows from the client to the web service
>>>>>since there is only one service the client is talking to (multiple
>>>>>clients talk to this service) and the client can just insert the service
>>>>>as the encryptionUser. And it works for responses from the service to
>>>>>the client when I hardcode the client as the encryptionUser in the
>>>>>server.wsdd like follows:
>>>>>
>>>>><responseFlow>
>>>>><handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
>>>>> <parameter name="user" value="groupsserver"/>
>>>>> <parameter name="passwordCallbackClass"
>>>>> value="edu.iu.uis.osg.security.PWCallback"/>
>>>>> <parameter name="encryptionUser" value="xxappclient"/>
>>>>> <parameter name="action" value="Signature Encrypt"/>
>>>>> <parameter name="signaturePropFile"
>>>>> value="server-crypto.properties" />
>>>>> <parameter name="signatureKeyIdentifier" value="DirectReference" />
>>>>> <parameter name="encryptionKeyIdentifier"
>>>>> value="X509KeyIdentifier" />
>>>>></handler>
>>>>></responseFlow>
>>>>>
>>>>>But there are many clients, so is there some way for my server to
>>>>>determine who is calling it and encrypt the response back to it with the
>>>>>correct public key?
>>>>>
>>>>>Thanks yet again!
>>>>>Nate
>>>>>
>>>>>
>>>>>
>>>>>Nathaniel A. Johnson wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hi Werner,
>>>>>
>>>>>>Your description of signatures and encryption with key pairs makes
>>>>>>perfect sense. It did get me thinking of something I figured was just
>>>>>>happening behind the scenes somewhere, which is that the client "just
>>>>>>knew" to use the server's public key to do the encrypting. Is there
>>>>>>some config setting, property file or what not, that should be set so
>>>>>>that the client knows to use the server's public key to encrypt with?
>>>>>>In the client.wsdd there are signaturePropFile and possibly
>>>>>>encryptionPropFile and decryptionPropFile properties, but those files
>>>>>>all have passwords in them, so I can't allow the client to see the
>>>>>>server files, right?
>>>>>
>>>>>>I must just be missing where I tell the client what to use for
>>>>>>encryption... any help would be great!
>>>>>
>>>>>>Thanks!
>>>>>>Nate
>>>>>
>>>>>>PS: Signatures are working great for me, both in the request and
>>>>>>response flows of the service, so I at least have half of it working :)
>>>>>
>>>>>
>>>>>>Dittmann Werner wrote:
>>>>>
>>>>>
>>>>>>>>Nate,
>>>>>>>>
>>>>>>>>both the Client and the Server use the Merlin calls to access
>>>>>>>>the keystore and to deal with certificates.
>>>>>>>>
>>>>>>>>If you do Signature then the client needs _its_ private
>>>>>>>>key to sign, the server needs the client's public key
>>>>>>>>to verify.
>>>>>>>>
>>>>>>>>If you encrypt then the client uses the _server's
>>>>>>>>public_ key to encrypt the symmetric session key, the
>>>>>>>>server uses _its_ private key to decrypt the session
>>>>>>>>key. Thus, the case you are describing is probably
>>>>>>>>a problem in the deployment - if you use Encryption
>>>>>>>>then you must use the server's certificate to do so
>>>>>>>>(the certificate contains the public key). To me it
>>>>>>>>seems that you specified the client's certificate to do
>>>>>>>>encryption.
>>>>>>>>
>>>>>>>>Regards,
>>>>>>>>Werner
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>-----Original Message-----
>>>>>>>>>From: Nathaniel A. Johnson [mailto:[EMAIL PROTECTED]
>>>>>>>>>Sent: Wednesday, 1 June 2005 16:54
>>>>>>>>>To: [email protected]
>>>>>>>>>Subject: encryption not asking for the right private key
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>Hi all,
>>>>>>>>>
>>>>>>>>>I just posted this over on the axis list, but realized it's probably
>>>>>>>>>better suited for the wss4j dev list... sorry for the cross post for
>>>>>>>>>those of you that are on both lists...
>>>>>>>>>
>>>>>>>>>I have been stepping through the axis and wss4j code and am at a loss.
>>>>>>>>>Here is the code it is getting to (inside Merlin.java):
>>>>>>>>>
>>>>>>>>>public PrivateKey getPrivateKey(String alias, String password)
>>>>>>>>>        throws Exception {
>>>>>>>>>    if (alias == null) {
>>>>>>>>>        throw new Exception("alias is null");
>>>>>>>>>    }
>>>>>>>>>    boolean b = keystore.isKeyEntry(alias);
>>>>>>>>>    if (!b) {
>>>>>>>>>        log.error("Cannot find key for alias: " + alias);
>>>>>>>>>        throw new Exception("Cannot find key for alias: " + alias);
>>>>>>>>>    }
>>>>>>>>>    Key keyTmp = keystore.getKey(alias, password.toCharArray());
>>>>>>>>>    if (!(keyTmp instanceof PrivateKey)) {
>>>>>>>>>        throw new Exception("Key is not a private key, alias: " + alias);
>>>>>>>>>    }
>>>>>>>>>    return (PrivateKey) keyTmp;
>>>>>>>>>}
>>>>>>>>>
>>>>>>>>>This is when the client calls to the service. The client is sending an
>>>>>>>>>encrypted/signed message. What's happening is the server (web service)
>>>>>>>>>is trying to get the private key for the client. That just doesn't make
>>>>>>>>>sense. The server will not have a keyEntry (private key) for the
>>>>>>>>>client, just public keys.
>>>>>>>>>
>>>>>>>>>Does anyone have any idea where I might be going wrong? I have been
>>>>>>>>>looking at this problem for over a week now, so maybe I am just missing
>>>>>>>>>something? I feel like I am going crazy.
>>>>>>>>>
>>>>>>>>>Thanks
>>>>>>>>>Nate
>>>>>
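The following is an added, stand-alone example and is not code from this thread, from WSS4J or from Axis. It puts the mechanism the thread converges on into plain JDK code: the certificate that signed the request is resolved to a server-keystore alias only if it is exactly one of the trusted-certificate entries (the direct-trust branch Ruchith quotes from verifyTrust), that alias is what the response flow would use as encryptionUser, and a session key wrapped to it can be unwrapped by the client's private key but not by the server's own (Werner's point about which key does what, and the "cannot find key for alias" failure in the first message). The class name, the file names server.jks and client.jks, the passwords and the keytool commands are assumptions; the aliases groupsserver and xxappclient are taken from the server.wsdd above. The validity-period check and the OAEP padding are this example's additions, not anything the thread specifies.

```java
// Added example, not WSS4J or Axis code. File names, passwords and the class
// name are assumptions. Create the two keystores first with keytool:
//   keytool -genkeypair -alias groupsserver -dname CN=groupsserver -keyalg RSA -keysize 2048 -keystore server.jks -storepass serverpass -keypass serverpass
//   keytool -genkeypair -alias xxappclient -dname CN=xxappclient -keyalg RSA -keysize 2048 -keystore client.jks -storepass clientpass -keypass clientpass
//   keytool -exportcert -alias xxappclient -keystore client.jks -storepass clientpass -file client.cer
//   keytool -importcert -alias xxappclient -file client.cer -keystore server.jks -storepass serverpass -noprompt
// server.jks then holds the server's key pair plus the client's certificate as a
// trusted entry (public key only); client.jks holds only the client's key pair.
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class ResponseEncryptionSelector {

    // OAEP padding is this example's choice; the thread does not specify a transport.
    private static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    private final KeyStore serverKeyStore;

    public ResponseEncryptionSelector(KeyStore serverKeyStore) {
        this.serverKeyStore = serverKeyStore;
    }

    // Direct trust as the thread describes verifyTrust(): the request's signing
    // certificate must be exactly one of the trusted-certificate entries in the
    // server keystore. Returns that entry's alias (the value to hand to the
    // response flow as encryptionUser) or null if the requester is not trusted.
    public String trustedAliasFor(X509Certificate requesterCert) throws GeneralSecurityException {
        // Match on the encoded certificate, not on the CN: no CN-equals-alias
        // convention is needed and two certs with the same CN cannot be confused.
        String alias = serverKeyStore.getCertificateAlias(requesterCert);
        if (alias == null) {
            return null;                       // never imported: unknown requester
        }
        // Only certificate entries are clients. Without this, a request carrying
        // the server's own certificate would resolve to the server's key entry.
        if (!serverKeyStore.isCertificateEntry(alias)) {
            return null;
        }
        requesterCert.checkValidity();         // validity-period check, an addition here
        return alias;
    }

    // Wrap a session key for the resolved alias, as the response-flow sender does.
    public byte[] wrapSessionKeyFor(String alias, SecretKey sessionKey) throws GeneralSecurityException {
        X509Certificate cert = (X509Certificate) serverKeyStore.getCertificate(alias);
        Cipher rsa = Cipher.getInstance(KEY_TRANSPORT);
        rsa.init(Cipher.WRAP_MODE, cert.getPublicKey());   // recipient's public key
        return rsa.wrap(sessionKey);
    }

    // Unwrap with a private key: succeeds for the recipient's, fails for any other.
    public static SecretKey unwrapSessionKey(byte[] wrapped, PrivateKey key) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(KEY_TRANSPORT);
        rsa.init(Cipher.UNWRAP_MODE, key);
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    private static KeyStore load(String file, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore server = load("server.jks", "serverpass");
        KeyStore client = load("client.jks", "clientpass");
        ResponseEncryptionSelector selector = new ResponseEncryptionSelector(server);

        // The requester's signing certificate, as the receiver takes it from the
        // request's DirectReference token.
        X509Certificate requester = (X509Certificate) client.getCertificate("xxappclient");
        String encryptionUser = selector.trustedAliasFor(requester);
        if (encryptionUser == null) {
            throw new SecurityException("requester not trusted; not encrypting a response to it");
        }
        System.out.println("encryptionUser for this response: " + encryptionUser);

        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);
        SecretKey sessionKey = aes.generateKey();
        byte[] wrapped = selector.wrapSessionKeyFor(encryptionUser, sessionKey);

        // The client's private key recovers the session key ...
        PrivateKey clientKey = (PrivateKey) client.getKey("xxappclient", "clientpass".toCharArray());
        SecretKey recovered = unwrapSessionKey(wrapped, clientKey);
        System.out.println("client unwrapped the session key: "
                + Arrays.equals(recovered.getEncoded(), sessionKey.getEncoded()));

        // ... and the server's own private key cannot: whoever encrypts must use the
        // recipient's certificate, and only the recipient's private key decrypts.
        PrivateKey serverKey = (PrivateKey) server.getKey("groupsserver", "serverpass".toCharArray());
        try {
            unwrapSessionKey(wrapped, serverKey);
            System.out.println("unexpected: server key unwrapped the client's session key");
        } catch (GeneralSecurityException e) {
            System.out.println("server key cannot unwrap it: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it from the directory holding the two keystores with `java ResponseEncryptionSelector.java` (JDK 11 or later launches a single source file directly). The alias comes straight from the keystore, so the service needs neither an encryptionUser in the responseFlow of server.wsdd nor the CN-equals-alias convention from the earlier message, and because trustedAliasFor runs before anything is handed to the sender, a certificate that was never imported into server.jks can never become the encryptionUser, which is the ordering Ruchith recommends for setting WSHandlerConstants.ENCRYPTION_USER.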
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFCnzUFgj8ksIjnb2wRArW6AJ0YVbPcyD002Nu7cFfVxfMXNTsxeQCgoC38
/HyrtPgqQnPDs9vTAoHlUFA=
=BBQ3
-----END PGP SIGNATURE-----