Hi,

Not sure that it is a good idea to save private keys in the database, but if you
have good reasons for that - just read the private key from the db, create a Java
PrivateKey object and return it in the getPrivateKey() methods of the Crypto provider.

Regards,
Andrei.

> -----Original Message-----
> From: Ted Roeloffzen [mailto:ted.roeloff...@gmail.com]
> Sent: Donnerstag, 1. August 2013 12:46
> To: users
> Subject: Re: CXF WS-security policy question
> 
> Hi Andrei,
> 
> The problem is that I don't have a keystore.
> The certificate is loaded from the database.
> 
> kind regards,
> 
> Ted
> 
> 
> 2013/7/30 Andrei Shakirin <ashaki...@talend.com>
> 
> > Hi Ted,
> >
> > I see that your crypto provider returns null for private keys and always
> > says false in verifyTrust().
> > If you manage your private keys in a keystore, you should initialize the
> > default WSS4J Merlin crypto provider with that keystore and delegate
> > getPrivateKey() calls to Merlin.
> > verifyTrust() must validate the certificate (you can just return true for
> > a quick test).
> >
> > As a sample, look into the XKMS Crypto provider implementation contributed
> > with XKMS:
> > https://svn.apache.org/repos/asf/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto.
> >
> > Some information you will find in my blog:
> > http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html.
> >
> > Regards,
> > Andrei.
> >
> > From: Ted Roeloffzen [mailto:ted.roeloff...@gmail.com]
> > Sent: Dienstag, 30. Juli 2013 11:51
> > To: Andrei Shakirin
> > Subject: Re: CXF WS-security policy question
> >
> > Hi all,
> >
> > This is a code snippet of what I'm doing.
> >
> > import java.security.PrivateKey;
> > import java.security.PublicKey;
> > import java.security.cert.X509Certificate;
> > import javax.security.auth.callback.CallbackHandler;
> > import org.apache.cxf.interceptor.Fault;
> > import org.apache.cxf.message.Message;
> > import org.apache.cxf.phase.AbstractPhaseInterceptor;
> > import org.apache.cxf.phase.Phase;
> > import org.apache.cxf.ws.security.SecurityConstants;
> > import org.apache.ws.security.components.crypto.CryptoBase;
> > import org.apache.ws.security.components.crypto.CryptoType;
> >
> > public class TestCertificateProviderInterceptor extends
> >         AbstractPhaseInterceptor<Message> {
> >     public static class TestCertificateHolder extends CryptoBase
> >     {
> >         protected X509Certificate trustedCert;
> >
> >         public TestCertificateHolder(X509Certificate trustedCert)
> >         {
> >             this.trustedCert = trustedCert;
> >             setDefaultX509Identifier("");
> >         }
> >
> >         @Override
> >         public X509Certificate[] getX509Certificates(CryptoType cryptoType)
> >         {
> >             X509Certificate[] certificates = {trustedCert};
> >             return certificates;
> >         }
> >
> >         @Override
> >         public String getX509Identifier(X509Certificate cert)
> >         {
> >             return null;
> >         }
> >
> >         @Override
> >         public PrivateKey getPrivateKey(X509Certificate certificate,
> >                                         CallbackHandler callbackHandler)
> >         {
> >             return null;
> >         }
> >
> >         @Override
> >         public PrivateKey getPrivateKey(String identifier, String password)
> >         {
> >             return null;
> >         }
> >
> >         @Override
> >         @Deprecated
> >         public boolean verifyTrust(X509Certificate[] certs)
> >         {
> >             return false;
> >         }
> >
> >         @Override
> >         public boolean verifyTrust(X509Certificate[] certs,
> >                                    boolean enableRevocation)
> >         {
> >             return false;
> >         }
> >
> >         @Override
> >         public boolean verifyTrust(PublicKey publicKey)
> >         {
> >             return false;
> >         }
> >
> >     }
> >
> >     // CertificateHolder is the poster's own DB-backed class (not shown).
> >     private CertificateHolder holder;
> >
> >     public TestCertificateProviderInterceptor(CertificateHolder holder)
> >     {
> >         super(Phase.PRE_LOGICAL);
> >         this.holder = holder;
> >     }
> >
> >     @Override
> >     public void handleMessage(Message message) throws Fault
> >     {
> >         TestCertificateHolder store =
> >             new TestCertificateHolder(holder.getCertificate());
> >
> >         message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, store);
> >     }
> > }
> > Could it be a problem that I'm not overriding the standard
> > implementation of the verifyTrust-methods?
> > kind regards,
> >
> > Ted Roeloffzen
> >
> >
> > 2013/7/12 Andrei Shakirin <ashaki...@talend.com<mailto:
> > ashaki...@talend.com>>
> > Hi Ted,
> >
> > I used my own CryptoBase extension for signature and encryption, so
> > basically it should work.
> > How do you set the SIGNATURE_CRYPTO crypto, in configuration or in an
> > interceptor? Do you apply it to the whole client or to a message?
> >
> > A simple test case will of course be very helpful. Absolutely not a
> > problem to get it in two weeks or later.
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Ted Roeloffzen [mailto:ted.roeloff...@gmail.com<mailto:
> > ted.roeloff...@gmail.com>]
> > > Sent: Freitag, 12. Juli 2013 16:06
> > > To: users; Colm O hEigeartaigh
> > > Subject: Re: CXF WS-security policy question
> > >
> > > Hi Colm,
> > >
> > > I hoped there would be a quick fix for the problem, because I'm
> > > going on a vacation tomorrow and won't be taking my laptop with me.
> > > Because of my vacation I'm unable to create a test case or a patch.
> > > If this problem is still there in 2 weeks, I would be happy to take
> > > a look at it.
> > >
> > > kind regards,
> > >
> > > Ted
> > >
> > >
> > > 2013/7/12 Colm O hEigeartaigh <cohei...@apache.org<mailto:
> > cohei...@apache.org>>
> > >
> > > > Hi Ted,
> > > >
> > > > It's likely there are some bugs in the code surrounding the use of
> > > > such a Crypto implementation. Would it be possible to share a
> > > > test-case or are you interested in providing a patch for this issue?
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Fri, Jul 12, 2013 at 2:41 PM, Ted Roeloffzen
> > > > <ted.roeloff...@gmail.com<mailto:ted.roeloff...@gmail.com>
> > > > >wrote:
> > > >
> > > > > Hi Andrei,
> > > > >
> > > > > Thanks for your advice.
> > > > > I created a class that implements Crypto, actually it extends
> > > > > CryptoBase, but now I get the message: No callback handler and no
> > > > > password available. Do I have to repeat the same thing here? Just
> > > > > create somewhat of a dummy implementation of CallbackHandler?
> > > > >
> > > > > Kind regards,
> > > > >
> > > > > Ted
> > > > >
> > > > >
> > > > > 2013/7/12 Andrei Shakirin <ashaki...@talend.com<mailto:
> > ashaki...@talend.com>>
> > > > >
> > > > > > Hi Ted,
> > > > > >
> > > > > > I assume that your CertificateStore object implements the wss4j
> > > > > > org.apache.ws.security.components.crypto.Crypto interface,
> > > > > > does it?
> > > > > > The reason why CXF needs the SIGNATURE_USERNAME property is the
> > > > > > following: even a single CXF client can be used by multiple users
> > > > > > having different private and public keys.
> > > > > > Therefore the Crypto interface provides the method
> > > > > > getX509Certificates() with a CryptoType argument, that specifies
> > > > > > the keystore alias (or other X509 identifier) to be used.
> > > > > >
> > > > > > If you always have only one user and a single certificate, you
> > > > > > can provide any non-empty value in the
> > > > > > Crypto.getDefaultX509Identifier() method and just
> > > > > > ignore it in Crypto.getX509Certificates().
> > > > > >
> > > > > > Regards,
> > > > > > Andrei.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Ted Roeloffzen [mailto:ted.roeloff...@gmail.com<mailto:
> > ted.roeloff...@gmail.com>]
> > > > > > > Sent: Freitag, 12. Juli 2013 11:31
> > > > > > > To: users
> > > > > > > Subject: CXF WS-security policy question
> > > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I'm trying to create a webservice client that uses the
> > > > > > > security policy which is specified in the WSDL.
> > > > > > > As the certificate that is used for this client has to be
> > > > > > > loaded from the database, I created an Interceptor that sets the
> > > > > > > SIGNATURE_CRYPTO property with a CertificateStore object that
> > > > > > > contains the correct certificate.
> > > > > > > When I try to send a message I get the following error message:
> > > > > > > No configured signature username detected
> > > > > > >
> > > > > > > Because there is only one certificate in the CertificateStore,
> > > > > > > there is no need for a username. But nonetheless I get this error.
> > > > > > >
> > > > > > > Can anyone point me in the right direction?
> > > > > > >
> > > > > > > Great many thanks.
> > > > > > >
> > > > > > > Kind regards,
> > > > > > >
> > > > > > > Ted Roeloffzen
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
> >
> >
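The following is an added example that is not code from this thread, from CXF or from WSS4J. It puts Andrei's advice into one class: read the certificate and the PKCS#8 private key bytes from the database, build a java.security.PrivateKey from them and hand it out from the getPrivateKey() methods, use a non-empty default X509 identifier that getX509Certificates() ignores, and make verifyTrust() actually validate the presented chain against a set of trusted issuers instead of returning false. The table name signing_identity, its columns cert_der and key_pkcs8_der, the alias string and the trustedIssuers argument are all assumptions of this example; it targets the WSS4J 1.6 org.apache.ws.security.components.crypto.CryptoBase API used in the thread.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.apache.ws.security.components.crypto.CryptoType;

// Hypothetical WSS4J 1.6 Crypto that serves one signing identity stored in a
// database. Table, column names and the alias value are assumed for this example.
public class DatabaseCrypto extends CryptoBase {

    static final String ALIAS = "db-signing-identity";   // any non-empty identifier will do

    private final X509Certificate cert;
    private final PrivateKey key;
    private final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();

    public DatabaseCrypto(byte[] certDer, byte[] pkcs8Der, Set<X509Certificate> trustedIssuers)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certDer));
        // Turn the stored PKCS#8 DER bytes into a java.security.PrivateKey; the key
        // algorithm (RSA, EC, ...) is taken from the matching certificate.
        KeyFactory kf = KeyFactory.getInstance(cert.getPublicKey().getAlgorithm());
        key = kf.generatePrivate(new PKCS8EncodedKeySpec(pkcs8Der));
        for (X509Certificate ca : trustedIssuers) {
            anchors.add(new TrustAnchor(ca, null));
        }
        setDefaultX509Identifier(ALIAS);
    }

    // Reads the identity row over JDBC from the assumed table
    // signing_identity(alias, cert_der, key_pkcs8_der).
    public static DatabaseCrypto fromJdbc(Connection conn, String alias,
            Set<X509Certificate> trustedIssuers) throws Exception {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT cert_der, key_pkcs8_der FROM signing_identity WHERE alias = ?");
        try {
            ps.setString(1, alias);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) {
                throw new IllegalStateException("no signing identity stored for alias " + alias);
            }
            return new DatabaseCrypto(rs.getBytes("cert_der"), rs.getBytes("key_pkcs8_der"),
                    trustedIssuers);
        } finally {
            ps.close();
        }
    }

    @Override
    public X509Certificate[] getX509Certificates(CryptoType cryptoType) {
        return new X509Certificate[] {cert};   // single identity: the requested alias is ignored
    }

    @Override
    public String getX509Identifier(X509Certificate c) {
        return cert.equals(c) ? ALIAS : null;
    }

    @Override
    public PrivateKey getPrivateKey(X509Certificate c, CallbackHandler callbackHandler) {
        return cert.equals(c) ? key : null;    // never hand out the key for a foreign certificate
    }

    @Override
    public PrivateKey getPrivateKey(String identifier, String password) {
        return key;    // the key is stored unwrapped, so no password is needed to open it
    }

    @Override @Deprecated
    public boolean verifyTrust(X509Certificate[] certs) {
        return verifyTrust(certs, false);
    }

    // PKIX path validation against the configured issuers: checks signatures,
    // validity dates and, when enabled, revocation. Any failure means "not trusted".
    @Override
    public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) {
        if (certs == null || certs.length == 0 || anchors.isEmpty()) {
            return false;
        }
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certs));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(enableRevocation);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    @Override
    public boolean verifyTrust(PublicKey publicKey) {
        // A bare key is trusted only if it belongs to a trust anchor or to our own certificate.
        for (TrustAnchor anchor : anchors) {
            if (anchor.getTrustedCert().getPublicKey().equals(publicKey)) {
                return true;
            }
        }
        return cert.getPublicKey().equals(publicKey);
    }
}
```

Build the instance once (for example with fromJdbc) and pass it to CXF as the SecurityConstants.SIGNATURE_CRYPTO property, as the interceptor in the thread does; the same object can serve as ENCRYPT_CRYPTO if the policy also encrypts. Because getPrivateKey(String, String) ignores its password argument, the "No callback handler and no password available" check that CXF performs before calling it can be satisfied with any placeholder SIGNATURE_PASSWORD; the decryption of the key material itself is not the concern of this class, which is also why storing an unwrapped private key in a table deserves the scepticism voiced at the top of the thread.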
