Hi,
With Java keystores (JKS) WSS4J has the *correct* behaviour!
In both cases, when the passwords are different and when they are equal, the
callback handler is called requesting the password of the private key.
Also WSS4J correctly throws an exception when the key password
provided from the callback handler is different, even when the two
passwords are the same.
Thanks,
Ruchith
On 6/15/06, Werner Dittmann <[EMAIL PROTECTED]> wrote:
BTW, I forgot: the Java keystore implementation (maybe also the BC one)
has the behavior as described by Martin: if the key store password _and_
the key password are the same, the keystore implementation does not request
the second password. This is a key store behavior, not WSS4J.
Werner
Martin Kuba wrote:
> Ruchith Fernando wrote:
>> Hi Martin,
>>
>> I just tried changing the password of my private key in one of my test
>> cases that does signature only. Then I got this error:
>>
>> org.apache.ws.security.WSSecurityException: WSHandler: Signature:
>> error during message
>> procesingorg.apache.ws.security.WSSecurityException: Signature
>> creation failed; nested exception is:
>> java.security.UnrecoverableKeyException: Cannot recover key
>> at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:57)
>> at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:191)
>>
>> I also tried a keystore of which the private key used to sign had a
>> different password.
>>
>> Seems like it's working as expected!
>>
>> Can you help reproduce this issue?
>
> Yes, I can reproduce it. I just created a PKCS12 file, which has a
> different MAC (KeyStore) password and export (PrivateKey) password.
> The passwords are "first" and "second".
> When I specify
>
> org.apache.ws.security.crypto.merlin.file=server2.p12
> org.apache.ws.security.crypto.merlin.keystore.password=first
>
> in crypto.properties and in client-config.wsdd I have
>
> <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
> <parameter name="user" value="michalUser"/>
> <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
>
> and the cz.makub.PWCallback class is:
>
> import java.io.IOException;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import org.apache.log4j.Logger; // logging framework assumed from Logger.getLogger(Class)
> import org.apache.ws.security.WSPasswordCallback;
>
> public class PWCallback implements CallbackHandler {
>     static Logger log = Logger.getLogger(PWCallback.class);
>
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         for (int i = 0; i < callbacks.length; i++) {
>             if (callbacks[i] instanceof WSPasswordCallback) {
>                 WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
>                 // set the password given a username
>                 log.debug("getIdentifier()=" + pc.getIdentifer());
>                 if ("michalUser".equals(pc.getIdentifer())) {
>                     pc.setPassword("second");
>                     return;
>                 }
>             } else {
>                 throw new UnsupportedCallbackException(callbacks[i],
>                         "Unrecognized Callback");
>             }
>         }
>     }
> }
>
> then I get the following exception:
>
> java.io.IOException: exception decrypting data -
> javax.crypto.BadPaddingException: pad block corrupted
> at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.decryptData(Unknown Source)
> at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1150)
> at org.apache.ws.security.components.crypto.AbstractCrypto.load(AbstractCrypto.java:525)
>
> The interesting point is that my callback handler is never called!
> It is not even created! Otherwise I would see its debug output.
>
> So it looks like WSS4J just wants the callback class to be specified,
> but it never uses it; it uses the keystore password for the
> key.
>
> Martin
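Added example (not from this thread, nor WSS4J or BouncyCastle code) of the two-password arrangement Martin describes, using only the JDK's own PKCS12 provider: the store password "first" verifies the MAC when the file is loaded, while the key entry is protected by the separate password "second", which only a callback handler knows. A secret-key entry stands in for the private key so no certificate chain is needed; the class name, alias and passwords are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;

// Constructed demo: a PKCS12 store whose MAC password and key-entry password differ.
public class TwoPasswordKeyStore {
    static final char[] STORE_PW = "first".toCharArray();  // verifies the store MAC on load
    static final char[] KEY_PW = "second".toCharArray();   // decrypts the key entry
    // Stand-in for the application's callback handler: only it knows the key password.
    static final CallbackHandler handler = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(KEY_PW);
            }
        }
    };

    static byte[] buildStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey k = KeyGenerator.getInstance("AES").generateKey();
        // The entry gets its own password, distinct from the store password.
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(k),
                new KeyStore.PasswordProtection(KEY_PW));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PW);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(buildStore()), STORE_PW);
        // The mistake from the thread: reusing the store password for the key entry.
        try {
            ks.getKey("demo", STORE_PW);
            System.out.println("unexpected: store password opened the key entry");
        } catch (UnrecoverableKeyException e) {
            System.out.println("key entry refused the store password: " + e.getMessage());
        }
        // Correct flow: obtain the key password from the callback handler.
        PasswordCallback cb = new PasswordCallback("key password: ", false);
        handler.handle(new Callback[] { cb });
        System.out.println("key recovered: " + (ks.getKey("demo", cb.getPassword()) != null));
    }
}
```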