Hi Hermann,

For signing an outgoing message and then verifying both the unbroken signature and the acceptance of the signer, you don't have to write any code, at least in Axis 1.4. I do the following. I create a file named client-config.wsdd specifying signature and verification (the name is important, otherwise you have to specify it using -Daxis.ClientConfigFile=myfile.wsdd):
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="cryptoSender.properties"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signaturePropFile" value="cryptoReceiver.properties"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>

The files cryptoSender.properties and cryptoReceiver.properties specify the signing and verification. Their content should be in your case:

cryptoSender.properties:
------------------------
org.apache.ws.security.crypto.merlin.file=e://x509pri.p12
org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
org.apache.ws.security.crypto.merlin.keystore.password=1234567890

cryptoReceiver.properties:
--------------------------
org.apache.ws.security.crypto.merlin.file=cacerts.jks
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=aaa

where the file cacerts.jks contains your accepted CAs, and can be created using:

keytool -import -keystore cacerts.jks -file theCAcert.pem

And yes, you should send the X.509 certificate of the signer with the message. It is done by the config parameter

<parameter name="signatureKeyIdentifier" value="DirectReference"/>

Otherwise just the DN of the CA and the serial number of the certificate is sent, so the receiver would have to already have that certificate to be able to verify the signature.

There is a small issue with the "passwordCallbackClass" parameter: I have found that it is needed for me, but others say that it is not needed when using JKS keystores. The class should provide passwords for private keys.

Hope this helps.

Martin

[EMAIL PROTECTED] wrote:
Hi All,

I've created a SOAP message, then I've signed it with this method:

/*************************************
public class signer2 {
    public static void main(String arg[]) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            InputStream in = new FileInputStream("e://x509pri.p12");
            ks.load(in, "1234567890".toCharArray());
...

But with this method I verify if the signature of the client is valid. I've on my application server the X.509 certificate of a CA, and I want that when the signedDoc message arrives my app. server verifies the signature of the client and the signature of the CA that is in the X.509 certificate. Is it possible with wss4j? Or do I need to send with the signed SOAP message the X.509 certificate of the client as an attachment? Thanks all for help.

Hermann
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno                        Martin Kuba
Institute of Computer Science          email: [EMAIL PROTECTED]
Masaryk University               http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ          mobil: +420-603-533775
--------------------------------------------------------------
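Added example, not Martin's own class: one way to write the cz.makub.PWCallback referenced by the "passwordCallbackClass" parameter in the client-config.wsdd above, using the WSS4J 1.5 WSPasswordCallback API. It answers only a signing request for the alias "michal" from the config, and reads the private-key password from an environment variable instead of hardcoding it; the variable name WSS4J_SIGN_KEY_PASSWORD and the use of the environment (which needs Java 5 or later for System.getenv) are assumptions.

```java
package cz.makub;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Password callback for WSDoAllSender/WSDoAllReceiver (WSS4J 1.5 API).
public class PWCallback implements CallbackHandler {

    // Alias of the signing key; must match the "user" parameter in client-config.wsdd.
    private static final String SIGNING_ALIAS = "michal";

    // Environment variable holding the private-key password (an assumed name).
    private static final String PASSWORD_ENV = "WSS4J_SIGN_KEY_PASSWORD";

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i],
                        "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];

            // Hand out the key password only for a signature request on the
            // expected alias. Anything else (other aliases, other usages) is
            // left unanswered, so WSS4J fails the operation instead of getting
            // a password it should not have.
            if (pc.getUsage() == WSPasswordCallback.SIGNATURE
                    && SIGNING_ALIAS.equals(pc.getIdentifier())) {
                String password = System.getenv(PASSWORD_ENV);
                if (password == null || password.length() == 0) {
                    throw new IOException("private key password not set in "
                            + PASSWORD_ENV);
                }
                pc.setPassword(password);
            }
        }
    }
}
```

With a PKCS12 keystore like the one in cryptoSender.properties, the key password is normally the same as the keystore password, which is why the callback is consulted there even though JKS users report not needing it.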
