Hi Martin,
thanks for the example, now I am trying it but I need some other help.

1) How can I modify the server deploy.wsdd in order to specify that the client
is using a binary security token?

2) <parameter name="user" value="michal"/>
   <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
Do I have to use these parameters, or aren't they necessary for my application?

3) When I create client.wsdd, do I have to specify

<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="action" value="Signature"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="cryptoSender.properties"/>
      </handler>
    </requestFlow>
  </globalConfiguration>
</deployment>

or even WSDoAllReceive?

4) I want to add even the CRL file in my app. server. Do I have to add it to the
keystore cacerts? And what is the method that, when the signed message arrives,
does all this control, so that when the signed SOAP message arrives it verifies
the signature of the client, the signature of the CA, and verifies if the
certificate is revoked?

Thanks a lot for your help, I need this for my degree and sorry for all these
questions.

Hermann




-----Original Message-----
From: Martin Kuba [mailto:[EMAIL PROTECTED]
Sent: Monday, 19 June 2006 10:59
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: [WSS4J 1.5] Verify signature of Certificate Authority in a x509
certificate inserted as security token

Hi Hermann,

for signing an outgoing message and then verifying both
the unbroken signature and the acceptance of the signer, you don't
have to write any code, at least in Axis 1.4. I do the
following. I create a file named client-config.wsdd specifying signature
and verification
(the name is important, otherwise you have to specify it using
-Daxis.ClientConfigFile=myfile.wsdd):


<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration>
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signatureKeyIdentifier" value="DirectReference"/>
        <parameter name="signaturePropFile" value="cryptoSender.properties"/>
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="user" value="michal"/>
        <parameter name="passwordCallbackClass" value="cz.makub.PWCallback"/>
        <parameter name="action" value="Signature"/>
        <parameter name="signaturePropFile" value="cryptoReceiver.properties"/>
      </handler>
    </responseFlow>
  </globalConfiguration>
</deployment>

The files cryptoSender.properties and cryptoReceiver.properties specify
the signing and verification. Their content should be in your case:

cryptoSender.properties:
------------------------
org.apache.ws.security.crypto.merlin.file=e://x509pri.p12
org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
org.apache.ws.security.crypto.merlin.keystore.password=1234567890

cryptoReceiver.properties:
--------------------------
org.apache.ws.security.crypto.merlin.file=cacerts.jks
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=aaa


where the file cacerts.jks contains your accepted CAs, and can
be created using:

keytool -import -keystore cacerts.jks -file theCAcert.pem

And yes, you should send the x509 certificate of the
signer with the message; it is done by the config parameter
<parameter name="signatureKeyIdentifier" value="DirectReference" />
otherwise just the DN of the CA and the serial number of the certificate are
sent, so the receiver would have to already have that certificate
to be able to verify the signature.

There is a small issue with the "passwordCallbackClass" parameter:
I have found that it is needed for me, but others say that it is not
needed when using JKS keystores. The class should provide
passwords for private keys.

Hope this helps.

Martin

[EMAIL PROTECTED] wrote:
> 
> Hi All,
> 
> I've created a soap message then I've signed it with this method:
> 
> /*************************************
> public class signer2 {
>        
>         public static void main(String arg[]){
>                
>                 try{
>                         KeyStore ks = KeyStore.getInstance("PKCS12");
>                         InputStream in = new 
> FileInputStream("e://x509pri.p12");
>                         ks.load(in, "1234567890".toCharArray());
...
> But with this method I verify whether the signature of the client is valid.
> I have on my application server the x509 certificate of a CA and I want
> that when the signedDoc message arrives my app. server verifies the
> signature of the client and the signature of the CA that is in the x509
> certificate. Is it possible with wss4j??
> Or do I need to send with the signed soap message the x509 certificate of
> the client as an attachment??
> 
> Thanks all for help.
> 
> Hermann
> 


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: [EMAIL PROTECTED]
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------


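A password callback class of the kind Martin's "passwordCallbackClass" parameter points at, added here as an example that is not from the original thread: it answers WSS4J 1.5's WSPasswordCallback for the signing key only, and reads the private-key password from a system property instead of hardcoding it. The class name cz.makub.PWCallback and alias "michal" come from the WSDD above; the property name wss4j.key.password is an assumption.

```java
package cz.makub;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for WSDoAllSender / WSDoAllReceiver (WSS4J 1.5).
 * WSS4J calls handle() with a WSPasswordCallback whose identifier is the
 * "user" parameter from the WSDD (the key alias in the keystore) and whose
 * usage says what the password is wanted for (signature, decryption, ...).
 */
public class PWCallback implements CallbackHandler {

    // Alias of the signing key; must match <parameter name="user" .../> in the WSDD.
    private static final String SIGNING_ALIAS = "michal";
    // System property holding the private-key password (assumed name),
    // e.g. -Dwss4j.key.password=... on the JVM command line.
    private static final String PASSWORD_PROPERTY = "wss4j.key.password";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            // getIdentifer() is the method's actual spelling in WSS4J 1.5.
            String alias = pc.getIdentifer();
            // Hand out the password only for the signing key and only for
            // the configured alias; decryption or UsernameToken requests get
            // nothing, so a mis-configured handler fails instead of signing
            // with, or unlocking, the wrong key.
            if (pc.getUsage() != WSPasswordCallback.SIGNATURE || !SIGNING_ALIAS.equals(alias)) {
                throw new UnsupportedCallbackException(pc,
                        "No password for alias " + alias + " with usage " + pc.getUsage());
            }
            String password = System.getProperty(PASSWORD_PROPERTY);
            if (password == null) {
                throw new IOException("System property " + PASSWORD_PROPERTY + " is not set");
            }
            pc.setPassword(password);
        }
    }
}
```

The class only has to be on the classpath under the name given in the WSDD; the keystore password stays in cryptoSender.properties, this callback covers the private-key password that WSS4J asks for when signing.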