Hi Milinda,
I couldn't find any usages of the getKeystore() method in WSS4J.
Therefore IMHO, you can safely throw an UnsupportedOperationException
there.
getDefaultX509Alias() is used to find the certificate to verify the
signature when we cannot find the signature certificate from the
incoming request. Therefore you can use the same approach that Merlin
used to get this value, where you can load it from the .properties
file.
I'm not sure about the solution for getPrvateKey() but can we get the
rest of it completed so we can try to use this with WSS4J to simply
verify incoming signed messages.
Thanks,
Ruchith
On 7/19/06, Milinda Lakmal <[EMAIL PROTECTED]> wrote:
Hi,
I implemented some of the methods in crypto interface.
But I have problems with these methods. Can you please reply me if you have
any suggestions to these problems.
public PrivateKey getPrivateKey(String alias, String password) throws
Exception;
public String getDefaultX509Alias();
What is the default alias when considering the LDAP Certifictae Stroe?
public KeyStore getKeyStore();
This method realy confused me when regarding the LDAP cert store. When we
use ldap cert store this interface cant use.
Here is my current implementations:
package org.apache.ws.security.components;
/**
* Created by IntelliJ IDEA.
* User: milinda
* Date: Jul 18, 2006
* Time: 7:35:47 PM
* To change this template use File | Settings | File Templates.
*/
import org.apache.ws.security.WSSecurityException;
import javax.naming.directory.*;
import javax.naming.NamingException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import java.security.cert.*;
import java.security.NoSuchAlgorithmException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
public class LDAPCrypto {
protected static CertificateFactory certFact;
protected static DirContext ldapCtx;
protected static String searchContext;
protected Properties properties;
protected ArrayList caCertList;
static String SKI_OID = "2.5.29.14";
/**
* Constructor
*
* @param properties
* @throws javax.naming.NamingException
*/
public LDAPCrypto(Properties properties) throws NamingException {
/*
* if no properties .. just return an instance, the rest will be
* done later or this instance is just used to handle certificate
* conversions in this implementatio
*/
if (properties == null) {
return;
}
this.properties = properties;
searchContext =
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");
Hashtable ldapEnv = new Hashtable(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
ldapEnv.put(Context.PROVIDER_URL,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));
/**
* Look for the authentication type & create DirContext according
to the properties
*/
if
(this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("none"))
{
ldapEnv.put(Context.SECURITY_AUTHENTICATION,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
ldapCtx = new InitialDirContext(ldapEnv);
}
if
(this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication").toLowerCase().equals("simple"))
{
ldapEnv.put(Context.SECURITY_AUTHENTICATION,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication"));
ldapEnv.put(Context.SECURITY_PRINCIPAL,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
ldapEnv.put(Context.SECURITY_CREDENTIALS,
this.properties.getProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
ldapCtx = new InitialDirContext(ldapEnv);
System.out.println(ldapCtx);
}
caCertList = new ArrayList();
}
/**
* Singleton certificate factory for this Crypto instance.
* <p/>
*
* @return Returns a <code>CertificateFactory</code> to construct
* X509 certficates
* @throws org.apache.ws.security.WSSecurityException
*
*/
public synchronized CertificateFactory getCertificateFactory() throws
WSSecurityException {
if (certFact == null) {
try {
certFact = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
throw new
WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
"unsupportedCertType");
}
return certFact;
}
return certFact;
}
public String getEmailFromDN(String DN) {
StringTokenizer stOne = new StringTokenizer(DN, ",");
StringTokenizer stTwo = new StringTokenizer(stOne.nextToken(),
"=");
stTwo.nextToken();
return stTwo.nextToken();
}
public ArrayList getCAS(String caAlias) {
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext,
"(objectclass=pkiCA)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs =
searchReult.getAttributes();
javax.naming.directory.Attribute attr =
attrs.get("cACertificate;binary");
if (attr == null) {
return null;
} else {
Object binary = attr.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new
ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate)
certFact.generateCertificate(binaryIS);
if (caAlias.equals(cert.getSubjectDN().toString()))
{
caCertList.add(cert);
if
(cert.getSubjectDN().toString().equals(cert.getIssuerDN().toString())) {
return caCertList;
} else {
caCertList =
getCAS(cert.getIssuerDN().toString());
}
}
}
}
}
} catch (Exception e) {
}
return caCertList;
}
public X509Certificate[] getCertificates(String alias) throws
WSSecurityException {
ArrayList certList = new ArrayList();
ArrayList caCList = new ArrayList();
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext, "cn="
+ alias, constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs =
searchReult.getAttributes();
javax.naming.directory.Attribute attr =
attrs.get("userCertificate;binary");
if (attr != null) {
Object binary = attr.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new
ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate)
certFact.generateCertificate(binaryIS);
certList.add(cert);
caCList = getCAS(cert.getIssuerDN().toString());
}
}
}
} catch (Exception e) {
}
for (int j = 0; j < caCList.size(); j++) {
certList.add(caCList.get(j));
}
if (certList.size() == 0 || certList == null) {
return null;
}
X509Certificate[] x509certs = new X509Certificate[certList.size()];
for (int i = 0; i < certList.size(); i++) {
x509certs[i] = (X509Certificate) certList.get(i);
}
return x509certs;
}
/**
* Return a X509 Certificate alias in the keystore according to a given
Certificate
* <p/>
*
* @param cert The certificate to lookup
* @return alias name of the certificate that matches the given
certificate
* or null if no such certificate was found.
* <p/>
* See comment above
* <p/>
* See comment above
*/
public String getAliasForX509Cert(Certificate cert) throws
WSSecurityException {
boolean certFound = false;
String alias = null;
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext,
"(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs =
searchReult.getAttributes();
javax.naming.directory.Attribute attrCert
= attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN =
attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new
ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cer;
cer = (X509Certificate)
certFact.generateCertificate(binaryIS);
if (cer.equals(cert)) {
certFound = true;
alias = cn;
}
}
}
}
} catch (Exception e) {
}
String aliasReturn = null;
if (certFound) {
aliasReturn = alias;
}
return aliasReturn;
}
/**
* Lookup a X509 Certificate in the keystore according to a given
* SubjectKeyIdentifier.
* <p/>
* The search gets all alias names of the keystore and gets the
certificate chain
* or certificate for each alias. Then the SKI for each user
certificate
* is compared with the SKI parameter.
*
* @param skiBytes The SKI info bytes
* @return alias name of the certificate that matches serialNumber and
issuer name
* or null if no such certificate was found.
* @throws org.apache.ws.security.WSSecurityException
* if problems during keystore handling or wrong certificate
(no SKI data)
*/
public String getAliasForX509Cert(byte[] skiBytes) throws
WSSecurityException {
String alias = null;
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext,
"(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs =
searchReult.getAttributes();
javax.naming.directory.Attribute attrCert
= attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN =
attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new
ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate)
certFact.generateCertificate(binaryIS);
byte[] data = getSKIBytesFromCert(cert);
if (data.length != skiBytes.length) {
continue;
}
if (Arrays.equals(data, skiBytes)) {
alias = cn;
return alias;
}
}
}
}
} catch (Exception e) {
}
return null;
}
/**
* Lookup a X509 Certificate in the keystore according to a given
* Thumbprint.
* <p/>
* The search gets all alias names of the keystore, then reads the
certificate chain
* or certificate for each alias. Then the thumbprint for each user
certificate
* is compared with the thumbprint parameter.
*
* @param thumb The SHA1 thumbprint info bytes
* @return alias name of the certificate that matches the thumbprint
* or null if no such certificate was found.
* @throws org.apache.ws.security.WSSecurityException
* if problems during keystore handling or wrong certificate
*/
public String getAliasForX509CertThumb(byte[] thumb) throws
WSSecurityException {
String alias = null;
MessageDigest sha = null;
try {
sha = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException e1) {
throw new WSSecurityException(0, "noSHA1availabe");
}
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
try {
NamingEnumeration results = ldapCtx.search(searchContext,
"(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs =
searchReult.getAttributes();
javax.naming.directory.Attribute attrCert
= attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN =
attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new
ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate)
certFact.generateCertificate(binaryIS);
sha.reset();
try {
sha.update(cert.getEncoded());
} catch (CertificateEncodingException e1) {
throw new
WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
"encodeError");
}
byte[] data = sha.digest();
if (Arrays.equals(data, thumb)) {
alias = cn;
return alias;
}
}
}
}
} catch (Exception e) {
}
return null;
}
/**
* Lookup X509 Certificates in the keystore according to a given DN of
the subject of the certificate
* <p/>
* The search gets all alias names of the keystore and gets the
certificate (chain)
* for each alias. Then the DN of the certificate is compared with the
parameters.
*
* @param subjectDN The DN of subject to look for in the keystore
* @return Vector with all alias of certificates with the same DN as
given in the parameters
* @throws org.apache.ws.security.WSSecurityException
*
*/
public String[] getAliasesForDN(String subjectDN) throws
WSSecurityException {
ArrayList aliases = new ArrayList();
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
Vector subjectRDN = splitAndTrim(subjectDN);
try {
NamingEnumeration results = ldapCtx.search(searchContext,
"(objectclass=pkiUser)", constraints);
while (results != null && results.hasMore()) {
SearchResult searchReult = (SearchResult) results.next();
javax.naming.directory.Attributes attrs =
searchReult.getAttributes();
javax.naming.directory.Attribute attrCert
= attrs.get("userCertificate;binary");
javax.naming.directory.Attribute attrCN =
attrs.get("cn");
String cn = attrCN.get().toString();
if (attrCert != null) {
Object binary = attrCert.get();
byte[] buffer = (byte[]) binary;
CertificateFactory certFact = getCertificateFactory();
ByteArrayInputStream binaryIS = new
ByteArrayInputStream(buffer);
while (binaryIS.available() > 0) {
X509Certificate cert;
cert = (X509Certificate)
certFact.generateCertificate(binaryIS);
Vector foundRDN =
splitAndTrim(cert.getSubjectDN().getName());
if (subjectRDN.equals(foundRDN)) {
aliases.add(cn);
}
}
}
}
} catch (Exception e) {
}
if (aliases.size() != 0) {
String[] result = new String[aliases.size()];
for (int i = 0; i < aliases.size(); i++) {
result[i] = (String) aliases.get(i);
}
return result;
}
return null;
}
public static void main(String[] args) {
Properties props = new Properties();
String s;
Certificate cet[];
try {
File prop = new File("LDAPCrypto.properties");
FileInputStream in = new FileInputStream(prop);
props.load(in);
in.close();
} catch (Exception e) {
}
try {
LDAPCrypto lCrypto1 = new LDAPCrypto(props);
try {
X509Certificate[] cert =
lCrypto1.getCertificates("Lakmal");
String[] d =
lCrypto1.getAliasesForDN("[EMAIL PROTECTED], CN=lakmal, OU=kd,
O=LK, L=LAKM, ST=Eastern, C=SL");
System.out.println(d[1]);
for (int i = 0; i < cert.length; i++) {
System.out.println("Subject DN: " +
cert[i].getSubjectDN());
System.out.println("Alias For cert: " +
lCrypto1.getAliasForX509Cert(cert[i]));
System.out.println("Alias For ski: " +
lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
}
} catch (Exception f) {
f.printStackTrace();
}
} catch (NamingException n) {
n.printStackTrace();
}
}
private Vector splitAndTrim(String inString) {
X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
Vector vr = new Vector();
while (nmTokens.hasMoreTokens()) {
vr.add(nmTokens.nextToken());
}
java.util.Collections.sort(vr);
return vr;
}
/**
* Reads the Subject...
[Message clipped]
--
www.ruchith.org
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
