Milinda,
Please send a patch (attach it to JIRA) with these changes.
Thanks,
Ruchith
On 7/19/06, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
Hi Milinda,
I couldn't find any usages of the getKeystore() method in WSS4J.
Therefore IMHO, you can safely throw an UnsupportedOperationException
there.
getDefaultX509Alias() is used to find the certificate to verify the
signature when we cannot find the signature certificate from the
incoming request. Therefore you can use the same approach that Merlin
used to get this value, where you can load it from the .properties
file.
I'm not sure about the solution for getPrivateKey(), but can we get the
rest of it completed so we can try to use this with WSS4J to simply
verify incoming signed messages.
Thanks,
Ruchith
On 7/19/06, Milinda Lakmal <[EMAIL PROTECTED]> wrote:
>
>
> Hi,
> I implemented some of the methods in crypto interface.
> But I have problems with these methods. Can you please reply if you have
> any suggestions for these problems.
>
> public PrivateKey getPrivateKey(String alias, String password) throws
> Exception;
>
> public String getDefaultX509Alias();
> What is the default alias when considering the LDAP Certificate Store?
>
> public KeyStore getKeyStore();
> This method really confuses me with regard to the LDAP cert store. When we
> use an LDAP cert store this method can't be used.
>
> Here is my current implementations:
> package org.apache.ws.security.components;
>
> /**
> * Created by IntelliJ IDEA.
> * User: milinda
> * Date: Jul 18, 2006
> * Time: 7:35:47 PM
> * To change this template use File | Settings | File Templates.
> */
>
> import org.apache.ws.security.WSSecurityException;
>
> import javax.naming.directory.*;
> import javax.naming.NamingException;
> import javax.naming.Context;
> import javax.naming.NamingEnumeration;
> import java.security.cert.*;
> import java.security.NoSuchAlgorithmException;
> import java.security.MessageDigest;
> import java.security.PublicKey;
> import java.security.interfaces.RSAPublicKey;
> import java.util.*;
> import java.io.ByteArrayInputStream;
> import java.io.File;
> import java.io.FileInputStream;
>
> public class LDAPCrypto {
> /** Shared X.509 factory, created lazily by getCertificateFactory(). */
> protected static CertificateFactory certFact;
> /** Directory connection opened by the constructor; static, so the most recently constructed instance wins. */
> protected static DirContext ldapCtx;
> /** Base DN under which every search starts (property ...ldapcrypto.searchcontext). */
> protected static String searchContext;
> /** Configuration this instance was built from; stays null when constructed with null. */
> protected Properties properties;
> /** Scratch list filled by getCAS(); it is an instance field, so results accumulate across calls. */
> protected ArrayList caCertList;
> /** OID of the SubjectKeyIdentifier certificate extension. */
> static String SKI_OID = "2.5.29.14";
>
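/**
 * Creates a crypto instance backed by an LDAP directory.
 *
 * <p>Connection settings are read from {@code properties}:
 * {@code org.apache.ws.security.crypto.ldapcrypto.searchcontext} (base DN for all
 * searches), {@code ...initial} (JNDI initial context factory), {@code ...ldapurl}
 * (provider URL), {@code ...securityauthentication} ({@code none} or {@code simple},
 * case-insensitive) and, for simple authentication, {@code ...securityprincipal} and
 * {@code ...securitycredintial} (the key is spelled that way in existing configuration
 * files, so it is kept).
 *
 * <p>Passing {@code null} yields an instance without a directory connection, usable
 * only for the certificate conversion helpers.
 *
 * @param properties connection settings, or null
 * @throws NamingException if a required property is missing, the authentication type
 *         is not {@code none}/{@code simple}, or the directory cannot be contacted
 */
public LDAPCrypto(Properties properties) throws NamingException {
    // Always provide a list so getCAS() works however the instance was built.
    caCertList = new ArrayList();
    if (properties == null) {
        return;
    }
    this.properties = properties;

    searchContext = requiredProperty("org.apache.ws.security.crypto.ldapcrypto.searchcontext");

    Hashtable ldapEnv = new Hashtable(11);
    ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
            requiredProperty("org.apache.ws.security.crypto.ldapcrypto.initial"));
    ldapEnv.put(Context.PROVIDER_URL,
            requiredProperty("org.apache.ws.security.crypto.ldapcrypto.ldapurl"));

    // Read the authentication type once so a missing value is reported, not dereferenced.
    String authType =
            requiredProperty("org.apache.ws.security.crypto.ldapcrypto.securityauthentication");
    // Locale-independent folding: the default locale can map 'I' unexpectedly.
    String normalized = authType.toLowerCase(Locale.ENGLISH);
    if (normalized.equals("none")) {
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, authType);
    } else if (normalized.equals("simple")) {
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, authType);
        ldapEnv.put(Context.SECURITY_PRINCIPAL,
                requiredProperty("org.apache.ws.security.crypto.ldapcrypto.securityprincipal"));
        // The bind password lives in this table; never print or log ldapEnv / ldapCtx.
        ldapEnv.put(Context.SECURITY_CREDENTIALS,
                requiredProperty("org.apache.ws.security.crypto.ldapcrypto.securitycredintial"));
    } else {
        throw new NamingException("unsupported security authentication type: " + authType);
    }
    ldapCtx = new InitialDirContext(ldapEnv);
}

/**
 * Reads a mandatory setting from {@link #properties}.
 *
 * @param key property name
 * @return the value, never null
 * @throws NamingException naming the absent key (never its value)
 */
private String requiredProperty(String key) throws NamingException {
    String value = this.properties.getProperty(key);
    if (value == null) {
        throw new NamingException("missing property " + key);
    }
    return value;
}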
>
/**
 * Returns the lazily created, class-wide X.509 {@link CertificateFactory}.
 *
 * @return factory for building X.509 certificates from DER bytes
 * @throws WSSecurityException if the JCA providers offer no X.509 factory
 */
public synchronized CertificateFactory getCertificateFactory() throws WSSecurityException {
    if (certFact != null) {
        return certFact;
    }
    try {
        certFact = CertificateFactory.getInstance("X.509");
    } catch (CertificateException e) {
        throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                "unsupportedCertType");
    }
    return certFact;
}
>
/**
 * Returns the value of the first RDN in {@code DN}, e.g. {@code a@b.org} for
 * {@code "EMAILADDRESS=a@b.org, CN=x"}. Despite the name, nothing checks that the
 * first RDN is an e-mail attribute, and the value is returned untrimmed.
 *
 * @param DN a comma-separated distinguished name
 * @return the text after the first '=' of the first RDN
 * @throws NoSuchElementException if the DN is empty or its first RDN has no value part
 */
public String getEmailFromDN(String DN) {
    String firstRdn = new StringTokenizer(DN, ",").nextToken();
    StringTokenizer typeAndValue = new StringTokenizer(firstRdn, "=");
    typeAndValue.nextToken(); // attribute type, not needed
    return typeAndValue.nextToken();
}
>
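/**
 * Collects the CA chain starting at the CA whose subject DN string equals
 * {@code caAlias}, following issuer DNs through the directory until a self-signed
 * certificate is reached. Each hop searches the {@code pkiCA} entries below
 * {@link #searchContext} and decodes {@code cACertificate;binary}.
 *
 * <p>Directory or decoding errors end the walk early and the chain collected so far
 * is returned, so a non-empty result is not by itself a complete, trusted path;
 * path validation remains the caller's job. Looped or cross-signed hierarchies are
 * cut off when a subject DN repeats.
 *
 * @param caAlias subject DN (as {@code Principal.toString()} renders it) of the first CA
 * @return the chain from {@code caAlias} towards its root; possibly incomplete, never null
 */
public ArrayList getCAS(String caAlias) {
    ArrayList chain = new ArrayList();
    if (caAlias == null || ldapCtx == null) {
        caCertList = chain;
        return chain;
    }
    // Subject DNs already visited; the old recursive walk had no such guard.
    HashSet visited = new HashSet();
    String wanted = caAlias;
    try {
        while (wanted != null && visited.add(wanted)) {
            X509Certificate ca = findCaCertificate(wanted);
            if (ca == null) {
                break;
            }
            chain.add(ca);
            String subject = ca.getSubjectDN().toString();
            String issuer = ca.getIssuerDN().toString();
            // Self-signed: the root has been reached.
            wanted = subject.equals(issuer) ? null : issuer;
        }
    } catch (NamingException e) {
        // best effort: keep what was collected (see class comment above)
    } catch (CertificateException e) {
        // an undecodable CA entry ends the walk at the last good certificate
    } catch (WSSecurityException e) {
        // no certificate factory: nothing further can be decoded
    }
    caCertList = chain;
    return chain;
}

/**
 * Searches the {@code pkiCA} entries for a certificate whose subject DN string equals
 * {@code subjectDN}. Entries without {@code cACertificate;binary} are skipped.
 *
 * @param subjectDN subject DN string to match
 * @return the first matching certificate, or null if none
 * @throws NamingException on directory errors
 * @throws CertificateException if a stored certificate cannot be decoded
 * @throws WSSecurityException if no X.509 factory is available
 */
private X509Certificate findCaCertificate(String subjectDN)
        throws NamingException, CertificateException, WSSecurityException {
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    NamingEnumeration results =
            ldapCtx.search(searchContext, "(objectclass=pkiCA)", constraints);
    while (results != null && results.hasMore()) {
        SearchResult entry = (SearchResult) results.next();
        Attribute attr = entry.getAttributes().get("cACertificate;binary");
        if (attr == null) {
            continue;
        }
        ByteArrayInputStream der = new ByteArrayInputStream((byte[]) attr.get());
        CertificateFactory factory = getCertificateFactory();
        while (der.available() > 0) {
            X509Certificate cert = (X509Certificate) factory.generateCertificate(der);
            if (subjectDN.equals(cert.getSubjectDN().toString())) {
                return cert;
            }
        }
    }
    return null;
}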
>
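/**
 * Returns the certificate(s) stored under the directory entry with common name
 * {@code alias}, each immediately followed by its issuer chain as far as the
 * directory supplies it (see {@link #getCAS(String)}).
 *
 * <p>The alias is handed to JNDI as a filter argument ({@code (cn={0})}) instead of
 * being concatenated into the filter text, so filter metacharacters in a
 * caller-supplied alias cannot alter the query.
 *
 * @param alias common name of the user entry
 * @return certificates in chain order, or null when no entry holds a certificate
 * @throws WSSecurityException if the directory cannot be searched or a stored
 *         certificate cannot be decoded
 */
public X509Certificate[] getCertificates(String alias) throws WSSecurityException {
    if (alias == null || ldapCtx == null) {
        return null;
    }
    ArrayList certList = new ArrayList();
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    try {
        NamingEnumeration results = ldapCtx.search(searchContext, "(cn={0})",
                new Object[] { alias }, constraints);
        while (results != null && results.hasMore()) {
            SearchResult entry = (SearchResult) results.next();
            Attribute attr = entry.getAttributes().get("userCertificate;binary");
            if (attr == null) {
                continue;
            }
            ByteArrayInputStream der = new ByteArrayInputStream((byte[]) attr.get());
            CertificateFactory factory = getCertificateFactory();
            while (der.available() > 0) {
                X509Certificate cert = (X509Certificate) factory.generateCertificate(der);
                certList.add(cert);
                // Each certificate's chain follows it directly; previously only the
                // chain of the last certificate found was kept.
                ArrayList chain = getCAS(cert.getIssuerDN().toString());
                if (chain != null) {
                    certList.addAll(chain);
                }
            }
        }
    } catch (NamingException e) {
        throw new WSSecurityException("LDAP search for alias " + alias + " failed", e);
    } catch (CertificateException e) {
        throw new WSSecurityException("cannot decode certificate stored for alias " + alias, e);
    }
    if (certList.isEmpty()) {
        return null;
    }
    return (X509Certificate[]) certList.toArray(new X509Certificate[certList.size()]);
}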
>
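/**
 * Finds the directory alias (the entry's {@code cn}) whose stored certificate equals
 * {@code cert}. Every {@code pkiUser} entry below {@link #searchContext} is scanned;
 * entries lacking {@code cn} or {@code userCertificate;binary} are skipped rather
 * than aborting the whole search.
 *
 * @param cert the certificate to look up
 * @return the cn of the first entry holding an equal certificate, or null if none
 * @throws WSSecurityException if the directory cannot be searched or a stored
 *         certificate cannot be decoded
 */
public String getAliasForX509Cert(Certificate cert) throws WSSecurityException {
    if (cert == null || ldapCtx == null) {
        return null;
    }
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    try {
        NamingEnumeration results =
                ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
        while (results != null && results.hasMore()) {
            SearchResult entry = (SearchResult) results.next();
            Attributes attrs = entry.getAttributes();
            Attribute attrCert = attrs.get("userCertificate;binary");
            Attribute attrCN = attrs.get("cn");
            if (attrCert == null || attrCN == null) {
                continue;
            }
            ByteArrayInputStream der = new ByteArrayInputStream((byte[]) attrCert.get());
            CertificateFactory factory = getCertificateFactory();
            while (der.available() > 0) {
                X509Certificate stored = (X509Certificate) factory.generateCertificate(der);
                // Certificate.equals compares the DER encodings.
                if (stored.equals(cert)) {
                    return attrCN.get().toString();
                }
            }
        }
    } catch (NamingException e) {
        throw new WSSecurityException("LDAP search for certificate alias failed", e);
    } catch (CertificateException e) {
        throw new WSSecurityException("cannot decode a stored certificate", e);
    }
    return null;
}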
>
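/**
 * Finds the directory alias ({@code cn}) of the {@code pkiUser} entry whose stored
 * certificate carries the given SubjectKeyIdentifier, as computed by
 * {@code getSKIBytesFromCert}. Entries lacking {@code cn} or
 * {@code userCertificate;binary} are skipped rather than aborting the search.
 *
 * @param skiBytes the SubjectKeyIdentifier bytes to match
 * @return the cn of the first entry with a matching certificate, or null if none
 * @throws WSSecurityException if the directory cannot be searched, a stored
 *         certificate cannot be decoded, or its SKI cannot be read
 */
public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException {
    if (skiBytes == null || ldapCtx == null) {
        return null;
    }
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    try {
        NamingEnumeration results =
                ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
        while (results != null && results.hasMore()) {
            SearchResult entry = (SearchResult) results.next();
            Attributes attrs = entry.getAttributes();
            Attribute attrCert = attrs.get("userCertificate;binary");
            Attribute attrCN = attrs.get("cn");
            if (attrCert == null || attrCN == null) {
                continue;
            }
            ByteArrayInputStream der = new ByteArrayInputStream((byte[]) attrCert.get());
            CertificateFactory factory = getCertificateFactory();
            while (der.available() > 0) {
                X509Certificate stored = (X509Certificate) factory.generateCertificate(der);
                // Arrays.equals already covers a length mismatch or a null SKI.
                if (Arrays.equals(getSKIBytesFromCert(stored), skiBytes)) {
                    return attrCN.get().toString();
                }
            }
        }
    } catch (NamingException e) {
        throw new WSSecurityException("LDAP search by SubjectKeyIdentifier failed", e);
    } catch (CertificateException e) {
        throw new WSSecurityException("cannot decode a stored certificate", e);
    }
    return null;
}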
>
>
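/**
 * Finds the directory alias ({@code cn}) of the {@code pkiUser} entry whose stored
 * certificate has the given SHA-1 thumbprint (digest of the DER encoding, as used by
 * WS-Security thumbprint references). Entries lacking {@code cn} or
 * {@code userCertificate;binary} are skipped rather than aborting the search.
 *
 * @param thumb the SHA-1 thumbprint to match
 * @return the cn of the first entry with a matching certificate, or null if none
 * @throws WSSecurityException if SHA-1 is unavailable, the directory cannot be
 *         searched, or a stored certificate cannot be decoded or re-encoded
 */
public String getAliasForX509CertThumb(byte[] thumb) throws WSSecurityException {
    MessageDigest sha;
    try {
        sha = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException e1) {
        throw new WSSecurityException(0, "noSHA1availabe");
    }
    if (thumb == null || ldapCtx == null) {
        return null;
    }
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    try {
        NamingEnumeration results =
                ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
        while (results != null && results.hasMore()) {
            SearchResult entry = (SearchResult) results.next();
            Attributes attrs = entry.getAttributes();
            Attribute attrCert = attrs.get("userCertificate;binary");
            Attribute attrCN = attrs.get("cn");
            if (attrCert == null || attrCN == null) {
                continue;
            }
            ByteArrayInputStream der = new ByteArrayInputStream((byte[]) attrCert.get());
            CertificateFactory factory = getCertificateFactory();
            while (der.available() > 0) {
                X509Certificate stored = (X509Certificate) factory.generateCertificate(der);
                byte[] data;
                try {
                    // digest(byte[]) resets the instance afterwards, so no explicit reset.
                    data = sha.digest(stored.getEncoded());
                } catch (CertificateEncodingException e1) {
                    throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                            "encodeError");
                }
                if (Arrays.equals(data, thumb)) {
                    return attrCN.get().toString();
                }
            }
        }
    } catch (NamingException e) {
        throw new WSSecurityException("LDAP search by thumbprint failed", e);
    } catch (CertificateException e) {
        throw new WSSecurityException("cannot decode a stored certificate", e);
    }
    return null;
}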
>
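/**
 * Returns the aliases ({@code cn}) of all {@code pkiUser} entries whose stored
 * certificate has the given subject DN. Both DNs are split into RDN strings by
 * {@code splitAndTrim} and compared as sorted lists, so RDN order does not matter;
 * the comparison is textual, so differently encoded but equivalent DNs may not match.
 * Entries lacking {@code cn} or {@code userCertificate;binary} are skipped rather
 * than aborting the search.
 *
 * @param subjectDN subject DN to look for
 * @return the matching aliases, or null if there are none (callers rely on null)
 * @throws WSSecurityException if the directory cannot be searched or a stored
 *         certificate cannot be decoded
 */
public String[] getAliasesForDN(String subjectDN) throws WSSecurityException {
    if (subjectDN == null || ldapCtx == null) {
        return null;
    }
    Vector wantedRDN = splitAndTrim(subjectDN);
    ArrayList aliases = new ArrayList();
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    try {
        NamingEnumeration results =
                ldapCtx.search(searchContext, "(objectclass=pkiUser)", constraints);
        while (results != null && results.hasMore()) {
            SearchResult entry = (SearchResult) results.next();
            Attributes attrs = entry.getAttributes();
            Attribute attrCert = attrs.get("userCertificate;binary");
            Attribute attrCN = attrs.get("cn");
            if (attrCert == null || attrCN == null) {
                continue;
            }
            ByteArrayInputStream der = new ByteArrayInputStream((byte[]) attrCert.get());
            CertificateFactory factory = getCertificateFactory();
            while (der.available() > 0) {
                X509Certificate stored = (X509Certificate) factory.generateCertificate(der);
                Vector foundRDN = splitAndTrim(stored.getSubjectDN().getName());
                if (wantedRDN.equals(foundRDN)) {
                    aliases.add(attrCN.get().toString());
                }
            }
        }
    } catch (NamingException e) {
        throw new WSSecurityException("LDAP search by subject DN failed", e);
    } catch (CertificateException e) {
        throw new WSSecurityException("cannot decode a stored certificate", e);
    }
    if (aliases.isEmpty()) {
        return null;
    }
    return (String[]) aliases.toArray(new String[aliases.size()]);
}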
>
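/**
 * Manual smoke test: loads {@code LDAPCrypto.properties} from the working directory,
 * fetches the certificates stored under cn {@code Lakmal} and prints their subjects
 * plus the aliases found by certificate and by SubjectKeyIdentifier. Not part of the
 * API; a missing properties file is reported instead of silently ignored.
 *
 * @param args ignored
 */
public static void main(String[] args) {
    Properties props = new Properties();
    FileInputStream in = null;
    try {
        in = new FileInputStream(new File("LDAPCrypto.properties"));
        props.load(in);
    } catch (java.io.IOException e) {
        System.err.println("cannot read LDAPCrypto.properties: " + e.getMessage());
        return;
    } finally {
        // Close on every path, not only after a successful load.
        if (in != null) {
            try {
                in.close();
            } catch (java.io.IOException ignored) {
                // nothing useful to do once the properties are loaded
            }
        }
    }
    try {
        LDAPCrypto lCrypto1 = new LDAPCrypto(props);
        X509Certificate[] cert = lCrypto1.getCertificates("Lakmal");
        // DN literal rejoined across the mail wrap; spacing after "OU=kd," is reconstructed.
        String[] d = lCrypto1.getAliasesForDN(
                "[EMAIL PROTECTED], CN=lakmal, OU=kd, O=LK, L=LAKM, ST=Eastern, C=SL");
        if (d == null) {
            System.out.println("no alias found for the subject DN");
        } else {
            for (int i = 0; i < d.length; i++) {
                System.out.println("Alias for DN: " + d[i]);
            }
        }
        if (cert == null) {
            System.out.println("no certificate found for alias Lakmal");
            return;
        }
        for (int i = 0; i < cert.length; i++) {
            System.out.println("Subject DN: " + cert[i].getSubjectDN());
            System.out.println("Alias For cert: " + lCrypto1.getAliasForX509Cert(cert[i]));
            System.out.println("Alias For ski: "
                    + lCrypto1.getAliasForX509Cert(lCrypto1.getSKIBytesFromCert(cert[i])));
        }
    } catch (NamingException n) {
        n.printStackTrace();
    } catch (Exception f) {
        f.printStackTrace();
    }
}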
>
/**
 * Splits a distinguished name into its component strings using
 * {@code X509NameTokenizer} and returns them sorted, so two DNs with the same
 * components in different order compare equal via {@code Vector.equals}.
 *
 * @param inString the DN to split
 * @return the sorted component strings
 */
private Vector splitAndTrim(String inString) {
    Vector parts = new Vector();
    for (X509NameTokenizer tokens = new X509NameTokenizer(inString); tokens.hasMoreTokens();) {
        parts.add(tokens.nextToken());
    }
    Collections.sort(parts);
    return parts;
}
>
> /**
> * Reads the Subject...
>
> [Message clipped]
--
www.ruchith.org
--
www.ruchith.org
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]