Patrick wrote:
>> How is it that you'd expect to get a certificate for / related to a symmetric key?
>> What would you expect such a certificate to look like?
>> What would you expect a signature using only a symmetric key would look like?

Those are good questions. I was expecting a certificate b/c the code was expecting a certificate and I didn't know any better. If no certs are found, this CryptoBase#getCertificates(alias) method returns a null which triggers an exception downstream. So I learned that "if symmetric algorithm --> then certificates are not relevant/used."

That leads me back to the original problem of how do you sign something when using symmetric keys. I just checked and the xml sig spec allows for this. When signing with a symmetric key, the sig is called a message authentication code/mac.

The wss4j test referenced below looks like it is configured to do all this. Is there a doc somewhere that tells how to run the tests? I'd like to verify whether this is a currently supported test and is working correctly? Then, I'll have to figure out why this axis-based 'mac' example works and my cxf-based mac example is stuck looking for non-existent certificates.

So, some help launching the tests would be nice.

--Erik

________________________________
From: Patrick J Kobly [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2008 3:31 PM
To: Ostermueller, Erik
Cc: [email protected]
Subject: Re: Need help figuring out CryptoBase#getCertificates(alias)

How is it that you'd expect to get a certificate for / related to a symmetric key? What would you expect such a certificate to look like? What would you expect a signature using only a symmetric key would look like?

The discussion related to the embedded key stuff relates (predictably) only to encryption and not to signature (as would be expected of any symmetric scheme), yet you seem to be trying to do signature stuff... What is it you are trying to accomplish here?

PK

Ostermueller, Erik wrote:

Whoops! Previous file is bad.
Try this one: http://www.mediafire.com/?d3hx342xtxm
The new file name is symmetric-encryption3.zip

________________________________
From: Ostermueller, Erik [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2008 2:21 PM
To: [email protected]
Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)

ok, I've re-worked my example (download the little zip file here: http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j symmetric encryption example referenced in this thread:
http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results

To get this example running, just configure the stuff in bin/setenv.cmd and run "ant client". No need to run the server -- it fails before it gets there with the message:

Unexpected number of X509Data: for Signature

So the error hasn't changed, but it is tough to tell whether I've got this configured correctly. At the top of the method CryptoBase.getCertificates(alias), the methods isKeyEntry(), containsAlias(), getKey() and the enum aliases on CryptoBase.keystore all seem to contain the right alias/key data.

As far as I can see, the issue is that the methods mentioned above on the CryptoBase.keystore instance return good-looking data but the method getCertificateChain(alias) -- on the exact same instance -- returns null.

Thanks,
--Erik

--
Patrick Kobly, CISSP
T: 403-274-9033 C: 403-463-6141 F: 866-786-9459
56 388 Sandarac Dr NW Calgary, Alberta T3K 4E3
http://www.kobly.com
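
Added example, not part of the original thread and not WSS4J or CXF code: a stand-alone Java program showing why a keystore alias that holds only a symmetric key answers isKeyEntry(), containsAlias() and getKey() normally but returns null from getCertificateChain(), and how that same key yields a MAC instead of a certificate-backed signature. The alias, password and sample bytes are constructed, and HMAC-SHA1 is an assumed algorithm choice; a real XML signature computes the MAC over the canonicalized SignedInfo element.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class SymmetricKeystoreDemo {
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();  // constructed sample password
        String alias = "sharedkey";            // hypothetical alias

        // JCEKS is a JDK keystore type that can hold secret (symmetric) keys.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);                     // start from an empty in-memory store
        SecretKey key = KeyGenerator.getInstance("HmacSHA1").generateKey();
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(pw));

        // The lookups that "return good-looking data" for a secret-key entry.
        System.out.println("containsAlias = " + ks.containsAlias(alias));
        System.out.println("isKeyEntry    = " + ks.isKeyEntry(alias));
        Key loaded = ks.getKey(alias, pw);
        System.out.println("getKey        = " + loaded.getAlgorithm());

        // A secret-key entry has no certificate chain, so this is null by design.
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("getCertificateChain = "
                + (chain == null ? "null" : chain.length + " cert(s)"));

        // "Signing" with the symmetric key means computing a MAC over the data.
        byte[] signedInfo = "<SignedInfo>constructed sample</SignedInfo>"
                .getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(loaded);
        byte[] tag = mac.doFinal(signedInfo);

        // The receiver recomputes the MAC with the shared key and compares
        // in constant time; no certificate is involved on either side.
        Mac check = Mac.getInstance("HmacSHA1");
        check.init(key);
        boolean valid = MessageDigest.isEqual(tag, check.doFinal(signedInfo));
        System.out.println("MAC length = " + tag.length + " bytes, valid = " + valid);
    }
}
```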
