Erik,

the WSS4J library and the associated Axis-1 and Axis-2 drivers implement
(most) of the OASIS Web Service Security specifications
which in turn re-use the XML signature and XML encryption specs published
by W3C. Thus to fully understand the principles behind WSS4J you should
refer to the OASIS specs. These specs define so called profiles that
define when and how to use certificates (or not) and their interaction
with encryption, encrypted keys, passwords and so on. 

Using Web Service Security needs careful planning of the required steps
and the required security (as you pointed out in your e-mail). On top of
that it is IMHO necessary to understand the basic principles of the
OASIS specifications to see what is possible and what's not possible.

The WSS4J source tree contains documentation and programs that implement
the interoperability tests. These tests use various forms of encryption,
signature, etc. Maybe these programs and docs can support your activities.

Regards,
Werner
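The point raised in the quoted thread below, that a signature made with a symmetric key is a MAC carried in the XML Signature's SignatureValue and that a keystore entry for such a key has no certificate chain, as an added example written for this page (it is not WSS4J code and not part of anyone's message). It uses the JDK's javax.xml.crypto.dsig API with a constructed key and a constructed payload, and HMAC-SHA256 instead of the hmac-sha1 the thread mentions because recent JDKs reject SHA-1 signatures by default.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class HmacXmlSignatureDemo {
    public static void main(String[] args) throws Exception {
        // Constructed 256-bit secret (hypothetical); in WSS4J it would come from the keystore.
        byte[] raw = new byte[32];
        for (int i = 0; i < raw.length; i++) raw[i] = (byte) (i * 7 + 3);
        SecretKeySpec hmacKey = new SecretKeySpec(raw, "HmacSHA256");
        // A SecretKeyEntry has no certificate chain: getKey() succeeds, getCertificateChain()
        // is null, which is what CryptoBase#getCertificates(alias) turns into a null result.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setEntry("symkey", new KeyStore.SecretKeyEntry(hmacKey),
                new KeyStore.PasswordProtection("changeit".toCharArray()));
        System.out.println("isKeyEntry=" + ks.isKeyEntry("symkey")
                + " chain=" + ks.getCertificateChain("symkey"));   // chain=null
        // Constructed payload; the parser must be namespace-aware for XML Signature.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
                "<Order><Item>42</Item></Order>".getBytes("UTF-8")));
        // Enveloped signature whose SignatureMethod is an HMAC (a MAC), not RSA/DSA.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED,
                        (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                        (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.HMAC_SHA256, null),
                Collections.singletonList(ref));
        // KeyInfo carries only a KeyName: there is no X509Data for a symmetric key.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName("symkey")));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(hmacKey, doc.getDocumentElement()));
        // Verification needs the same secret: a MAC proves key possession, not identity.
        DOMValidateContext vc = new DOMValidateContext(hmacKey,
                doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
        System.out.println("valid=" + fac.unmarshalXMLSignature(vc).validate(vc));
    }
}
```

Because both sides hold the same secret, the receiver cannot use a MAC to prove to a third party who signed, which is why the certificate-based profiles in the OASIS specs are needed for non-repudiation.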

> -----Original Message-----
> From: ext Ostermueller, Erik [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, 25 June 2008 21:12
> To: Patrick J Kobly
> Cc: [email protected]
> Subject: RE: Need help figuring out CryptoBase#getCertificates(alias)
> 
> Patrick wrote:
> >> How is it that you'd expect to get a certificate for / related to a
> symmetric key?  
> >> What would you expect such a certificate to look like?  
> >> What would you expect a signature using only a symmetric key would
> look like? 
> 
> Those are good questions.  I was expecting a certificate b/c the code
> was expecting a certificate and I didn't know any better.
> If no certs are found, this CryptoBase#getCertificates(alias) method
> returns a null which triggers an exception downstream.
> So I learned that "if symmetric algorithm --> then certificates are not
> relevant/used."
> 
> That leads me back to the original problem of how do you sign
> something when using symmetric keys.
> I just checked and the xml sig spec allows for this.  When signing with
> a symmetric key, the sig is called a message authentication code/mac.
> The wss4j test referenced below looks like it is configured to do all this.
> 
> 
> Is there a doc somewhere that tells how to run the tests?  I'd like
> to verify whether this is a currently supported test and is working
> correctly?
> Then, I'll have to figure out why this axis-based 'mac' example works
> and my cxf-based mac example is stuck looking for non-existent
> certificates.
> 
> So, some help launching the tests would be nice.
> 
> --Erik
> 
> 
> 
> ________________________________
> 
> From: Patrick J Kobly [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, June 24, 2008 3:31 PM
> To: Ostermueller, Erik
> Cc: [email protected]
> Subject: Re: Need help figuring out CryptoBase#getCertificates(alias)
> 
> 
> How is it that you'd expect to get a certificate for / related to a
> symmetric key?  What would you expect such a certificate to look like?
> What would you expect a signature using only a symmetric key would look
> like?
> 
> The discussion related to the embedded key stuff relates (predictably)
> only to encryption and not to signature (as would be expected of any
> symmetric scheme), yet you seem to be trying to do signature stuff...
> 
> What is it you are trying to accomplish here?
> 
> PK
> 
> Ostermueller, Erik wrote: 
> 
>       Whoops!  Previous file is bad.  Try this one:
> http://www.mediafire.com/?d3hx342xtxm
>        
>       The new file name is symmetric-encryption3.zip
>       
> ________________________________
> 
>       From: Ostermueller, Erik [mailto:[EMAIL PROTECTED] 
>       Sent: Tuesday, June 24, 2008 2:21 PM
>       To: [email protected]
>       Subject: RE: Need help figuring out
> CryptoBase#getCertificates(alias)
>       
>       
>       ok,  I've re-worked my example ( download the little zip file
> here: http://www.mediafire.com/?mcdmogmnv4x ) following the wss4j
> symmetric encryption example referenced in this thread:
> http://markmail.org/message/swsdex5tinkfht42#query:wss4j%20symmetric+page:1+mid:wqeg3cluw4cn2fr3+state:results
>        
>       To get this example running, just configure the stuff in
> bin/setenv.cmd and run "ant client"
>       No need to run the server -- it fails before it gets there with
> the message:  Unexpected number of X509Data: for Signature
>       So the error hasn't changed, but it is tough to tell whether
> I've got this configured correctly.
>        
>       At the top of the method CryptoBase.getCertificates(alias), the
> methods isKeyEntry(), containsAlias(), getKey() and the enum aliases on
> CryptoBase.keystore all seem to contain the right alias/key data.  
>        
>       As far as I can see, the issue is that the methods mentioned
> above on the CryptoBase.keystore instance return good-looking data but
> the method getCertificateChain(alias) -- on the exact same instance --
> returns null. 
>        
>       Thanks,
>       --Erik
>        
>       
>       
> 
> 
> -- 
> 
> 
> Patrick Kobly, CISSP
> 
> T: 403-274-9033
> 
> C: 403-463-6141
> 
> F: 866-786-9459
> 
> 56 388 Sandarac Dr NW
> Calgary, Alberta
> T3K 4E3
> http://www.kobly.com
> 
> ______________
> 
> The information contained in this message is proprietary 
> and/or confidential. If you are not the 
> intended recipient, please: (i) delete the message and all 
> copies; (ii) do not disclose, 
> distribute or use the message in any manner; and (iii) notify 
> the sender immediately. In addition, 
> please be aware that any message addressed to our domain is 
> subject to archiving and review by 
> persons other than the intended recipient. Thank you.
> _____________
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
