cxf-users mailing list archives

From jaybytez <jayby...@yahoo.com>
Subject KeyName within a Digital Signature - Configurable?
Date Mon, 01 Aug 2011 20:40:59 GMT
I am currently working with CXF/WSS4J to try and produce a digital signature.

I believe I have all the correct options in place with the following code:

*Spring Context*

    <bean id="wss4jOutInterceptor"
          class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature"/>
                <entry key="user" value="username"/>
                <entry key="signatureUser" value="username"/>
                <entry key="signatureKeyIdentifier" value="X509KeyIdentifier"/>
                <entry key="signatureParts"
                       value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="signaturePropFile" value="signature-wss4j.properties"/>
                <entry key="passwordCallbackRef">
                    <bean class="com.foo.PasswordCallbackHandler">
                        <property name="password" value="password"/>
                    </bean>
                </entry>
            </map>
        </constructor-arg>
    </bean>
	  
*signature-wss4j.properties*


    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=password
    org.apache.ws.security.crypto.merlin.keystore.alias=username
    org.apache.ws.security.crypto.merlin.file=keystore.jks


When I submit my request using the previous interceptor configuration which
is configured via the org.apache.cxf.jaxws.JaxWsProxyFactoryBean, the SOA
product we are submitting to fails to auth the signature (and says "Failed
to gather credentials").

The product's documentation states the following:

/
From the SOA Security Manager manual: 
*Required XML Document Elements for XML-DSIG Authentication* 
For the XML-DSIG authentication scheme to work, the XML document sent by the
web service consumer must contain the following elements: 
*<Signature>* 
As the parent element for the XML signature, it specifies all information
relevant to the digital signature.  To verify the signature, SOA Security
Manager requires that an X.509 certificate be part of the <Signature>
element in the XML document. Because the Policy Server does not interact
with a Certificate Authority for this scheme, you must configure a
certificate mapping that maps the Issuer DN in the certificate to a
corresponding entry in the referenced user store. For LDAP user directories
only, you can configure the certificate mapping to require that a copy of
the certificate is in the user store to be compared against the certificate
in the document. 
*<KeyInfo>* 
This element specifies the key needed to validate the signature. This
information may include keys, names, and certificates for the sender. For
the Policy Server to authenticate a client, this element must have enough
information to determine the public key that created the signature. 
*<KeyName>* 
This is a child element of <KeyInfo>; it contains a string value that
identifies the key to the recipient of the XML document. This string could
be a key index, a distinguished name (DN), or an email address, for
example./

So the thought is that I am missing KeyName in the signature that is getting
generated, but I haven't found any properties that would let me set that
value in the KeyInfo.  Are there properties that would give me control of
this?

I have read through the CXF documentation, Spring Web Services (for WSS4J
examples), WSS4J, and FuseSource Security docs...but I can't seem to find
what I am looking for.

Thanks for the time and help,

Jay Blanton

--
View this message in context: http://cxf.547215.n5.nabble.com/KeyName-within-a-Digital-Signature-Configurable-tp4656619p4656619.html
Sent from the cxf-user mailing list archive at Nabble.com.
