ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Using Bouncy Castle instead of Merlin in WSS4J 1.6.13
Date Fri, 14 Mar 2014 16:21:50 GMT

<entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256" />

That is not a valid value for "signatureAlgorithm" as it is a digest
algorithm.

Colm.


On Fri, Mar 14, 2014 at 4:18 PM, Giriraj Bhojak <giriraj2k@gmail.com> wrote:

> I tried this through a junit after changing the algorithm. And here is
> what I got:
>
> SEVERE: java.security.NoSuchAlgorithmException: unsupported algorithm
> Mar 14, 2014 12:14:22 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> WARNING: Interceptor for ....... has thrown exception, unwinding now
> Throwable occurred: org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:280)
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:141)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
>
> Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
>     at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:122)
>     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:265)
>
>
> Here is the signature entry defined in the 'out' interceptor:
> <entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256" />
>
> I am not sure how to check for unlimited security policies. But since we
> would be running this on WebSphere, I don't think I have the liberty to
> have the unlimited security policies.
>
>
> Thanks,
> Giriraj.
>
>
> On Fri, Mar 14, 2014 at 5:51 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
>>
>> Yes, Merlin supports SHA-256. Do you have the unlimited security policies
>> installed in the JDK?
>>
>> Colm.
>>
>>
>>
>> On Fri, Mar 14, 2014 at 3:08 AM, Giriraj Bhojak <giriraj2k@gmail.com> wrote:
>>
>>> Hello Colm,
>>>
>>> I created the keystore using standard java keytool command. I am not
>>> sure how to create a BKS keystore.
>>> When I tried using sha256 signature algorithm (by configuring
>>> signatureAlgorithm in the interceptor via CXF) with Merlin, I ran into
>>> algorithm not supported exception. sha1 signature algorithm worked properly.
>>> Doesn't Merlin support sha256 signature algorithm?
>>> Do I need to use bouncy castle in this case?
>>> Could you please help me out with it?
>>>
>>> Thanks,
>>> Giriraj.
>>> On Feb 24, 2014 5:37 AM, "Colm O hEigeartaigh" <coheigea@apache.org>
>>> wrote:
>>>
>>>>
>>>> With BouncyCastle, the Keystore type must be "BKS", so:
>>>>
>>>> org.apache.ws.security.crypto.merlin.keystore.type=BKS
>>>>
>>>> Note that the keystore itself must be compatible with BouncyCastle JKS
>>>> implementation.
>>>>
>>>> Colm.
>>>>
>>>>
>>>> On Fri, Feb 21, 2014 at 10:44 PM, Giriraj Bhojak <giriraj2k@gmail.com> wrote:
>>>>
>>>>> Hello Colm,
>>>>>
>>>>> I didn't have any success using above properties.
>>>>> I got following:
>>>>>     ... 2 more
>>>>> Caused by: org.apache.ws.security.components.crypto.CredentialException: Failed to load credentials.
>>>>>     at org.apache.ws.security.components.crypto.Merlin.load(Merlin.java:376)
>>>>>     at org.apache.ws.security.components.crypto.Merlin.loadProperties(Merlin.java:190)
>>>>>     at org.apache.ws.security.components.crypto.Merlin.<init>(Merlin.java:140)
>>>>>     at org.apache.ws.security.components.crypto.CryptoFactory.getInstance(CryptoFactory.java:117)
>>>>>     ... 17 more
>>>>> Caused by: java.security.KeyStoreException: KeyStore jks implementation not found
>>>>>     at java.security.KeyStore.getInstance(KeyStore.java:122)
>>>>>     at org.apache.ws.security.components.crypto.Merlin.load(Merlin.java:362)
>>>>>     ... 20 more
>>>>> Caused by: java.security.KeyStoreException: KeyStore jks implementation not found
>>>>>     at java.security.KeyStore.getInstance(KeyStore.java:150)
>>>>>     at java.security.KeyStore.getInstance(KeyStore.java:120)
>>>>>     ... 21 more
>>>>>
>>>>> It was working with Merlin earlier. Here is my properties file:
>>>>> org.apache.ws.security.crypto.merlin.keystore.file=sample.jks
>>>>> org.apache.ws.security.crypto.merlin.keystore.password=password
>>>>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>>>>> org.apache.ws.security.crypto.merlin.keystore.alias=alias1
>>>>> org.apache.ws.security.crypto.merlin.keystore.provider=BC
>>>>> org.apache.ws.security.crypto.merlin.cert.provider=BC
>>>>>
>>>>> I have bcprov-jdk12-130.jar on the classpath.
>>>>>
>>>>> Could you please help me find out what I am doing wrong here?
>>>>>
>>>>> Thanks,
>>>>> Giriraj.
>>>>>
>>>>>
>>>>> On Tue, Feb 18, 2014 at 8:39 AM, Colm O hEigeartaigh <
>>>>> coheigea@apache.org> wrote:
>>>>>
>>>>>> You can use BouncyCastle with the Merlin Crypto implementation.
>>>>>> Simply add the property:
>>>>>>
>>>>>> org.apache.ws.security.crypto.merlin.keystore.provider=BC
>>>>>> org.apache.ws.security.crypto.merlin.cert.provider=BC
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 18, 2014 at 1:27 PM, Giriraj Bhojak <giriraj2k@gmail.com> wrote:
>>>>>>
>>>>>>> We have a specific requirement to use Bouncy Castle in the project.
>>>>>>> Does this mean we can't use Bouncy Castle at all in the latest
>>>>>>> version of wss4j?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Giriraj.
>>>>>>> On Feb 18, 2014 4:51 AM, "Colm O hEigeartaigh" <coheigea@apache.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> From what I recall, there was essentially little difference between
>>>>>>>> the Merlin and BouncyCastle Crypto implementations, hence the latter
>>>>>>>> was removed in WSS4J 1.6.x. Why do you need to use the BouncyCastle
>>>>>>>> implementation, i.e. what is the Merlin implementation not doing for
>>>>>>>> you?
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Feb 17, 2014 at 7:56 PM, Giriraj Bhojak <
>>>>>>>> giriraj2k@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I need to use Bouncy Castle provider with WSS4J 1.6.13.
>>>>>>>>> Merlin is used by default since 1.6.x.
>>>>>>>>> Could anyone explain why this was done?
>>>>>>>>> I mean was there something with Bouncy Castle that prompted this
>>>>>>>>> change?
>>>>>>>>>
>>>>>>>>> And is following set of keys the right way to use Bouncy Castle
>>>>>>>>> with WSS4J (found this from
>>>>>>>>> https://community.oracle.com/thread/1529571?tstart=1872)?
>>>>>>>>>
>>>>>>>>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.BouncyCastle
>>>>>>>>> org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
>>>>>>>>> org.apache.ws.security.crypto.merlin.keystore.password=password
>>>>>>>>> org.apache.ws.security.crypto.merlin.keystore.alias=alias
>>>>>>>>> org.apache.ws.security.crypto.merlin.alias.password=password
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Giriraj.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Colm O hEigeartaigh
>>>>>>>>
>>>>>>>> Talend Community Coder
>>>>>>>> http://coders.talend.com
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Colm O hEigeartaigh
>>>>>>
>>>>>> Talend Community Coder
>>>>>> http://coders.talend.com
>>>>>>
>>>>>>
>>>>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
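
The distinction made in the reply above, as an added example (not code from the thread or from WSS4J): a pre-flight check that rejects a digest URI supplied under `signatureAlgorithm` and accepts the corrected pairing, in which the digest URI goes under the WSS4J handler key `signatureDigestAlgorithm`. The class name `SigAlgoCheck` and the URI tables (a subset, RSA keys assumed) belong to this example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.Map;

// Added example: checks WSS4J signature settings before they reach the out interceptor.
public class SigAlgoCheck {
    // XML Signature algorithm URIs -> JCA Signature names (subset, RSA only)
    static final Map<String, String> SIGNATURE = Map.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA256withRSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "SHA512withRSA");
    // Digest algorithm URIs -> JCA MessageDigest names (subset)
    static final Map<String, String> DIGEST = Map.of(
        "http://www.w3.org/2000/09/xmldsig#sha1", "SHA-1",
        "http://www.w3.org/2001/04/xmlenc#sha256", "SHA-256",
        "http://www.w3.org/2001/04/xmlenc#sha512", "SHA-512");

    /** Returns null when the entry is usable, otherwise a description of the problem.
     *  Any key other than "signatureAlgorithm" is treated as a digest setting. */
    static String check(String key, String uri) {
        boolean wantSig = key.equals("signatureAlgorithm");
        Map<String, String> expected = wantSig ? SIGNATURE : DIGEST;
        Map<String, String> other = wantSig ? DIGEST : SIGNATURE;
        String jca = expected.get(uri);
        if (jca == null) {
            return other.containsKey(uri)
                ? key + ": " + uri + " is a " + (wantSig ? "digest" : "signature") + " algorithm URI"
                : key + ": " + uri + " is not in this example's table";
        }
        try { // confirm an installed JCA provider implements the algorithm
            if (wantSig) Signature.getInstance(jca); else MessageDigest.getInstance(jca);
            return null;
        } catch (NoSuchAlgorithmException e) {
            return key + ": no installed provider offers " + jca;
        }
    }

    public static void main(String[] args) {
        String sha256 = "http://www.w3.org/2001/04/xmlenc#sha256";
        String rsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        // The entry from the thread: a digest URI under signatureAlgorithm
        System.out.println(check("signatureAlgorithm", sha256));
        // Corrected pair: signature URI for the signature, digest URI for the digest
        System.out.println(check("signatureAlgorithm", rsaSha256));
        System.out.println(check("signatureDigestAlgorithm", sha256));
    }
}
```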
