Solved

Signing a XML request

Posted on 2011-03-15
2
550 Views
Last Modified: 2012-05-11
Hi, I want to sign a XMl request using Axis WSS4J framework, and I had a question related to this. Before that, here is what I have got:

A JKS keystore:
*******************
Keystore type: jks
Keystore provider: SUN

Alias name: business
Creation date: 7/03/2011
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Test Test, OU=Test, O=Test, L=Test, ST=Test, C=IN
Issuer: CN=Test Test, OU=Test, O=Test, L=Test, ST=Test, C=IN
Serial number: 4d74a0ac
Valid from: Mon Mar 07 20:09:00 EST 2011 until: Sun Jun 05 19:09:00 EST 2011
Certificate fingerprints:
         MD5:  09:55:E3:C2:A8:60:D6:4E:E2:56:6A:07:0D:57:4A:66
         SHA1: 30:9B:7C:CC:E2:D0:89:1A:43:34:E8:33:C7:8D:AD:FA:A6:CB:81:30
**************

a WSDD file with following entries (along with others)
**************
<requestFlow >
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="action" value="Signature"/>
    <parameter name="signatureKeyIdentifier" value="DirectReference"/>
    <parameter name="user" value="business"/>
    <parameter name="SIG_PROP_FILE" value="crypto.properties"/>  
     </handler>
   </requestFlow >
*****************

crypto.properties
*********************

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=mykeystore
org.apache.ws.security.crypto.merlin.keystore.alias=business
org.apache.ws.security.crypto.merlin.file=<dir-name>/mykeystore
**********************

My keystore contains both the public key (embedded in the certificate) and the private key which is not visible (but it is there since I used -genkey option that creates the pair. I also verified by extracting the private key through java code).

My first question is whether <parameter name="user" value="business"/> property in the WSDD file enable handler to pick the private key for signing? I am asking because both the public and the private key are there and they are being referenced by the single alias i.e. "business". So, how would handler know which key to use to sign the XML request.

any help please?

Thanks a lot.
Leo

0
Comment
Question by:LeoKris
2 Comments
 
LVL 92

Accepted Solution

by:
objects earned 500 total points
Comment Utility
> So, how would handler know which key to use to sign the XML request.

private keys are used for signing, not public keys
0
 

Author Closing Comment

by:LeoKris
Comment Utility
Thanks objects.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
Viewers will learn about if statements in Java and their use The if statement: The condition required to create an if statement: Variations of if statements: An example using if statements:
Viewers will learn how to properly install Eclipse with the necessary JDK, and will take a look at an introductory Java program. Download Eclipse installation zip file: Extract files from zip file: Download and install JDK 8: Open Eclipse and …

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now