7

I want to sign webservice requests using Apache CXF and WSS4J. As far as I know, I would need a JKS store containing the certificate I want to use for signing. There's the requirement to be able to use an X.509 certificate from the Windows certificate store. The certificate shall be read from the store at the time of signing the webservice request. I know how to access the store and get the certificate. But how can I use it for signing instead of the certificate from my own JKS store?

Donal Fellows
tobiasbayer
  • Certificates are not used for signing, keys are. Do you have access to a private key? In which case you can actually sign something. – Andrew White Dec 06 '10 at 01:01

3 Answers

1

Just found it's possible to achieve this using the MerlinDevice class. That's how it's done:

1) Configuring properties for WSS4JOutInterceptor:

// WSS4J 2.x / CXF 3.x package names, matching the org.apache.wss4j package named in client_sign.properties
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

Map<String,Object> outProps = new HashMap<String,Object>();
outProps.put(WSHandlerConstants.ACTION, "Signature");
// USER is the Windows-MY alias, which SunMSCAPI derives from the certificate's friendly name
outProps.put(WSHandlerConstants.USER, "Friendly_name_of_your_certificate");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, StupidCallback.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);

2) The client_sign.properties file looks like this:

org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.MerlinDevice
keystore.provider=SunMSCAPI
cert.provider=SunMSCAPI
keystore.type=Windows-MY
truststore.type=Windows-ROOT

3) And StupidCallback just returns a constant string as the password (its value doesn't really matter):

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class StupidCallback implements CallbackHandler
{
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        // SunMSCAPI keeps the key inside Windows, so there is no keystore password to check; WSS4J still asks.
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        pc.setPassword("password");
    }
}

That's all.

Cat Mucius
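The three steps above, combined into one client-side class, as an added example that is not part of the answer or of CXF/WSS4J itself. It assumes WSS4J 2.x / CXF 3.x package names, a Windows JDK that ships the SunMSCAPI provider, and an RSA key in the current user's Personal store; the class and method names (MscapiSigningClient, findSigningAlias, signingInterceptor, attach) are made up for this example. Instead of client_sign.properties it passes the same Merlin settings in memory through WSHandlerConstants.SIG_PROP_REF_ID, using the fully prefixed org.apache.wss4j.crypto.merlin.* property names. Before any request is signed it checks the point raised in the comments on the question: that the chosen Windows-MY entry actually has a private key behind it, that the certificate is valid and permits digitalSignature, and that Windows will sign with it at all. DirectReference and the SHA-256 algorithm URIs are this example's choices, so the signature does not fall back to WSS4J's default (historically RSA-SHA1).

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

/**
 * Added example (not from the answer): sign CXF requests with a key held in the
 * Windows "Personal" store (Windows-MY) via SunMSCAPI and WSS4J's MerlinDevice.
 * Assumes WSS4J 2.x / CXF 3.x packages and an RSA key; names are hypothetical.
 */
public class MscapiSigningClient {

    /**
     * Resolve the Windows-MY alias (SunMSCAPI uses the certificate's friendly name)
     * and prove it can sign: the store lists every certificate, but only an entry
     * with an attached private key is usable, and the key, not the cert, signs.
     */
    public static String findSigningAlias(String friendlyName) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);                        // no file, no password: CAPI/CNG holds the keys
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!alias.equals(friendlyName) || !ks.isKeyEntry(alias)) {
                continue;                           // certificate-only entries cannot sign
            }
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);   // MSCAPI ignores the password
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity();                   // throws if expired or not yet valid
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage != null && !keyUsage[0]) { // bit 0 = digitalSignature
                throw new IllegalStateException(alias + ": KeyUsage does not permit signing");
            }
            // Trial signature: a key with strong private key protection shows its
            // Windows prompt here, at start-up, not in the middle of the first call.
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(key);
            sig.update(new byte[] {0x00});
            sig.sign();
            return alias;
        }
        throw new IllegalStateException("no key entry named '" + friendlyName + "' in Windows-MY");
    }

    /** The client_sign.properties settings, built in memory with fully prefixed Merlin keys. */
    public static WSS4JOutInterceptor signingInterceptor(String alias) {
        Properties crypto = new Properties();
        crypto.setProperty("org.apache.wss4j.crypto.provider",
                "org.apache.wss4j.common.crypto.MerlinDevice");
        crypto.setProperty("org.apache.wss4j.crypto.merlin.keystore.provider", "SunMSCAPI");
        crypto.setProperty("org.apache.wss4j.crypto.merlin.cert.provider", "SunMSCAPI");
        crypto.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "Windows-MY");
        crypto.setProperty("org.apache.wss4j.crypto.merlin.truststore.type", "Windows-ROOT");

        // The callback must answer, but the value is irrelevant: Windows never hands
        // the key material to Java, so there is no keystore password to verify.
        CallbackHandler noPassword = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) cb).setPassword("unused");
                }
            }
        };

        Map<String, Object> outProps = new HashMap<>();
        outProps.put(WSHandlerConstants.ACTION, "Signature");
        outProps.put(WSHandlerConstants.USER, alias);
        outProps.put(WSHandlerConstants.PW_CALLBACK_REF, noPassword);
        outProps.put(WSHandlerConstants.SIG_PROP_REF_ID, "sigCryptoProps");
        outProps.put("sigCryptoProps", crypto);     // resolved through the reference id above
        outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); // cert goes into a BinarySecurityToken
        outProps.put(WSHandlerConstants.SIG_ALGO, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        outProps.put(WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256");
        return new WSS4JOutInterceptor(outProps);
    }

    /** Wire the interceptor onto a JAX-WS port obtained from a CXF-generated Service. */
    public static void attach(Object port, String friendlyName) throws Exception {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(signingInterceptor(findSigningAlias(friendlyName)));
    }
}
```

Call attach(port, "Friendly_name_of_your_certificate") once after creating the port. Because findSigningAlias signs a dummy byte before any request goes out, a missing key, an expired certificate or a certificate without the digitalSignature usage fails at start-up with a clear message instead of as a WSS4J fault on the first call. Note that Windows-MY is the Personal store of the account the JVM runs under, so a service running as a different user will not see the certificate you imported interactively.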
1

The KeyStore need not be a JKS one. You might write your own JCA Provider and implement KeyStoreSpi, and have it access the Windows certificate store.

adrianboimvaser
0

Look at this, which explains how to use the Windows keystore. Then you have to configure CXF to use that keystore.

lujop
  • How can I tell CXF to use that store? – tobiasbayer Dec 03 '10 at 10:43
  • There doesn't seem to be any good way to do it. There's a suggestion to use a Java-COM bridge here: http://objectmix.com/java/76948-accessing-certificates-windows-system-stores-java.html . This answer suggests that you'll be stuck in JNI hell: https://lists.owasp.org/pipermail/owasp-webscarab/2010-October/001123.html – rtperson Dec 27 '10 at 14:22
  • However, if they store the certs in Active Directory, then it'll be accessible through LDAP and JNDI. That's what I would recommend. Let me know if you'd like some sample code, and I'll post it as an answer. – rtperson Dec 27 '10 at 14:37