I want to sign web service requests using Apache CXF and WSS4J. As far as I know, I would need a JKS store containing the certificate I want to use for signing. There's the requirement to be able to use an X.509 certificate from the Windows certificate store. The certificate shall be read from the store at the time of signing the web service request. I know how to access the store and get the certificate. But how can I use it for signing instead of the certificate from my own JKS store?
Certificates are not used for signing, keys are. Do you have access to a private key? In which case you can actually sign something. – Andrew White Dec 06 '10 at 01:01
3 Answers
Just found it's possible to achieve this using the MerlinDevice class.
That's how it's done:
1) Configuring properties for WSS4JOutInterceptor:
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants; // WSS4J 2.x; 1.6 uses org.apache.ws.security.handler

Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION, "Signature");
// Alias looked up in the Windows store: SunMSCAPI exposes entries under the certificate's friendly name
outProps.put(WSHandlerConstants.USER, "Friendly_name_of_your_certificate");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, StupidCallback.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
2) The client_sign.properties file looks like this:
# MerlinDevice opens the store with a null stream, i.e. an OS-backed store with no file and no password
org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.MerlinDevice
# Merlin reads its own settings under the "...crypto.merlin." prefix (WSS4J 2.x also accepts org.apache.wss4j.crypto.*)
org.apache.ws.security.crypto.merlin.keystore.provider=SunMSCAPI
org.apache.ws.security.crypto.merlin.cert.provider=SunMSCAPI
org.apache.ws.security.crypto.merlin.keystore.type=Windows-MY
org.apache.ws.security.crypto.merlin.truststore.type=Windows-ROOT
3) And StupidCallback just returns a constant string as a password (its value doesn't really matter):
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback; // WSS4J 2.x; 1.6 uses org.apache.ws.security.WSPasswordCallback

public class StupidCallback implements CallbackHandler
{
    // SunMSCAPI ignores key passwords, so any non-null value satisfies WSS4J's private-key lookup.
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        for (Callback cb : callbacks) {
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            pc.setPassword("password");
        }
    }
}
That's all.

Cat Mucius
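Before wiring those properties into CXF, it is worth proving that the Windows store entry really carries a usable private key (the point raised in the comment on the question) and that its alias is the one WSS4J will look up. The pre-flight check below is an added example, not code from the answer, from CXF or from WSS4J. It assumes a Windows JDK that ships the SunMSCAPI provider, an RSA key pair whose friendly name is passed as the first argument (the default alias is a placeholder), and it opens the store with the same type and provider that client_sign.properties names.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Pre-flight check for the MerlinDevice/SunMSCAPI setup (added example, not code from the answer).
 * Opens Windows-MY the way MerlinDevice does, lists the aliases WSS4J will see, and proves that
 * the chosen alias has a private key that can actually produce a signature.
 * Assumptions: Windows, a JDK with the SunMSCAPI provider, an RSA key pair whose friendly name
 * is passed as args[0]; the default alias below is a placeholder.
 */
public class WindowsKeyCheck {

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "Friendly_name_of_your_certificate"; // placeholder

        // Same store type and provider as client_sign.properties. The OS owns the store,
        // so there is no file and no password: load(null, null) is the whole "open".
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        // SunMSCAPI exposes each certificate under its friendly name (subject CN when it has none).
        // A mismatch here is the usual reason WSS4J cannot find the signing user.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.printf("%-45s private key: %s%n", a, ks.isKeyEntry(a) ? "yes" : "no");
        }

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias
                    + "' has a certificate but no private key; a certificate alone cannot sign");
        }
        if (!signAndVerify(ks, alias)) {
            throw new IllegalStateException("test signature did not verify against the certificate");
        }
        System.out.println("alias '" + alias + "' is usable for WSS4J signing");
    }

    /** Signs a constructed test message with the store-held key and verifies it with the cert. */
    static boolean signAndVerify(KeyStore ks, String alias) throws Exception {
        // The password is ignored by SunMSCAPI; access is decided by the Windows key ACL / CNG.
        PrivateKey key = (PrivateKey) ks.getKey(alias, "ignored".toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        cert.checkValidity();                       // throws if expired or not yet valid
        boolean[] ku = cert.getKeyUsage();
        if (ku != null && !ku[0]) {                 // bit 0 = digitalSignature
            System.out.println("warning: KeyUsage does not include digitalSignature");
        }
        // SunMSCAPI keys report no encoding (getEncoded() is null): the signature is computed
        // inside CAPI/CNG and the private key bytes never enter the JVM.
        System.out.println("key material visible to Java: " + (key.getEncoded() != null));

        byte[] msg = "wss4j pre-flight".getBytes(StandardCharsets.UTF_8);   // constructed input

        // An MSCAPI key object only works with the SunMSCAPI Signature implementation.
        Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
        signer.initSign(key);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verification needs only the public key, so the default provider will do.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        return verifier.verify(sig);
    }
}
```

Run it on the machine that will host the client, as the same Windows account, with `java WindowsKeyCheck "<friendly name>"`. If the alias is listed with "private key: no", the certificate was imported without its key and no WSS4J configuration will make it sign; if the key is marked for strong protection, Windows may prompt at the OS level regardless of the password the callback returns.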
The KeyStore need not be a JKS one. You might write your own JCA Provider and implement KeyStoreSpi, and have it access the Windows certificate store.

adrianboimvaser
Look at this, which explains how to use the Windows keystore. Then you have to configure CXF to use that keystore.
There doesn't seem to be any good way to do it. There's a suggestion to use a Java-COM bridge here: http://objectmix.com/java/76948-accessing-certificates-windows-system-stores-java.html . This answer suggests that you'll be stuck in JNI hell: https://lists.owasp.org/pipermail/owasp-webscarab/2010-October/001123.html – rtperson Dec 27 '10 at 14:22
However, if they store the certs in Active Directory, then it'll be accessible through LDAP and JNDI. That's what I would recommend. Let me know if you'd like some sample code, and I'll post it as an answer. – rtperson Dec 27 '10 at 14:37