Send X509Certificate with request


Send X509Certificate with request

Michael Szalay-2

Hi all

I have a question using Apache CXF as a client for a web service.
I would like to send a certificate within the request for mutual authentication.

How can I programmatically add a certificate to the request?
I looked for a method like TLSClientParameters.addCertificate but
I have not found something like that.

Regards

Michael


Re: Send X509Certificate with request

Glen Mazza
Administrator
http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the ?

HTH,
Glen


AW: Send X509Certificate with request

Michael Szalay-2
In reply to this post by Michael Szalay-2

Thanks for the link. But the document describes the signing of the request, not adding a certificate to the http request for
mutual authentication, right?

Regards

Michael


Re: AW: Send X509Certificate with request

tbee
AFAIK you do not add a certificate to the request, the request only is
signed. Certificates are added to the keystores on each side, so the
signature can be created / verified.

Tom




Re: AW: Send X509Certificate with request

Glen Mazza
Administrator
In reply to this post by Michael Szalay-2
I'm unsure whether or not it automatically adds the certificate as a part of the signing/encrypting (perhaps not).

Glen


Re: AW: Send X509Certificate with request

Daniel Kulp
Administrator
In reply to this post by tbee
On Wed May 20 2009 9:32:34 am Tom wrote:
> AFAIK you do not add a certificate to the request, the request only is
> signed. Certificates are added to the keystores on each side, so the
> signature can be created / verified.

Not ALWAYS true. If the WS-SecurityPolicy specifies a KeyValueToken as a
token type, then the Security engine would output an RSAKeyValue key in the
security header which WOULD be the full key. That key can then be used to
sign the message, encrypt, etc.... Not really "secure", but useful for an
endorsing mechanism.

On the receiving side, you WOULD need to write a callback handler to validate
the key.   By default, WSS4J will reject the key as it won't know whether to
trust it or not.

Dan

--
Daniel Kulp
[hidden email]
http://www.dankulp.com/blog

Re: AW: Send X509Certificate with request

Mayank Mishra-3
Hi Michael,

I remember one way to send the public key certificate with your request from
client to server. There is a "DirectReference" KeyIdentifier for Signature
operation (make "signatureKeyIdentifier" property to "DirectReference").

If we use this your certificate is included as a BinarySecurityToken (BST)
in the message and a direct reference to this BST is used. But at the
receiving side (say on server) you have to manually tweak the code of WSS4J
to extract out the certificate yourself.

With Regards,
Mayank

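The "certificate inside the message" approach Mayank describes, written out as a complete CXF client setup. This is an added example, not code from Mayank or from the CXF/WSS4J projects; it assumes the WSS4J 1.5-era API (org.apache.ws.security.*) that CXF shipped with at the time of this thread, a JAX-WS proxy object named port, and a keystore alias "clientkey", key password "changeit" and properties file name client_sign.properties, all of which are constructed values:

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Signs outgoing SOAP requests and embeds the signing X.509 certificate in the
 * WS-Security header as a BinarySecurityToken referenced directly from the
 * Signature's KeyInfo ("DirectReference").
 */
public class DirectReferenceSigningClient {

    /** Supplies the private-key password WSS4J asks for at signing time. */
    public static class KeyPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Only answer for the alias we intend to sign with; any other
                // identifier is left unanswered so the signature attempt fails.
                if ("clientkey".equals(pc.getIdentifier())) {   // constructed alias
                    pc.setPassword("changeit");                  // constructed password
                }
            }
        }
    }

    /** Attach the WSS4J out-interceptor to a JAX-WS proxy from a generated stub. */
    public static void enableSignedRequests(Object port) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, "clientkey");              // constructed alias
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeyPasswordCallback.class.getName());
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties"); // constructed name
        // The point of the thread: carry the certificate inside the message as a
        // BinarySecurityToken instead of only a key identifier or issuer/serial.
        props.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        // State explicitly what is covered by the signature rather than relying on defaults.
        props.put(WSHandlerConstants.SIGNATURE_PARTS,
                  "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body");

        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
    }
}
```

client_sign.properties is the usual WSS4J Merlin crypto file (org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin plus the org.apache.ws.security.crypto.merlin.keystore.type, org.apache.ws.security.crypto.merlin.keystore.password and org.apache.ws.security.crypto.merlin.file keys pointing at the client keystore). On the receiving side the BST is just bytes the sender chose to include: Dan's and Mayank's caveat stands, and the service must still chain-validate the embedded certificate against its own truststore (WSS4J's Merlin does this against the signature-verification keystore) before treating the signature as an authentication of anyone. The certificate travels in the SOAP envelope, which is a different layer from the TLS client certificate discussed later in this thread.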

RE: AW: Send X509Certificate with request

Eamonn Dwyer
Hi Michael
I'm just getting back to your original question: does the authentication have to be done "above" the transport, or could you just let the TLS mutual authentication mechanism do the work for you?
For example, just setting the following on the endpoint's tlsServerParameter configuration would force the client to present a certificate to the service for authentication:
<cxfsec:clientAuthentication want="true" required="true"/>

Regards,
Eamonn


AW: AW: Send X509Certificate with request

Michael Szalay-2
In reply to this post by Michael Szalay-2
Hi

Yes, that's what I was looking for. It's just the TLS authentication...

Is there a programmatic way to set that property you mentioned to a client to send a specific certificate?

Regards Michael



Re: AW: AW: Send X509Certificate with request

Mary Thompson
Hi Eamonn,
   In TLS mutual authentication the client does not send a certificate.
If the server has been configured for clientAuthentication, the server
sends a challenge message to the client requesting that it reply with a
signed version of the challenge. The client looks to see what user it is
running as. This is probably in some configuration file completely
separate from any of the WS-security stuff which is all about signing
the soap messages.

I haven't tried to use cxf https yet, but you should be looking for a
username that indexes to a keyEntry in some keystore or else just a
pkcs12 file (or a keystore with just one keyentry) for the client.

I just found this link which seems relevant
http://osdir.com/ml/java.jetty.support/2003-01/msg00243.html. Apparently
in the Java implementations the server sends a list of acceptable certs
or cert issuers, which the client tries to match.  There is a
setKeyStore method in
org.mortbay.jetty.security.SslSocketConnector
you could use to select a keystore with just one keyentry, which might
do what you want.

Hope this helps a bit. There tends to be a lot of confusion about users,
keys and certificates especially if you are using both TLS and WS-Security.

Mary


RE: AW: AW: Send X509Certificate with request

Eamonn Dwyer
Hi Mary
Thanks for that. However my understanding of TLS mutual authentication is that the client does send a certificate. I had a look at the TLS spec (http://www.ietf.org/rfc/rfc2246.txt) and quoted it below. I think it agrees with me -
 
"Following the hello messages, the server will send its certificate,
   if it is to be authenticated. Additionally, a server key exchange
   message may be sent, if it is required (e.g. if their server has no
   certificate, or if its certificate is for signing only). If the
   server is authenticated, it may request a certificate from the
   client, if that is appropriate to the cipher suite selected. Now the
   server will send the server hello done message, indicating that the
   hello-message phase of the handshake is complete. The server will
   then wait for a client response. If the server has sent a certificate
   request message, the client must send the certificate message. The
   client key exchange message is now sent, and the content of that
   message will depend on the public key algorithm selected between the
   client hello and the server hello. If the client has sent a
   certificate with signing ability, a digitally-signed certificate
   verify message is sent to explicitly verify the certificate."


Kind Regards,
Eamonn




RE: AW: Send X509Certificate with request

Eamonn Dwyer
In reply to this post by Michael Szalay-2
Hi Michael,
(I guess this depends on the outcome of the thread started by Mary about whether TLS sends a client certificate or not, but if I'm correct and it does the following should be relevant).
Off the top of my head I can't think of any way to set it programmatically (I'll have a look now to see if I can see any way) but, in the meantime, is there a chance your use case allows you to simply configure the client certificate in spring config? For example

<http:conduit
        name="{http://me.com/greeter}TestPort.http-conduit"
        >
        <http:tlsClientParameters>
            <cxfsec:keyManagers keyPassword="password">
                <cxfsec:keyStore type="jks" resource="keys/claire.jks" password="password"/>
            </cxfsec:keyManagers>
            <cxfsec:trustManagers>
                <cxfsec:certStore resource="keys/trent-cert.pem"/>
            </cxfsec:trustManagers>
        </http:tlsClientParameters>

    </http:conduit>

In the above example your client would automatically send the certificate in Claire.jks to the server when the server is configured to require it. In particular it will send it to the TestPort. You can configure your client to send different certificates to different endpoints within the server.

Hope this helps
Eamonn

-----Original Message-----
From: Michael Szalay [mailto:[hidden email]]
Sent: 26 May 2009 10:48
To: [hidden email]
Subject: AW: AW: Send X509Certificate with request

Hi

yes, thats that I was looking for. Its just the tls authentication...

Is there a programmatic way to set that property you mentioned to a client to send a specific certificate?

Regards Michael


-----Ursprüngliche Nachricht-----
Von: Eamonn Dwyer [mailto:[hidden email]]
Gesendet: Dienstag, 26. Mai 2009 11:42
An: [hidden email]
Betreff: RE: AW: Send X509Certificate with request


Hi Michael
I'm just getting back to your original question, - does the authentication have to be done "above" the transport or could you just let the TLS mutual authentication mechanism do the work for you?
For example just setting the following on endpoint's tlsServerParameter configuration would force the client to present a certificate to the service for authentication
<cxfsec:clientAuthentication want="true" required="true"/>

Regards,
Eamonn

-----Original Message-----
From: Mayank Mishra [mailto:[hidden email]]
Sent: 25 May 2009 12:51
To: [hidden email]
Subject: Re: AW: Send X509Certificate with request

Hi Michael,

I remember one way to send the public key certificate with your request from
client to server. There is a "DirectReference" KeyIdentifier for Signature
operation (make "signatureKeyIdentifier" property to "DirectReference").

If we use this your certificate is included as a BinarySecurityToken (BST)
in the message and a direct reference to this BST is used. But at the
receiving side (say on server) you have to manually tweak the code of WSS4J
to extract out the certificate yourself.

With Regards,
Mayank

On Wed, May 20, 2009 at 8:58 PM, Daniel Kulp <[hidden email]> wrote:

> On Wed May 20 2009 9:32:34 am Tom wrote:
> > AFAIK you do not add a certificate to the request, the request only is
> > signed. Certificates are added to the keystores on each side, so the
> > signature can be created / verified.
>
> Not ALWAYS true.   If the WS-SecurityPolicy specifies an KeyValueToken as a
> token type, then the Security engine would output an RSAKeyValue key in the
> security header which WOULD be the full key.      That key can then be used
> to
> sign the message, encrypt, etc....   Not really "secure", but useful for an
> endorsing mechanism.
>
> On the receiving side, you WOULD need to write a callback handler to
> validate
> the key.   By default, WSS4J will reject the key as it won't know whether
> to
> trust it or not.
>
> Dan
>
> >
> > Tom
> >
> > Michael Szalay wrote:
> > > Thanks for the link. But the document describes the signing of the
> > > request, not adding a certificate to the http request for mutual
> > > authentication, right?
> > >
> > > Regards
> > >
> > > Michael
> > >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Glen Mazza [mailto:[hidden email]]
> > > Gesendet: Mittwoch, 20. Mai 2009 15:19
> > > An: [hidden email]
> > > Betreff: Re: Send X509Certificate with request
> > >
> > >
> > >
> > > http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the?
> > >
> > > HTH,
> > > Glen
> > >
> > > mszalay wrote:
> > >> Hi all
> > >>
> > >> I have a question using Apache CXF as a client for a web service.
> > >> I would like to send a certificate within the request for mutual
> > >> authentication.
> > >>
> > >> How can I programmatically add a certificate to the request?
> > >> I looked for a method like TLSClientParameters.addCertificate but
> > >> I have not found something like that.
> > >>
> > >> Regards
> > >>
> > >> Michael
>
> --
> Daniel Kulp
> [hidden email]
> http://www.dankulp.com/blog
>
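An added example (not code from Mayank's post or from the CXF project) of applying the "signatureKeyIdentifier" setting above to a CXF client through a WSS4JOutInterceptor; the keystore alias, the crypto properties file name and the password callback class are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

public final class DirectReferenceSigning {

    /** WSS4J properties: sign the message and carry the signing certificate in the header. */
    public static Map<String, Object> signatureProperties(String keyAlias) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put("action", "Signature");
        // DirectReference: the X.509 certificate is embedded as a BinarySecurityToken
        // and the Signature's KeyInfo references that token directly.
        props.put("signatureKeyIdentifier", "DirectReference");
        // Alias of the private key / certificate entry in the signing keystore (placeholder).
        props.put("user", keyAlias);
        // Crypto (Merlin) configuration pointing at the keystore (placeholder file name).
        props.put("signaturePropFile", "client_sign.properties");
        // Supplies the private-key password to WSS4J (placeholder class name).
        props.put("passwordCallbackClass", "com.example.ClientPasswordCallback");
        return props;
    }

    /** Register the interceptor on the JAX-WS proxy so every outgoing request is signed. */
    public static void attach(Object port, String keyAlias) {
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(signatureProperties(keyAlias)));
    }
}
```

The embedded token only identifies the signer; the receiving side still has to verify the certificate chain against its own truststore before accepting the signature.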


RE: AW: Send X509Certificate with request

Eamonn Dwyer
Hi again
A quick check of the code and docs yielded the following that "may" work but I haven't checked it myself...

You can look at how to get access to your HTTPConduit object from
http://cwiki.apache.org/confluence/display/CXF20DOC/Client+HTTP+Transport+(including+SSL+support)
then you can call

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;

TLSClientParameters tlsCP = httpConduit.getTlsClientParameters();
if (tlsCP == null) {
    // No TLS configuration applied yet: create one and attach it to the conduit
    tlsCP = new TLSClientParameters();
    httpConduit.setTlsClientParameters(tlsCP);
}

KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
tlsCP.setKeyManagers(myKeyManagers);

...
KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword)
        throws GeneralSecurityException, IOException {
    // For tests, we just use the default algorithm
    String alg = KeyManagerFactory.getDefaultAlgorithm();

    // The key password unlocks the private key entries in the keystore
    char[] keyPass = keyPassword != null
                 ? keyPassword.toCharArray()
                 : null;

    // For tests, we just use the default provider.
    KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);

    fac.init(keyStore, keyPass);

    return fac.getKeyManagers();
}

Hope this helps
Eamonn

-----Original Message-----
From: Eamonn Dwyer [mailto:[hidden email]]
Sent: 27 May 2009 10:22
To: [hidden email]
Subject: RE: AW: Send X509Certificate with request

Hi Michael,
(I guess this depends on the outcome of the thread started by Mary about whether TLS sends a client certificate or not, but if I'm correct and it does the following should be relevant).
Off the top of my head I can't think of any way to set it programmatically (I'll have a look now to see if I can see any way) but, in the meantime, is there a chance your use case allows you to simply configure the client certificate in spring config? For example

<http:conduit name="{http://me.com/greeter}TestPort.http-conduit">
    <http:tlsClientParameters>
        <cxfsec:keyManagers keyPassword="password">
            <cxfsec:keyStore type="jks" resource="keys/claire.jks" password="password"/>
        </cxfsec:keyManagers>
        <cxfsec:trustManagers>
            <cxfsec:certStore resource="keys/trent-cert.pem"/>
        </cxfsec:trustManagers>
    </http:tlsClientParameters>
</http:conduit>

In the above example your client would automatically send the certificate in Claire.jks to the server when the server is configured to require it. In particular it will send it to the TestPort. You can configure your client to send different certificates to different endpoints within the server.

Hope this helps
Eamonn

-----Original Message-----
From: Michael Szalay [mailto:[hidden email]]
Sent: 26 May 2009 10:48
To: [hidden email]
Subject: AW: AW: Send X509Certificate with request

Hi

Yes, that's what I was looking for. It's just the TLS authentication...

Is there a programmatic way to set that property you mentioned to a client to send a specific certificate?

Regards Michael


-----Ursprüngliche Nachricht-----
Von: Eamonn Dwyer [mailto:[hidden email]]
Gesendet: Dienstag, 26. Mai 2009 11:42
An: [hidden email]
Betreff: RE: AW: Send X509Certificate with request


Hi Michael
I'm just getting back to your original question: does the authentication have to be done "above" the transport or could you just let the TLS mutual authentication mechanism do the work for you?
For example, just setting the following on the endpoint's tlsServerParameters configuration would force the client to present a certificate to the service for authentication:
<cxfsec:clientAuthentication want="true" required="true"/>

Regards,
Eamonn

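A complete version of the programmatic setup sketched in this post, added here as an example (not Eamonn's code or the CXF project's): it obtains the HTTPConduit from a JAX-WS proxy and installs both key and trust managers. The proxy `port`, the JKS file paths and the alias are assumptions, and setCertAlias is assumed to be available in the CXF version in use.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class ClientCertSetup {
    /** Configure the proxy's HTTP conduit to present a client certificate over TLS. */
    public static void enableMutualTls(Object port, String keyStorePath, char[] keyStorePass,
                                       String trustStorePath, char[] trustStorePass,
                                       String certAlias) throws Exception {
        Client client = ClientProxy.getClient(port);            // unwrap the JAX-WS proxy
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tlsParams = conduit.getTlsClientParameters();
        if (tlsParams == null) {                                // nothing configured yet
            tlsParams = new TLSClientParameters();
        }
        // Key managers: the private key and certificate chain the client presents.
        KeyStore keyStore = loadKeyStore(keyStorePath, keyStorePass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePass);
        tlsParams.setKeyManagers(kmf.getKeyManagers());
        // Trust managers: which server certificates this client will accept.
        KeyStore trustStore = loadKeyStore(trustStorePath, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        // Pick one entry when the keystore holds several client certificates (assumed API).
        if (certAlias != null) {
            tlsParams.setCertAlias(certAlias);
        }
        conduit.setTlsClientParameters(tlsParams);
    }

    /** Load a JKS keystore from disk (placeholder paths are supplied by the caller). */
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
}
```

Call enableMutualTls(port, "client.jks", pass, "truststore.jks", pass, "claire") before the first invocation on the proxy; the certificate is then sent only when the server's tlsServerParameters ask for client authentication.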


AW: AW: Send X509Certificate with request

Michael Szalay-2
In reply to this post by Michael Szalay-2

Thanks, this is what I was looking for.

Regards Michael
