Generate X509Certificate for JAX WS 2.0
Hi,
I tried the sample from jwsdp-2.0/xws-security/samples/jaxws2.0/simple-doclit and the updated keystore files from https://xwss.dev.java.net/.
The sample works fine. But if I try my own certificates I get the exception "No X509Certificate was provided".
So I think my certificates are not correct.
I used the following script:
..
echo Client
keytool -genkey -alias %CLIENT_ALIAS% -keyalg RSA -dname %CLIENT_DNAME% -validity %DAYS_VALID% -keypass %CLIENT_PW% -keystore %CLIENT_KEYSTORE% -storepass %CLIENT_PW% -storetype JKS
keytool -export -alias %CLIENT_ALIAS% -keyalg RSA -file %CLIENT_CERTFILE% -keystore %CLIENT_KEYSTORE% -storepass %CLIENT_PW%
keytool -import -noprompt -alias %CLIENT_ALIAS% -file %CLIENT_CERTFILE% -keystore %SERVER_TRUSTSTORE% -storepass %SERVER_PW% -storetype JKS
del %CLIENT_CERTFILE%
echo Server
keytool -genkey -alias %SERVER_ALIAS% -keyalg RSA -dname %SERVER_DNAME% -validity %DAYS_VALID% -keypass %SERVER_PW% -keystore %SERVER_KEYSTORE% -storepass %SERVER_PW% -storetype JKS
keytool -export -alias %SERVER_ALIAS% -keyalg RSA -file %SERVER_CERTFILE% -keystore %SERVER_KEYSTORE% -storepass %SERVER_PW%
keytool -import -noprompt -alias %SERVER_ALIAS% -file %SERVER_CERTFILE% -keystore %CLIENT_TRUSTSTORE% -storepass %CLIENT_PW% -storetype JKS
del %SERVER_CERTFILE%
I discovered that I have only a V1 certificate while the Sun sample is V3 (keytool can't generate v3), but this should not be the problem?
How has Sun created the sample keystore files?
Any help would be very appreciated.
I found http://forums.java.net/jive/thread.jspa?threadID=16294&tstart=0 but this topic doesn't solve my problem. Additionally, I don't want to use WSIT. The code is OK, only my certificate is not suitable. How can I create valid keystore files?
Regards
Rocci
Full Exception:
05.07.2006 23:23:33 com.sun.xml.wss.impl.filter.SignatureFilter process
SCHWERWIEGEND: WSS1417: Error while processing signature No X509Certificate was provided
javax.xml.ws.WebServiceException: java.lang.RuntimeException: javax.xml.ws.WebServiceException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
at com.sun.xml.ws.protocol.soap.client.SOAPMessageDispatcher.doSend(SOAPMessageDispatcher.java:296)
at com.sun.xml.ws.protocol.soap.client.SOAPMessageDispatcher.send(SOAPMessageDispatcher.java:153)
at com.sun.xml.ws.encoding.soap.internal.DelegateBase.send(DelegateBase.java:85)
at com.sun.xml.ws.client.EndpointIFInvocationHandler.implementSEIMethod(EndpointIFInvocationHandler.java:176)
at com.sun.xml.ws.client.EndpointIFInvocationHandler.invoke(EndpointIFInvocationHandler.java:105)
at $Proxy22.ping(Unknown Source)
at simple.client.PingServiceClient.main(PingServiceClient.java:41)
Caused by: java.lang.RuntimeException: javax.xml.ws.WebServiceException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
at com.sun.xml.xwss.SystemHandlerDelegateImpl.processRequest(SystemHandlerDelegateImpl.java:255)
at com.sun.xml.ws.protocol.soap.client.SOAPMessageDispatcher.doSend(SOAPMessageDispatcher.java:255)
... 6 more
Caused by: javax.xml.ws.WebServiceException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
at com.sun.xml.xwss.SystemHandlerDelegateImpl.secureRequest(SystemHandlerDelegateImpl.java:474)
at com.sun.xml.xwss.SystemHandlerDelegateImpl.processRequest(SystemHandlerDelegateImpl.java:249)
... 7 more
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:221)
at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:64)
at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:218)
at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:143)
at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:118)
at com.sun.xml.xwss.SystemHandlerDelegateImpl.secureRequest(SystemHandlerDelegateImpl.java:467)
... 8 more
Caused by: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:152)
... 13 more
Caught Exception: java.lang.RuntimeException: javax.xml.ws.WebServiceException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: No X509Certificate was provided
[4812 byte] By [Rocci2a] at [2007-10-2 23:57:31]

Sorry for the late reply....
Not sure if it is still relevant, here are the steps to create V3 certs if you are using some opensource tool like openssl.
STEPS for generating 4 keystores:
1. Create your certificate authority as:
/usr/share/ssl/misc/CA -newca
Take all the defaults except in the cases that are highlighted in bold as shown below:
Enter PEM pass phrase: myca
Verifying password - Enter PEM pass phrase: myca
...
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:My SAMPLE
Common Name (eg, your name or your server's hostname) []:MyHost
Email Address []:
2. Create a certificate signing request as:
/usr/share/ssl/misc/CA -newreq
Take all the defaults except in the cases that are highlighted in bold as shown below:
Enter PEM pass phrase: changeit
Verifying password: Enter PEM pass phrase: changeit
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []: MY ORG
Common Name (eg, your name or your server's hostname) []: MYNAME
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:MyCert
An optional company name []:MYCOMPANY
Request (and private key) is in newreq.pem
4. Sign the certificate with the certificate authority as:
/usr/share/ssl/misc/CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:myca
...
Sign the certificate? [y/n]:y
1 out 1 certificate requests certified, commit? [y/n]:y
.............
Signed certificate is in newcert.pem
5. The certificate is generated in newcert.pem. Remove the ASCII representation of the certificate before the delimiters (BEGIN CERTIFICATE and END CERTIFICATE). Only keep the delimiters and the encoded certificate.
6. Convert the private key from PEM to DER format as:
openssl pkcs8 -nocrypt -in newreq.pem -inform PEM -topk8 -outform DER -out server-key.der
Enter PEM pass phrase: changeit
7. Convert the certificate also to DER format
openssl x509 -outform DER -in newcert.pem -out server-cert.der
8. So you now have server-key.der containing the server's private key and server-cert.der containing the server's certificate.
9. Repeat the above steps (steps 2 till step 7) to create the corresponding client-key.der and client-cert.der
10. Convert the cacert also into der format.
openssl x509 -outform DER -in demoCA/cacert.pem -out cacert.der
11. Use the attached program (KeystoreGenerator.java) to actually create the 4 keystores (client-keystore.jks, client-truststore.jks, server-keystore.jks and server-truststore.jks).
NOTE: You can make the necessary changes to the attached sample to modify the alias names for your keystore entries.
The default lifetime of the certificates generated by openssl is 365 days. You can change it to a larger or smaller value by editing /usr/local/ssl/openssl.cnf. Change the property "default_days" to the correct value. For example, if you need certs with 10-year validity, do the following:
default_days = 3650
-KeystoreGenerator.java
/*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the "License"). You may not use this file except
* in compliance with the License.
*
* You can obtain a copy of the license at
* https://jwsdp.dev.java.net/CDDLv1.0.html
* See the License for the specific language governing
* permissions and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* HEADER in each file and include the License file at
* https://jwsdp.dev.java.net/CDDLv1.0.html If applicable,
* add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your
* own identifying information: Portions Copyright [yyyy]
* [name of copyright owner]
*/
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.*;

public class KeystoreGenerator {

    /**
     * Reads a single X.509 certificate from a file; the file should be in "DER" format.
     */
    public static X509Certificate readX509Cert(String fileLocation)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream bis = new BufferedInputStream(new FileInputStream(fileLocation))) {
            X509Certificate cert = null;
            // A DER file normally holds one certificate; if several are concatenated,
            // the last one wins.
            while (bis.available() > 0) {
                cert = (X509Certificate) cf.generateCertificate(bis);
            }
            return cert;
        }
    }

    /**
     * Reads an unencrypted PKCS#8 RSA private key; the file should be in "DER" format
     * (what "openssl pkcs8 -nocrypt -topk8 -outform DER" produces).
     */
    public static PrivateKey readPrivateKey(String fileLocation)
            throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream fis = new FileInputStream(fileLocation)) {
            // Read to end of file instead of relying on available(), which is only an
            // estimate; a single read() may also return fewer bytes than requested.
            byte[] chunk = new byte[4096];
            int n;
            while ((n = fis.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        }
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(buf.toByteArray());
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        return keyFactory.generatePrivate(spec);
    }

    /**
     * Generate a keystore with a single cert-privKey pair.
     */
    public static void generateAndSaveKeyStore(
            X509Certificate cert,
            PrivateKey key,
            String keystorePassword,
            String alias,
            String keyPassword,
            String keystoreLocation)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, keystorePassword.toCharArray());   // null stream = new, empty keystore
        X509Certificate[] chain = new X509Certificate[1];
        chain[0] = cert;
        ks.setKeyEntry(alias, key, keyPassword.toCharArray(), chain);
        try (FileOutputStream out = new FileOutputStream(keystoreLocation)) {
            ks.store(out, keystorePassword.toCharArray());
        }
    }

    /**
     * Generate a truststore holding the CA certificate and the other party's certificate.
     */
    public static void generateAndSaveTrustStore(
            X509Certificate cacert,
            X509Certificate otherparty,
            String keystorePassword,
            String alias,
            String keystoreLocation)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, keystorePassword.toCharArray());
        ks.setCertificateEntry("certificate-authority", cacert);
        ks.setCertificateEntry(alias, otherparty);
        try (FileOutputStream out = new FileOutputStream(keystoreLocation)) {
            ks.store(out, keystorePassword.toCharArray());
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = readX509Cert("./client-cert.der");
        X509Certificate cacert = readX509Cert("./cacert.der");
        X509Certificate serverCert = readX509Cert("./server-cert.der");
        // Each side trusts the CA plus the other side's certificate.
        generateAndSaveTrustStore(cacert, cert, "changeit", "xws-security-client", "./server-truststore.jks");
        generateAndSaveTrustStore(cacert, serverCert, "changeit", "s1as", "./client-truststore.jks");
        PrivateKey serverPk = readPrivateKey("./server-key.der");
        PrivateKey clientPk = readPrivateKey("./client-key.der");
        // Each side's keystore holds its own private key and certificate.
        generateAndSaveKeyStore(serverCert, serverPk, "changeit", "s1as", "changeit", "./server-keystore.jks");
        generateAndSaveKeyStore(cert, clientPk, "changeit", "xws-security-client", "changeit", "./client-keystore.jks");
    }
}
--
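An added check, not part of the original post or the jwsdp sample: after running KeystoreGenerator, this program opens each keystore with the peer's truststore and reports whether the alias holds a key entry, whether the certificate is V3 (the point raised in the question), whether the private key actually matches the certificate, and whether the CA entry signed it. File names, aliases and the "changeit" password are the ones used in the post; the class name KeystoreCheck is assumed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

// Added checker, not part of the original post: inspects the JKS files built above.
public class KeystoreCheck {
    static final char[] PW = "changeit".toCharArray();   // password used in the post

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, PW);
        }
        return ks;
    }

    // True only if alias is a key entry, the peer truststore holds the same cert under
    // that alias, the cert is V3, the private key matches it and the CA entry signed it.
    static boolean check(String keystore, String truststore, String alias) throws Exception {
        KeyStore ks = load(keystore);
        KeyStore ts = load(truststore);
        if (!ks.isKeyEntry(alias) || !ts.isCertificateEntry(alias)) {
            System.out.println(alias + ": missing key entry or peer trust entry");
            return false;
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, PW);
        X509Certificate ca = (X509Certificate) ts.getCertificate("certificate-authority");
        System.out.println(alias + ": V" + cert.getVersion() + " " + cert.getSubjectX500Principal());
        cert.checkValidity();             // throws if expired or not yet valid
        cert.verify(ca.getPublicKey());   // throws if the CA did not sign it
        // Sign a probe with the private key and verify it with the certificate's public
        // key; this catches a key and cert that came from different -newreq runs.
        byte[] probe = "probe".getBytes("UTF-8");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey());
        s.update(probe);
        return s.verify(sig) && cert.getVersion() == 3 && cert.equals(ts.getCertificate(alias));
    }

    public static void main(String[] args) throws Exception {
        boolean ok = check("./server-keystore.jks", "./client-truststore.jks", "s1as")
                && check("./client-keystore.jks", "./server-truststore.jks", "xws-security-client");
        System.out.println(ok ? "keystores look usable" : "problem found");
    }
}
```

Run it in the directory that holds the four .jks files; a "missing key entry" line or an exception from checkValidity/verify points at the keystore that will make XWSS report "No X509Certificate was provided".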