Webservice Security and Windows Certificates

Question

I want to sign webservice requests using Apache CXF and WSS4J. As far as I know, I would need a JKS store containing the certificate I want to use for signing. There's the requirement to be able to use a X.509 certificate from the Windows certificate store. The certificate shall be read from the store at the time of signing the webservice request. I know how to access the store and get the certificate. But how can I use it for signing instead of the certificate from my own JKS store?

Answer 1

Just found it's possible to achieve using MerlinDevice class. That's how its done:

1) Configuring properties for WSS4JOutInterceptor:

Map<String,Object> outProps = new HashMap<String,Object>();
outProps.put(WSHandlerConstants.ACTION, "Signature");
outProps.put(WSHandlerConstants.USER, "Friendly_name_of_your_certificate");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, StupidCallback.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);

2) The client_sign.properties file looks like this:

org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.MerlinDevice
keystore.provider=SunMSCAPI
cert.provider=SunMSCAPI
keystore.type=Windows-MY
truststore.type=Windows-ROOT

3) And StupidCallback just returns constant string as a password (its value doesn't really matter):

public class StupidCallback implements CallbackHandler
{
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        pc.setPassword("password");
    }
}

That's all.

Answer 2

The KeyStore need not be a JKS one. You might write your own JCA Provider and implement KeyStoreSpi, and have it access the Windows certificate store.

Answer 3

Look at this that explains how to use the windows keystore. Then you have to configure CXF to use that keystore.