### Import CA and Client Certificates into Client Keystore Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Import the CA certificate and the newly signed client certificate into the client's Java keystore. ```bash keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40.jks keytool -import -file wss40.crt -alias wss40 -keystore wss40.jks ``` -------------------------------- ### Import Certificate into Keystore Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Imports a certificate into a Java keystore. Ensure the certificate file and keystore are accessible. ```bash keytool -import -file wss40rev.crt -alias wss40rev -keystore wss40rev.jks ``` -------------------------------- ### Import CA and Server Certificates into Server Keystore Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Import the CA certificate and the signed server certificate into the server's Java keystore. ```bash keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40_server.jks keytool -import -file wss40_server.crt -alias wss40_server -keystore wss40_server.jks ``` -------------------------------- ### Generate Expiring Client Certificate and Keystore Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Creates a client keypair and certificate that expires in 1 day, along with the necessary CSR and signing process. ```bash keytool -genkey -validity 1 -alias wss40exp -keyalg RSA -keystore wss40exp.jks -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40exp -keystore wss40exp.jks -file wss40exp.cer openssl ca -config ca.config -policy policy_anything -days 1 -out wss40exp.pem -infiles wss40exp.cer openssl x509 -outform DER -in wss40exp.pem -out wss40exp.crt keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40exp.jks keytool -import -file wss40exp.crt -alias wss40exp -keystore wss40exp.jks ``` -------------------------------- ### Generate Client Certificate for Revocation Testing Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Creates a client keypair, CSR, and signed certificate intended for testing certificate revocation scenarios. ```bash keytool -genkey -validity 3650 -alias wss40rev -keyalg RSA -keystore wss40rev.jks -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40rev -keystore wss40rev.jks -file wss40rev.cer openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40rev.pem -infiles wss40rev.cer openssl x509 -outform DER -in wss40rev.pem -out wss40rev.crt keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40rev.jks ``` -------------------------------- ### Generate Client Keypair, CSR, and Signed Certificate Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Steps to generate a client's RSA keypair, create a CSR, sign it with the CA, and convert the signed certificate to DER format. ```bash keytool -genkey -validity 3650 -alias wss40 -keyalg RSA -keystore wss40.jks -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40 -keystore wss40.jks -file wss40.cer openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40.pem -infiles wss40.cer openssl x509 -outform DER -in wss40.pem -out wss40.crt ``` -------------------------------- ### Using Switch for Event Handling in Java Source: https://github.com/apache/ws-wss4j/blob/master/Performance-Tips.txt This pattern is recommended for handling different XML event types efficiently. Ensure all relevant cases are covered. ```java switch(XMLEvent.getEventType()) { case XMLStreamConstants.START_ELEMENT: //do something with the start element break; case XMLStreamConstants.END_ELEMENT: //do something with the end element break; } ``` -------------------------------- ### Generate Client DSA Keypair, CSR, and Signed Certificate Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Commands to generate a client's DSA keypair, create a CSR, sign it with the CA, and import the signed certificate into the keystore. ```bash keytool -genkey -validity 3650 -alias wss40DSA -keyalg DSA -keysize 1024 -keystore wss40.jks -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40DSA -keystore wss40.jks -file wss40.cer openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40.pem -infiles wss40.cer openssl x509 -outform DER -in wss40.pem -out wss40.crt keytool -import -file wss40.crt -alias wss40DSA -keystore wss40.jks ``` -------------------------------- ### Create Duplicate CA Keystore and New Keypair Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Copies an existing CA keystore and generates a new keypair within it, useful for testing scenarios involving duplicate CA truststores. ```bash cp wss40CA.jks wss40CADupl.jks keytool -genkey -validity 3650 -alias wss40dupl -keyalg RSA -keystore wss40CADupl.jks -dname "CN=Werner, OU=Apache WSS4J, O=Home, L=Munich, ST=Bayern, C=DE" ``` -------------------------------- ### Generate CA Certificate and Keystore Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Commands to create a self-signed CA certificate and import it into a Java keystore. This CA will be used to sign other certificates. ```bash openssl req -x509 -newkey rsa:2048 -keyout wss40CAKey.pem -out wss40CA.pem -config ca.config -days 3650 openssl x509 -outform DER -in wss40CA.pem -out wss40CA.crt keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40CA.jks ``` -------------------------------- ### Using Version Bean for SAML Version in WSS4J 2.1 Source: https://github.com/apache/ws-wss4j/blob/master/src/site/asciidoc/wss4j21.adoc Demonstrates how to specify the SAML version using the Version bean in WSS4J 2.1, an alternative to the previous SAMLVersion dependency. This is relevant when migrating from OpenSAML 2.x to 3.x. ```java import org.apache.wss4j.common.saml.bean.Version; import org.apache.wss4j.common.saml.SAMLCallback; // ... SAMLCallback callback = new SAMLCallback(); callback.setSamlVersion(Version.SAML_20); // ... ``` -------------------------------- ### WSS4J Crypto Properties for Signature Creation Source: https://github.com/apache/ws-wss4j/blob/master/src/site/asciidoc/topics.adoc This properties file configures the Crypto implementation for signature creation. It specifies the provider, keystore type, password, default alias, and keystore file location. ```properties org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin org.apache.wss4j.crypto.merlin.keystore.type=jks org.apache.wss4j.crypto.merlin.keystore.password=security org.apache.wss4j.crypto.merlin.keystore.alias=wss40 org.apache.wss4j.crypto.merlin.keystore.file=keys/wss40.jks ``` -------------------------------- ### Maven Dependencies for OpenSAML Source: https://github.com/apache/ws-wss4j/blob/master/src/site/asciidoc/topics.adoc Introduced dependencies for WSS4J via OpenSAML, with judicious POM exclusions and modifications to avoid loading velocity. ```xml +- org.opensaml:opensaml:jar:2.4.1:compile | \- org.opensaml:openws:jar:1.4.1:compile | \- org.opensaml:xmltooling:jar:1.3.1:compile | +- org.slf4j:slf4j-api:jar:1.6.1:compile | \- joda-time:joda-time:jar:1.6.2:compile ``` -------------------------------- ### Generate Server Keypair, CSR, and Signed Certificate Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Process for generating a server's RSA keypair, creating a CSR, signing it with the CA, and converting the signed certificate to DER format. ```bash keytool -genkey -validity 3650 -alias wss40_server -keyalg RSA -keystore wss40_server.jks -dname "CN=Server,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40_server -keystore wss40_server.jks -file wss40_server.cer openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40_server.pem -infiles wss40_server.cer openssl x509 -outform DER -in wss40_server.pem -out wss40_server.crt ``` -------------------------------- ### Generate Ed448 Key Pair Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Generates an Ed448 key pair and stores it in a PKCS12 keystore. Requires JDK 16 or later. The key is used for signing. ```bash keytool -genkeypair -keystore wss-eddsa.p12 -alias ed448 -keyalg ED448 -sigalg ED448 \ -storepass security -keypass security \ -dname "CN=ed448,OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \ -validity 3650 ``` -------------------------------- ### Generate 1024-bit RSA Certificate Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Commands to generate a 1024-bit RSA keypair, create a CSR, sign it with the CA, and import the signed certificate into a keystore. ```bash keytool -genkey -validity 3650 -alias wss40 -keyalg RSA -keysize 1024 -keystore rsa1024.jks -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40 -keystore rsa1024.jks -file rsa1024.cer openssl ca -config ca.config -policy policy_anything -days 3650 -out rsa1024.pem -infiles rsa1024.cer openssl x509 -outform DER -in rsa1024.pem -out rsa1024.crt keytool -import -file wss40CA.crt -alias wss40CA -keystore rsa1024.jks keytool -import -file rsa1024.crt -alias wss40 -keystore rsa1024.jks ``` -------------------------------- ### Generate X448 Key Pair for ECDH Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Generates an X448 key pair for ECDH and signs it with a specified issuer CA. Requires JDK 17 or later. The keystore and key passwords are set to 'security'. ```bash keytool -genkeypair -keystore wss-ecdh.p12 -alias x448 -keyalg X448 \ -sigalg ED25519 -signer issuer-ca -signerkeypass security \ -storepass security -keypass security \ -dname "CN=x448, OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \ -validity 3650 ``` -------------------------------- ### Generate Certificate Revocation List (CRL) Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Creates a Certificate Revocation List (CRL) using OpenSSL. This process requires CA private key and certificate files, along with a configuration file. ```bash openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out wss40CACRL.pem -config ca.config -crldays 3650 ``` -------------------------------- ### Create Short-Lived CA and Signed Certificate Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Generates a CA certificate that expires shortly, then uses it to sign a client certificate. This is useful for testing CA expiration scenarios. ```bash openssl req -x509 -newkey rsa:2048 -keyout wss40CAKey.pem -out wss40CA.pem -config ca.config -days 1 openssl x509 -outform DER -in wss40CA.pem -out wss40CA.crt keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40CA.jks keytool -genkey -validity 3650 -alias wss40expca -keyalg RSA -keystore wss40expca.jks -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE" keytool -certreq -alias wss40expca -keystore wss40expca.jks -file wss40expca.cer openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40expca.pem -infiles wss40expca.cer openssl x509 -outform DER -in wss40expca.pem -out wss40expca.crt keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40expca.jks keytool -import -file wss40expca.crt -alias wss40expca -keystore wss40expca.jks mv wss40CA.jks wss40badcatrust.jks mv wss40expca.jks wss40badca.jks ``` -------------------------------- ### Generate Ed25519 Key Pair Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Generates an Ed25519 key pair and stores it in a PKCS12 keystore. Requires JDK 16 or later. The key is used for signing. ```bash keytool -genkeypair -keystore wss-eddsa.p12 -alias ed25519 -keyalg ED25519 -sigalg ED25519 \ -storepass security -keypass security \ -dname "CN=ed25519,OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \ -validity 3650 ``` -------------------------------- ### Generate secp384r1 EC Key Pair for ECDH Source: https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/test/resources/keys/README.txt Generates a secp384r1 Elliptic Curve key pair for ECDH and signs it with a specified issuer CA. Requires JDK 17 or later. The keystore and key passwords are set to 'security'. ```bash keytool -genkeypair -keystore wss-ecdh.p12 -alias secp384r1 -keyalg EC -groupname secp384r1 \ -sigalg ED25519 -signer issuer-ca -signerkeypass security \ -storepass security -keypass security \ -dname "CN=secp384r1, OU=eDeliveryAS4-2.0,OU=wss4j,O=apache,C=EU" \ -validity 3650 ```