cxf-dev mailing list archives

From "mw4forums@gmail.com" <mw4for...@gmail.com>
Subject Re: CXF WSS4J signature validation problem.
Date Thu, 20 Dec 2012 17:34:33 GMT
I am operating in an environment where I communicate with web services to a
group of organizations with certs signed by a common CA. This set of
organizations is mutable, and I don't want to manage my truststore every time
a new organization joins. However, per my understanding of the
specifications, when sending a signature it is allowable to only send the
modulus/exponent of the public key. When I receive this message, the public
key is not enough information to verify whether or not that public key was
issued by the CA that I trust.

I would like to write a custom validator which ensures the crypto aspect of
this public key and the signature but stops short of trying to establish the
trust of the public key. Is there a good resource or tutorial for how I
could swap in a custom validator?

I am not in love with this solution; however, in my scenario the signature is
backed by two-way SSL at the transport level, so I am OK with overlooking
the trust of the public key at the signature level.

Thank you!



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-signature-validation-problem-tp5719033p5720594.html
Sent from the cxf-dev mailing list archive at Nabble.com.
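
Added example, not part of the original message and not CXF or WSS4J project code: a trust validator that accepts a bare KeyValue only when it equals the public key of the client certificate from the two-way SSL session, which goes one step beyond skipping the trust check as the message proposes. It assumes the WSS4J 1.6.x `Validator` API and that CXF has stored a `TLSSessionInfo` on the inbound message; the class name `TlsBoundKeyValueValidator` is hypothetical.

```java
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SignatureTrustValidator;
import org.apache.ws.security.validate.Validator;

/** Hypothetical validator: a bare KeyValue is trusted only if it is the TLS client key. */
public class TlsBoundKeyValueValidator implements Validator {

    // Credentials that carry a certificate keep the stock truststore/CA check.
    private final Validator certificateValidator = new SignatureTrustValidator();

    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        if (credential == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        X509Certificate[] certs = credential.getCertificates();
        if (certs != null && certs.length > 0) {
            return certificateValidator.validate(credential, data);
        }
        // Only modulus/exponent was sent: bind it to the key already
        // authenticated by the transport instead of accepting any key.
        PublicKey signingKey = credential.getPublicKey();
        PublicKey tlsKey = tlsClientKey(data);
        if (signingKey != null && tlsKey != null
                && Arrays.equals(signingKey.getEncoded(), tlsKey.getEncoded())) {
            return credential;
        }
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
    }

    /** Returns the leaf client certificate's key, or null if the request was not mutually authenticated. */
    private static PublicKey tlsClientKey(RequestData data) {
        Object ctx = data.getMsgContext(); // assumption: CXF sets its Message here
        if (!(ctx instanceof Message)) return null;
        TLSSessionInfo tls = ((Message) ctx).get(TLSSessionInfo.class);
        if (tls == null) return null;
        Certificate[] peer = tls.getPeerCertificates();
        return (peer == null || peer.length == 0) ? null : peer[0].getPublicKey();
    }
}
```

In CXF 2.x a validator like this is registered on the endpoint through the `ws-security.signature.validator` property. WSS4J calls it only to decide whether the key or certificate behind the signature is trusted.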
