cxf-dev mailing list archives

From "" <>
Subject Re: CXF WSS4J signature validation problem.
Date Thu, 20 Dec 2012 17:39:07 GMT
I am operating in an environment where I communicate with web services to a
group of organizations with certs signed by a common CA. This set of
organizations is mutable, and I don't want to manage my truststore every time
a new organization joins. However, per my understanding of the
specifications, when sending a signature it is allowable to only send the
modulus/exponent of the public key. When I receive this message, the public
key is not enough information to verify whether or not that public key was
issued by the CA that I trust.

I would like to write a custom validator which ensures the crypto aspect of
this public key and the signature but stops short of trying to establish the
trust of the public key. Is there a good resource or tutorial for how I
could swap in a custom validator? 

I am not in love with this solution; however, in my scenario the signature is
backed by two-way SSL at the transport level, so I am OK with overlooking
the trust of the public key at the signature level.

Thank you!

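An added example, not part of the original message and not CXF or WSS4J project code: a custom validator written against the WSS4J 1.6 Validator interface that, instead of skipping trust, accepts the signing key only when it is the key of the client certificate authenticated by two-way SSL on the same request. The class name is hypothetical, and it assumes each organization signs with the same key pair as its TLS client certificate and that the validator is registered through CXF's "ws-security.signature.validator" endpoint property.

```java
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;

/** Hypothetical validator: binds the signature key to the TLS client certificate. */
public class TlsBoundKeyValidator implements Validator {

    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        if (credential == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        // KeyValue (modulus/exponent) signatures carry only a public key;
        // certificate-based signatures carry the signer certificate first.
        PublicKey signingKey = credential.getPublicKey();
        X509Certificate[] certs = credential.getCertificates();
        if (signingKey == null && certs != null && certs.length > 0) {
            signingKey = certs[0].getPublicKey();
        }
        // CXF passes its Message as the WSS4J message context.
        Object ctx = data.getMsgContext();
        TLSSessionInfo tls = (ctx instanceof Message)
                ? ((Message) ctx).get(TLSSessionInfo.class) : null;
        Certificate[] peer = (tls == null) ? null : tls.getPeerCertificates();
        // Fail closed: no key, or no client-authenticated TLS session.
        if (signingKey == null || peer == null || peer.length == 0) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        // peer[0] is the client's end-entity certificate, already chained
        // to the trusted CA by the TLS handshake.
        byte[] signed = signingKey.getEncoded();
        byte[] transport = peer[0].getPublicKey().getEncoded();
        if (signed == null || !Arrays.equals(signed, transport)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        return credential;
    }
}
```

WSS4J still performs the cryptographic signature check itself; the validator only decides whether the key is accepted. The TLS peer certificate is visible to the validator only when the SSL connection terminates at the CXF endpoint rather than at a proxy or load balancer in front of it.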