ws-fx-dev mailing list archives

From Andrew Kinard <akin...@cisco.com>
Subject Re: verifying signatures, useReqSigCert and keystores
Date Fri, 29 Jul 2005 14:27:58 GMT
Hello all,

I'm new to this list, but found this email in the archives.
Like Brian, I also have a need to ditch my keystore for the receiver.
I am willing to write a patch to implement the config parameter that Werner mentions below.
However, being new to this code, I could use some pointers on where to start.

Does anyone have any experience disabling certpath validation and using just the base64 cert token from DirectReference to validate a received message?

Regards,
Andrew Kinard
AK;-)



-------------------------------------------------------

Subject: Re: verifying signatures, useReqSigCert and keystores
Date: Fri, 15 Jul 2005 08:37:36 +0200
From: Dittmann, Werner <werner.dittmann@siemens.com>

Brian,

IMO this is due to the certificate validation built into
the receiver and yes, it is enabled AFAIK.

Maybe we could think of yet another config parameter
to switch this off and save the keystore at all.
Obviously, as you stated, this only works in particular
configurations.

Regards,
Werner

 > -----Original Message-----
 > From: Brian Nielsen [mailto:brian@sweetxml.org]
 > Sent: Thursday, 14 July 2005 23:13
 > To: fx-dev@ws.apache.org
 > Subject: verifying signatures, useReqSigCert and keystores
 >
 > Since I'm not sure I got this right, I've chosen to write it here instead of creating a jira.
 >
 > When using "useReqSigCert" I thought I didn't need to have a keystore for the encryption since it should come from/be found in processing the signature in the request. I've found out that if I don't provide an "encryptionPropFile" I get an error, so I've tried a dummy one, and it works. I'm not really sure if it's needed.
 >
 > When verifying a signature what should the keystore contain? If the message uses DirectReference the certificate is in the message, and the keystore isn't needed, unless to do certificate path validation, but that isn't enabled, right? Whereas if it's one of the other identifier types the public key is needed from the keystore, and possibly also the trusted root certificate(s). So in this scenario the need for a keystore for validation depends on how the certificate is referenced.
 >
 > If this is true, there should not be a need for a keystore for the encryption when using "useReqSigCert".
 >
 > During my experiments with WSE 2.0 interop I've found out that WSE always uses/wants DirectReference for signatures and SubjectKeyIdentifier for encryption (shouldn't it be "SubjectKeyIdentifier" instead of "SKIKeyIdentifier"?). Given this subset of the wss-standard it's more simple, as to what is needed in the verification/"useReqSigCert"-encryption.
 >
 > Have I got this right, and should it be possible to leave out the "signaturePropFile"/"encryptionPropFile" in this scenario?
 >
 > Regards
 > Brian
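One way to make Brian's point about reference types concrete, as an added example in Python (not WSS4J code and not from anyone on this thread): it reads the KeyInfo of a WS-Security signature and reports whether the verifier can take the certificate from the message or must look it up in a keystore. The namespace URIs are the OASIS WSS 1.0 ones; the SOAP envelope, ids and token value are constructed.

```python
# Added example, not WSS4J's own code: inspect the KeyInfo of a WS-Security
# signature and report how the signing certificate is referenced, which is what
# decides whether a keystore lookup is needed. Envelope and token are constructed.
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"wsse": WSSE, "wsu": WSU, "ds": DS}
SKI_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"


def classify_key_reference(soap_xml: str) -> dict:
    """Return the reference form, whether a keystore lookup is needed, and
    the base64 certificate if it travels inside the message."""
    root = ET.fromstring(soap_xml)
    str_el = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("signature KeyInfo has no SecurityTokenReference")
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:  # DirectReference: cert is a BinarySecurityToken in the header
        token_id = ref.get("URI", "").lstrip("#")
        for bst in root.iterfind(".//wsse:BinarySecurityToken", NS):
            if bst.get(f"{{{WSU}}}Id") == token_id:
                # No lookup needed, but the cert came from the sender: it still has
                # to chain to a configured trust anchor before the signature counts.
                return {"reference": "DirectReference", "needs_keystore": False,
                        "cert_b64": (bst.text or "").strip()}
        raise ValueError(f"DirectReference points at missing token {token_id!r}")
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None and kid.get("ValueType") == SKI_TYPE:
        return {"reference": "SubjectKeyIdentifier", "needs_keystore": True, "cert_b64": None}
    if str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return {"reference": "IssuerSerial", "needs_keystore": True, "cert_b64": None}
    raise ValueError("unsupported SecurityTokenReference form")


def make_envelope(str_body: str, token: str = "") -> str:
    """Constructed SOAP envelope around the given SecurityTokenReference body."""
    return (f'<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">{token}'
            f'<ds:Signature><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo>'
            f'<wsse:SecurityTokenReference>{str_body}</wsse:SecurityTokenReference>'
            f'</ds:KeyInfo></ds:Signature></wsse:Security></Header><Body/></Envelope>')


# WSE 2.0 style signature: DirectReference to an embedded (placeholder) token.
SAMPLE_DIRECT = make_envelope('<wsse:Reference URI="#CertId-1"/>',
                              '<wsse:BinarySecurityToken wsu:Id="CertId-1">NOT-A-REAL-CERT</wsse:BinarySecurityToken>')
# Signature whose KeyInfo carries only a SubjectKeyIdentifier: keystore lookup required.
SAMPLE_SKI = make_envelope(f'<wsse:KeyIdentifier ValueType="{SKI_TYPE}">c2tp</wsse:KeyIdentifier>')
```

Running `classify_key_reference(SAMPLE_DIRECT)` reports DirectReference with the embedded token and no keystore needed, while `SAMPLE_SKI` reports that a keystore lookup is required.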
