Hi,

if you do signing as you describe then you usually do not need the client's
keystore on the server. However, if you would like to validate the client's
certificate (i.e. the client's public key) then you need the root certificate
of the issuer (a certificate authority, CA) of the client's certificate.
Usually the issuer's root certificate is stored in the server's keystore. This
is the reason you need a crypto parameter at the server as well.


Regards,
Werner

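To make the two separate checks in Werner's answer concrete, here is a small Go program. It is added here as an illustration and is not WSS4J code nor part of this thread; the Go standard library's crypto/x509 stands in for the WSS4J Crypto/keystore API, the function names (makeCert, verifyToken, trustStore, and so on) are mine, and the CA, the client certificate, a rogue self-signed certificate and the SignedInfo bytes are all constructed inside the program. The server first chains the certificate from the BinarySecurityToken to the root in its truststore (the role of the crypto parameter), and only then uses the public key from the wire to check the rsa-sha1 signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates an RSA key and a certificate for it (constructed sample PKI). With
// parent == nil the certificate is self-signed; otherwise parent/signer is the constructed CA.
func makeCert(cn string, serial int64, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, signer = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// binarySecurityToken encodes the certificate the way wsse:BinarySecurityToken carries it (Base64 DER).
func binarySecurityToken(der []byte) string { return base64.StdEncoding.EncodeToString(der) }

// signSignedInfo mirrors ds:SignatureMethod rsa-sha1: PKCS#1 v1.5 over SHA-1 of the canonicalized
// SignedInfo bytes (a literal stand-in here; XML canonicalization itself is out of scope).
func signSignedInfo(key *rsa.PrivateKey, signedInfo []byte) ([]byte, error) {
	h := sha1.Sum(signedInfo)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h[:])
}

// trustStore plays the role of the server keystore that holds the issuer's root certificate.
func trustStore(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// verifyToken is the server side: the public key on the wire checks the signature, but only after
// the truststore has confirmed that the certificate carrying it was issued by a trusted CA.
func verifyToken(tokenB64 string, signedInfo, sig []byte, roots *x509.CertPool) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(tokenB64)
	if err != nil { return nil, fmt.Errorf("token is not base64: %w", err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, fmt.Errorf("token is not an X.509 certificate: %w", err) }
	// Check 1: chain to a trusted root. Without it any key pair can produce a valid-looking message.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	// Check 2: the signature itself, with the now-trusted public key taken from the token.
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, fmt.Errorf("expected an RSA public key in the token") }
	h := sha1.Sum(signedInfo)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	return cert, nil
}

func main() {
	ca, caKey, err := makeCert("Example Root CA", 1, true, nil, nil)
	if err != nil { panic(err) }
	roots := trustStore(ca)
	signedInfo := []byte("<ds:SignedInfo>constructed sample</ds:SignedInfo>")

	client, clientKey, _ := makeCert("client", 2, false, ca, caKey)
	sig, _ := signSignedInfo(clientKey, signedInfo)
	_, err = verifyToken(binarySecurityToken(client.Raw), signedInfo, sig, roots)
	fmt.Println("CA-issued client certificate:", err) // nil: accepted

	rogue, rogueKey, _ := makeCert("rogue", 3, false, nil, nil)
	rogueSig, _ := signSignedInfo(rogueKey, signedInfo)
	_, err = verifyToken(binarySecurityToken(rogue.Raw), signedInfo, rogueSig, roots)
	fmt.Println("self-signed certificate, valid signature:", err) // rejected by check 1
}
```

The rogue case is the point of the question: its signature verifies perfectly against the key that came over the wire, so a server that skipped the chain check would accept it. The truststore is what turns "someone signed this" into "the party the certificate names signed this".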
Sathish Kumar wrote:

Hi,
I have a SOAP message signed at the client side using the client's private key. The client's public key is passed over the wire to the server.
This certificate is available in the BinarySecurityToken element and is referenced from the SecurityTokenReference of the KeyInfo element. (Please see attached file.)
What is the purpose of providing a crypto file to the *WSSecurityEngine.getCertificatesTokenReference(element, crypto)* method? What certificates does the crypto file have? Does this mean we should upload the client's keystore (containing the public key) on the server side? If yes, what is the purpose of the public key that comes over the wire? Interop1-draft-06 states that the signature should be verified using the public key passed over the wire.


Regards,
Sathish Kumar T.K.

------------------------------------------------------------------------


<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-9310158"> cert goes here...
</wsse:BinarySecurityToken>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soapenv xsd xsi"></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#id-30308427">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>UQLNiUqLVV5qA5ljMCFncAbBM+8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>signature goes here....</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-24392121">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-23894119">
<wsse:Reference URI="#CertId-9310158"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>

</wsse:Security>




