Hi,
We're trying to use a SAMLToken w/ holder-of-key for authentication. The service side is set up according to the appropriate test case.

        <requestFlow>
            <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
                <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
                <parameter name="signaturePropFile" value="servercrypto.properties"/>
            </handler>
        </requestFlow>

servercrypto.properties:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.provider=BC
org.apache.ws.security.crypto.merlin.keystore.password=xxxx
org.apache.ws.security.crypto.merlin.file=gensvr.keystore

Wss4j is able to find the properties, appropriate keystore, and alias in that keystore for the certificate issuer, but is unable to verify the cert path between client and issuer.

AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
 faultSubcode:
faultString: WSDoAllReceiver: Certificate path verification failed for certificate with subject OU=client, OU=umiacs; nested exception is: org.apache.ws.security.WSSecurityException: General security error (Error during certificate path validation: signature check failed); nested exception is: java.security.cert.CertPathValidatorException: signature check failed

Tracking this down, it appears that the SUN provider that is used by default isn't happy when you use bouncycastle to handle keystore activity. Changing 'CertPathValidator.getInstance' in Merlin.java to use the same provider as the keystore appears to fix this. Am I missing something, or is this a bug?

-Mike
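For readers following up on the provider point above, here is an added, stand-alone illustration of the workaround Mike describes (it is not Merlin's code or part of WSS4J): the keystore, the certificate factory and the PKIX validator are all requested from the same provider instead of letting CertPathValidator.getInstance("PKIX") fall back to the default SUN implementation. The keystore path and password are taken from servercrypto.properties above; the alias "issuer-alias" and the client certificate file "client.cer" are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class ProviderConsistentPathCheck {

    /** Validates leaf against the issuer stored under issuerAlias, using one JCE provider throughout. */
    public static boolean validate(KeyStore ks, String issuerAlias, X509Certificate leaf,
                                   String providerName) throws Exception {
        X509Certificate issuer = (X509Certificate) ks.getCertificate(issuerAlias);
        if (issuer == null) throw new IllegalArgumentException("no certificate under alias " + issuerAlias);

        // Path holds only the leaf; the issuer from the keystore is the trust anchor.
        CertificateFactory cf = CertificateFactory.getInstance("X.509", providerName);
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(issuer, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP checking in this illustration

        // The point of the post: take the validator from the keystore's provider rather than
        // CertPathValidator.getInstance("PKIX"), which resolves to the first registered (SUN) provider.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX", providerName);
        try {
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("path validation failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        String providerName = "BC"; // same provider as merlin.keystore.provider
        KeyStore ks = KeyStore.getInstance("pkcs12", providerName);
        try (InputStream in = new FileInputStream("gensvr.keystore")) { ks.load(in, "xxxx".toCharArray()); }
        X509Certificate leaf; // assumed placeholder file holding the client certificate
        try (InputStream in = new FileInputStream("client.cer")) {
            leaf = (X509Certificate) CertificateFactory.getInstance("X.509", providerName).generateCertificate(in);
        }
        System.out.println("valid: " + validate(ks, "issuer-alias", leaf, providerName));
    }
}
```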
