Mike, you may be right. I can remember (it's some time ago) when the path verification was implemented we had a similar problem. Maybe the person who implemented it firsthand can shed some light on it?
Regards, Werner

> -----Original Message-----
> From: Mike [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 5 July 2005 23:01
> To: [email protected]
> Subject: Signature verification
>
> Hi,
> We're trying to use a SAMLToken w/ holder-of-key for authentication.
> The service side is set up according to the appropriate test case.
>
> <requestFlow>
>   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
>     <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
>     <parameter name="signaturePropFile" value="servercrypto.properties" />
>   </handler>
> </requestFlow>
>
> servercrypto.properties:
>
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
> org.apache.ws.security.crypto.merlin.keystore.provider=BC
> org.apache.ws.security.crypto.merlin.keystore.password=xxxx
> org.apache.ws.security.crypto.merlin.file=gensvr.keystore
>
> Wss4j is able to find the properties, appropriate keystore, and alias in
> that keystore for the certificate issuer, but is unable to verify the
> cert path between client and issuer.
>
> AxisFault
>  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>  faultSubcode:
>  faultString: WSDoAllReceiver: Certificate path verification failed for
> certificate with subject OU=client, OU=umiacs; nested exception is:
> org.apache.ws.security.WSSecurityException: General security error (Error
> during certificate path validation: signature check failed); nested
> exception is:
> java.security.cert.CertPathValidatorException: signature check failed
>
> Tracking this down, it appears that the SUN provider that is used by
> default isn't happy when you use bouncycastle to handle keystore
> activity. Changing 'CertPathValidator.getInstance' in Merlin.java to use
> the same provider as the keystore appears to fix this. Am I missing
> something, or is this a bug?
>
> -Mike
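The change Mike describes, written out in provider-safe form as an added example (this is not WSS4J's Merlin code). It assumes the keystore has already been loaded with at least one trusted certificate entry (otherwise `PKIXParameters(KeyStore)` rejects it) and that the caller holds the client chain as `X509Certificate` objects, leaf first; `validatorFor` and `verify` are hypothetical helper names.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.List;

public final class ProviderAwarePathCheck {

    // Ask the keystore's own provider (BC in Mike's setup) for a PKIX validator,
    // instead of taking whichever provider the JVM lists first. Not every keystore
    // provider also implements CertPathValidator, so fall back to the default
    // rather than failing outright.
    static CertPathValidator validatorFor(KeyStore ks) throws NoSuchAlgorithmException {
        Provider keystoreProvider = ks.getProvider();
        try {
            return CertPathValidator.getInstance("PKIX", keystoreProvider);
        } catch (NoSuchAlgorithmException e) {
            return CertPathValidator.getInstance("PKIX");
        }
    }

    // Validate the client chain against the trusted-certificate entries of the
    // keystore. Returns the name of the provider that accepted the path, so a log
    // line can show which one was actually used; throws on any validation failure.
    static String verify(KeyStore ks, List<X509Certificate> chain) throws Exception {
        CertPathValidator validator = validatorFor(ks);

        // Build the CertPath with the same provider family where possible, so the
        // path objects come from the provider that will check their signatures.
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509", ks.getProvider());
        } catch (Exception e) {
            factory = CertificateFactory.getInstance("X.509");
        }
        CertPath path = factory.generateCertPath(chain);

        // Trust anchors are the keystore's trusted-certificate entries.
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // no CRL/OCSP configured in the setup above

        validator.validate(path, params);
        return validator.getProvider().getName();
    }
}
```

Logging the returned provider name next to `ks.getProvider().getName()` makes a provider mismatch visible in the server log before it shows up as a bare "signature check failed".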
