Guy, to verify a signature you need the "real" certificate, not only the CA certificate. The CA certificate only proves that the "real" certificate is ok. If you want to avoid having the real certificate (the one used to sign) in the keystore you could use the DirectReference option.
In that case the certificate is transferred inside the request to the server (encoded in base64).

Regards,
Werner

PS. The WSDoAllReceiver contains certificate path validation. This is implemented in a way that you must have all certificates in the keystore, even if you send it via DirectReference. This is an open issue that we will address in the near future.

Werner

> -----Original Message-----
> From: Guy Rixon [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 9 August 2005 13:25
> To: [email protected]
> Subject: Signature-verification problem in WSS4J
>
>
> Hi,
>
> I have a problem with WSS4J 1.0.0. I'm trying to use WSDoAllReceiver to sign a
> message and WSDoAllSender to verify the signature. It works if I give the
> server a keystore that contains the sender's entire certificate chain. It fails
> if I give the server a keystore containing just the certificate for the
> sender's CA.
>
> Looking in WSSecurityEngine, and turning on the debug log, it seems that the
> WSS4J library code is trying to get the CA certificate by first finding the
> user's personal certificate (by serial number) _in the server's keystore_.
> It's calling
>
> getAliasForX509Cert(String issuer, BigInteger serialNumber, true)
>
> on Merlin. This can't work when the server only has the CA certificate.
>
> Maybe I've got it wrongly configured (again). Is there some setting I need to
> make s.t. the server trusts all certificates from a given CA?
>
> Cheers,
> Guy
>
> Guy Rixon                              [EMAIL PROTECTED]
> Institute of Astronomy                 Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
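The two-step check Werner describes (verify the signature with the signer's own certificate, then prove that certificate is acceptable via the CA in the truststore), as an added illustration in plain JCA rather than WSS4J's own code: the signer certificate arrives base64-encoded with the request as it would under DirectReference, and the truststore holds only the CA. Assumed: a JKS truststore and password from the command line, an RSA/SHA-256 signature over the raw message bytes (real WS-Security signs canonicalised XML), and the hypothetical class and method names below.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;

public class DirectReferenceCheck {

    // Step 1: the signer certificate travels inside the request (DirectReference).
    // It is untrusted input at this point: parse it, but trust nothing about it yet.
    static X509Certificate parseCert(String base64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Der);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // Step 2: the signature can only be checked with the signer's public key,
    // which is why the CA certificate alone can never verify it.
    static boolean signatureOk(X509Certificate signer, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA"); // assumed algorithm
        v.initVerify(signer.getPublicKey());
        v.update(data);
        return v.verify(sig);
    }

    // Step 3: a valid signature from an unknown certificate proves nothing. The
    // certificate must chain to a trusted CA; PKIXParameters(KeyStore) takes the
    // trusted-certificate entries of the truststore as anchors, so the signer's
    // certificate itself does not have to be in the keystore. Intermediate CA
    // certificates, if any, would have to be added to the path list.
    static void validateChain(X509Certificate signer, KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(signer));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumed: no CRL/OCSP source configured here
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws if untrusted
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore.jks> <password> <base64 signer cert> <base64 signature>
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        X509Certificate signer = parseCert(args[2]);
        byte[] message = "<soap:Body>example</soap:Body>".getBytes(StandardCharsets.UTF_8); // constructed
        boolean sigOk = signatureOk(signer, message, Base64.getDecoder().decode(args[3]));
        validateChain(signer, ts); // only reached when the signature itself checked out
        System.out.println("signature valid: " + sigOk + ", chain trusted by CA in truststore");
    }
}
```

Order matters for the failure modes in this thread: if step 3 is skipped, any self-signed certificate shipped with the request would pass, and if step 3 insists on finding the signer's own certificate in the keystore (as Werner notes WSDoAllReceiver 1.0.0 does), a CA-only truststore fails even though the chain is fine.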
