I've found out how to select this option by reading the code. Like a lot of things in WSS4J, it's simple when you know how, but the lack of documentation makes the learning process very slow. I've taken the liberty of writing a page of documentation (appended) for this issue.
Cheers,
Guy

<?xml version="1.0" encoding="ISO-8859-1"?>
<document>
  <properties>
    <author email="[EMAIL PROTECTED]">Guy Rixon</author>
    <title>Including the sender's certificate in the signed message</title>
  </properties>
  <body>
    <section name="Including the sender's certificate in the signed message">
      <p>
        When messages are digitally signed, the recipient must have the sender's certificate chain in order to check the signature. Typically, the chain has two certificates: that of the sender and that of the sender's certificate authority (CA).
      </p>
      <p>
        There are two common ways of getting the certificates to the service.
      </p>
      <ol>
        <li>
          Install the CA's certificate in the service configuration. Send the caller's individual certificate with the signed message. This is called "direct reference", since the signature mark-up in the SOAP header refers directly to an included credential.
        </li>
        <li>
          Install both the CA certificate and the caller's individual certificate in the service configuration. Send the CA's name and the serial number of the caller's certificate in the SOAP message; have the service retrieve its copy of the certificate using these metadata. This is called the "issuer-serial" method.
        </li>
      </ol>
      <p>
        The issuer-serial method presumes that all trusted users of the service are known to the service and have pre-registered their certificate chains before using the service. The direct-reference method presumes that the service operator trusts all users with certificates issued by a trusted CA.
      </p>
      <p>
        To use the direct-reference method when using WSDoAllSender to sign the messages, the client must set a handler property as follows.
      </p>
      <pre>
        stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
      </pre>
      <p>
        To use the issuer-serial method, the property should be set like this:
      </p>
      <pre>
        stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
      </pre>
      <p>
        If the property is not set, the default is to use the issuer-serial method.
      </p>
    </section>
  </body>
</document>

On Tue, 9 Aug 2005, Guy Rixon wrote:

> Thanks, I see now why it was doing that. I thought I _was_ sending the
> certificate in the message.
>
> How do I activate the DirectReference option? It doesn't seem to be mentioned
> in the deployment examples.
>
> On Tue, 9 Aug 2005, Dittmann, Werner wrote:
>
> > Guy,
> >
> > to verify a Signature you need the "real" certificate, not
> > only the CA certificate. The CA certificate only proves that
> > the "real" certificate is ok. If you want to avoid having the
> > real certificate (the one used to sign) in the keystore
> > you could use the DirectReference option.
> >
> > In that case the certificate is transferred inside the request
> > to the server (coded in base64).
> >
> > Regards,
> > Werner
> >
> > PS. The WSDoAllReceiver contains certificate path validation.
> > This is implemented in a way that you must have all certificates in
> > the keystore, even if you send it via DirectReference. This
> > is an open issue we will address in the near future.
> >
> > Werner
> >
> > > -----Original Message-----
> > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, 9 August 2005 13:25
> > > To: [email protected]
> > > Subject: Signature-verification problem in WSS4J
> > >
> > > Hi,
> > >
> > > I have a problem with WSS4J 1.0.0. I'm trying to use
> > > WSDoAllReceiver to sign a message and WSDoAllSender to verify the
> > > signature. It works if I give the server a keystore that contains the
> > > sender's entire certificate chain. It fails if I give the server a
> > > keystore containing just the certificate for the sender's CA.
> > >
> > > Looking in WSSecurityEngine, and turning on the debug log, it
> > > seems that the WSS4J library code is trying to get the CA
> > > certificate by first finding the user's personal certificate
> > > (by serial number) _in the server's keystore_.
> > > It's calling
> > >
> > >   getAliasForX509Cert(String issuer, BigInteger serialNumber, true)
> > >
> > > on Merlin. This can't work when the server only has the CA
> > > certificate.
> > >
> > > Maybe I've got it wrongly configured (again). Is there some
> > > setting I need to make s.t. the server trusts all certificates
> > > from a given CA?
> > >
> > > Cheers,
> > > Guy
> > >
> > > Guy Rixon [EMAIL PROTECTED]
> > > Institute of Astronomy Tel: +44-1223-337542
> > > Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
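The following is an added example, not code from the thread or from the WSS4J project. It puts the single SIG_KEY_ID line from the appended documentation into a complete client-side WSDoAllSender configuration for WSS4J 1.x under Axis 1, with the password callback the handler needs and the two key-identifier choices side by side. The keystore alias `client`, the property file name `client-crypto.properties`, the `client.key.password` system property and the `PWCallback` class name are assumptions; the `WSHandlerConstants` names, `WSPasswordCallback` and `Stub._setProperty` are WSS4J 1.x and Axis 1 API.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis.client.Stub;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Client-side signing setup for WSDoAllSender (WSS4J 1.x, Axis 1).
 * Added example; alias, file names and callback class are assumptions.
 *
 * client-crypto.properties is expected to contain the Merlin keys, e.g.:
 *   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
 *   org.apache.ws.security.crypto.merlin.keystore.type=jks
 *   org.apache.ws.security.crypto.merlin.keystore.password=<keystore password>
 *   org.apache.ws.security.crypto.merlin.file=client.jks   (assumed file name)
 */
public class SigningClientConfig {

    /** Alias of the client's private key and certificate in the keystore (assumed). */
    static final String SIGNING_ALIAS = "client";

    /**
     * Apply the WSDoAllSender properties to an Axis 1 stub.
     *
     * @param stub            any generated Axis 1 stub (org.apache.axis.client.Stub)
     * @param directReference true  -> "DirectReference": the client's X.509 certificate
     *                                 travels base64-encoded in the WS-Security header,
     *                                 so the service only needs a way to trust its issuer;
     *                        false -> "IssuerSerial": only the issuer DN and serial number
     *                                 are sent, so the service must already hold the
     *                                 client's certificate in its own keystore
     */
    public static void configureSigning(Stub stub, boolean directReference) {
        // Equivalent to the <parameter> entries on WSDoAllSender in a client-config.wsdd,
        // but set on the MessageContext through the stub instead.
        stub._setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        stub._setProperty(WSHandlerConstants.USER, SIGNING_ALIAS);
        stub._setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, PWCallback.class.getName());
        stub._setProperty(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties");

        // The property the thread is about. The default is IssuerSerial, which makes the
        // receiver look the signer's certificate up by issuer + serial in its keystore and
        // fail when that keystore holds only the CA certificate.
        stub._setProperty(WSHandlerConstants.SIG_KEY_ID,
                directReference ? "DirectReference" : "IssuerSerial");
    }

    /**
     * Password callback: WSDoAllSender asks here for the private-key password of the
     * alias named in WSHandlerConstants.USER. The password is taken from a system
     * property (assumed name) so that no literal password is compiled into the client.
     */
    public static class PWCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (!(callbacks[i] instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
                }
                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                // getIdentifer() is the WSS4J 1.x accessor for the requested alias
                // (the misspelling is WSS4J's own method name).
                if (SIGNING_ALIAS.equals(pc.getIdentifer())) {
                    String password = System.getProperty("client.key.password");
                    if (password == null) {
                        throw new IOException("client.key.password not set");
                    }
                    pc.setPassword(password);
                }
            }
        }
    }
}
```

Usage is `SigningClientConfig.configureSigning((Stub) service.getPort(...), true)` before the first call on the stub, with the WSDoAllSender handler engaged in the request flow. Two caveats from the thread itself: choosing DirectReference widens the trust decision from "this registered certificate" to "any certificate issued by a CA in the service's keystore", which is what the appended documentation describes, and, per Werner's postscript, WSS4J 1.0.0's WSDoAllReceiver still expected the complete chain in the server keystore even for DirectReference, so the CA-only server keystore only works once that open issue is resolved.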
