Guy, could you please add this to JIRA?
thanks,
-- dims

On 8/9/05, Guy Rixon <[EMAIL PROTECTED]> wrote:
> I've found out how to select this option by reading the code. Like a lot of
> things in WSS4J it's simple when you know how but the lack of documentation
> makes the learning process very slow. I've taken the liberty of writing a page
> of documentation -- appended -- for this issue.
>
> Cheers,
> Guy
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <document>
>
> <properties>
> <author email="[EMAIL PROTECTED]">Guy Rixon</author>
> <title>Including the sender's certificate in the signed message</title>
> </properties>
>
> <body>
> <section name="Including the sender's certificate in the signed message">
>
> <p>
> When messages are digitally signed, the recipient must have the sender's
> certificate chain in order to check the signature. Typically, the chain has
> two certificates: that of the sender and that of the sender's certificate
> authority (CA).
> </p>
>
> <p>
> There are two common ways of getting the certificates to the service.
> </p>
>
> <ol>
> <li>
> Install the CA's certificate in the service configuration. Send the caller's
> individual certificate with the signed message. This is called "direct
> reference", since the signature mark-up in the SOAP header refers directly
> to an included credential.
> </li>
> <li>
> Install both the CA certificate and the caller's individual certificate in
> the service configuration. Send the CA's name and the serial number of the
> caller's certificate in the SOAP message; have the service retrieve its copy
> of the certificate using these metadata. This is called the "issuer-serial"
> method.
> </li>
> </ol>
>
> <p>
> The issuer-serial method presumes that all trusted users of the service are
> known to the service and have pre-registered their certificate chains before
> using the service. The direct-reference method presumes that the service
> operator trusts all users with certificates issued by a trusted CA.
> </p>
>
> <p>
> To use the direct-reference method when using WSDoAllSender to sign the
> messages, the client must set a handler property as follows.
> </p>
>
> <pre>
> stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
> </pre>
>
> <p>
> To use the issuer-serial method, the property should be set like this:
> </p>
>
> <pre>
> stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
> </pre>
>
> <p>
> If the property is not set, the default is to use the issuer-serial method.
> </p>
>
> </section>
> </body>
>
> </document>
>
>
> On Tue, 9 Aug 2005, Guy Rixon wrote:
>
> > Thanks, I see now why it was doing that. I thought I _was_ sending the
> > certificate in the message.
> >
> > How do I activate the DirectReference option? It doesn't seem to be
> > mentioned in the deployment examples.
> >
> > On Tue, 9 Aug 2005, Dittmann, Werner wrote:
> >
> > > Guy,
> > >
> > > to verify a Signature you need the "real" certificate, not
> > > only the CA certificate. The CA certificate only proves that
> > > the "real" certificate is ok. If you want to avoid having the
> > > real certificate (the one used to sign) in the keystore
> > > you could use the DirectReference option.
> > >
> > > In that case the certificate is transferred inside the request
> > > to the server (coded in base64).
> > >
> > > Regards,
> > > Werner
> > >
> > > PS. The WSDoAllReceiver contains certificate path validation.
> > > This is implemented in a way that you must have all certificates in
> > > the keystore, even if you send it via DirectReference. This
> > > is an open issue we will address in the next time.
> > >
> > > Werner
> > >
> > > > -----Original Message-----
> > > > From: Guy Rixon [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, 9 August 2005 13:25
> > > > To: [email protected]
> > > > Subject: Signature-verification problem in WSS4J
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I have a problem with WSS4J 1.0.0. I'm trying to use WSDoAllReceiver
> > > > to sign a message and WSDOAllSender to verify the signature. It works
> > > > if I give the server a keystore that contains the sender's entire
> > > > certificate chain. It fails if I give the server a keystore containing
> > > > just the certificate for the sender's CA.
> > > >
> > > > Looking in WSSecurityEngine, and turning on the debug log, it seems
> > > > that the WSS4J library-code is trying to get the CA certificate by
> > > > first finding the user's personal certificate (by serial number) _in
> > > > the server's keystore_. It's calling
> > > >
> > > > getAliasForX509Cert(String issuer, BigInteger serialNumber, true)
> > > >
> > > > on Merlin. This can't work when the server only has the CA certificate.
> > > >
> > > > Maybe I've got it wrongly configured (again). Is there some setting I
> > > > need to make s.t. the server trusts all certificates from a given CA?
> > > >
> > > > Cheers,
> > > > Guy
> > > >
> > > > Guy Rixon                                [EMAIL PROTECTED]
> > > > Institute of Astronomy                   Tel: +44-1223-337542
> > > > Madingley Road, Cambridge, UK, CB3 0HA   Fax: +44-1223-337523
> > > >
> > > >
> >
> > Guy Rixon                                [EMAIL PROTECTED]
> > Institute of Astronomy                   Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA   Fax: +44-1223-337523
> >
>
> Guy Rixon                                [EMAIL PROTECTED]
> Institute of Astronomy                   Tel: +44-1223-337542
> Madingley Road, Cambridge, UK, CB3 0HA   Fax: +44-1223-337523
>

--
Davanum Srinivas - http://blogs.cocoondev.org/dims/
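The thread above turns on what the receiver has to do with the `<ds:KeyInfo>` of a signed message in each of the two key-identifier styles. The following Python script is an added example, not WSS4J code and not from any participant in the thread: it builds two constructed SOAP envelopes (one with a `wsse:BinarySecurityToken` plus a direct `wsse:Reference`, one with `ds:X509IssuerSerial`), then plays the receiver's certificate resolution against a toy keystore. The "certificates" are small dicts rather than real X.509 blobs, `find_alias_for_x509_cert` is a stand-in for the `getAliasForX509Cert(issuer, serial)` lookup Guy saw in the debug log, and no signature mathematics is performed; the point is to show why the issuer-serial style fails when the server holds only the CA certificate, while direct reference succeeds with just the CA.

```python
"""Receiver-side resolution of the signer's certificate for the two WS-Security
key-identifier styles (DirectReference vs IssuerSerial).  Hypothetical example;
certificates are dicts, not DER, and nothing is cryptographically verified."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
WSU_ID = "{%s}Id" % NS["wsu"]   # Clark notation for the wsu:Id attribute

# Constructed stand-ins for the CA certificate and the caller's own certificate.
CA_CERT = {"subject": "CN=Example CA", "issuer": "CN=Example CA", "serial": 1}
USER_CERT = {"subject": "CN=Guy", "issuer": "CN=Example CA", "serial": 4711}


def encode_cert(cert):
    """Stand-in for DER+base64 encoding of a certificate (constructed format)."""
    return base64.b64encode(f"{cert['subject']}|{cert['issuer']}|{cert['serial']}".encode()).decode()


def decode_cert(b64):
    subject, issuer, serial = base64.b64decode(b64).decode().split("|")
    return {"subject": subject, "issuer": issuer, "serial": int(serial)}


def _envelope(security_children):
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soapenv:Header><wsse:Security>'
            f'{security_children}</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>')


def _signature(str_inner):
    # SignatureValue is a dummy; only the SecurityTokenReference matters here.
    return ('<ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue><ds:KeyInfo>'
            f'<wsse:SecurityTokenReference>{str_inner}</wsse:SecurityTokenReference>'
            '</ds:KeyInfo></ds:Signature>')


def header_direct_reference(cert, token_id="X509Token"):
    """DirectReference: the signer's cert travels in the message as a BinarySecurityToken
    and KeyInfo points at it by URI."""
    bst = (f'<wsse:BinarySecurityToken wsu:Id="{token_id}" ValueType="{X509V3}" '
           f'EncodingType="{B64}">{encode_cert(cert)}</wsse:BinarySecurityToken>')
    return _envelope(bst + _signature(f'<wsse:Reference URI="#{token_id}" ValueType="{X509V3}"/>'))


def header_issuer_serial(cert):
    """IssuerSerial: only the issuer DN and serial number travel; the receiver must
    already hold the certificate."""
    iss = (f'<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>{cert["issuer"]}</ds:X509IssuerName>'
           f'<ds:X509SerialNumber>{cert["serial"]}</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>')
    return _envelope(_signature(iss))


def find_alias_for_x509_cert(keystore, issuer, serial):
    """Stand-in for the getAliasForX509Cert(issuer, serial) lookup seen in the debug log."""
    for alias, cert in keystore.items():
        if cert["issuer"] == issuer and cert["serial"] == serial:
            return alias
    return None


def resolve_signer_cert(envelope_xml, keystore):
    """Return (cert, method) for the certificate that KeyInfo designates, or raise."""
    root = ET.fromstring(envelope_xml)
    str_el = root.find("soapenv:Header/wsse:Security/ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("no SecurityTokenReference in KeyInfo")
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:                                  # DirectReference
        token_id = ref.get("URI", "").lstrip("#")
        token = next((t for t in root.iterfind(".//wsse:BinarySecurityToken", NS)
                      if t.get(WSU_ID) == token_id), None)
        if token is None:
            raise ValueError(f"no BinarySecurityToken with wsu:Id={token_id!r}")
        cert, method = decode_cert(token.text.strip()), "DirectReference"
    else:                                                # IssuerSerial
        issuer = str_el.findtext("ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName", namespaces=NS)
        serial = int(str_el.findtext("ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber", namespaces=NS))
        alias = find_alias_for_x509_cert(keystore, issuer, serial)
        if alias is None:                                # the failure Guy reported
            raise LookupError(f"no keystore entry for issuer={issuer!r} serial={serial}")
        cert, method = keystore[alias], "IssuerSerial"
    # In both styles the signer's issuer must be a CA the receiver already trusts.
    if not any(k["subject"] == cert["issuer"] == k["issuer"] for k in keystore.values()):
        raise ValueError(f"issuer {cert['issuer']!r} is not a trusted CA in the keystore")
    return cert, method


def resolution_outcome(envelope_xml, keystore):
    """Summarise the receiver's result as a string, for display and testing."""
    try:
        return resolve_signer_cert(envelope_xml, keystore)[1]
    except LookupError:
        return "lookup-failed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    ca_only, full = {"ca": CA_CERT}, {"ca": CA_CERT, "guy": USER_CERT}
    for label, env in (("DirectReference", header_direct_reference(USER_CERT)),
                       ("IssuerSerial", header_issuer_serial(USER_CERT))):
        print(f"{label:16} CA only -> {resolution_outcome(env, ca_only)}; "
              f"full keystore -> {resolution_outcome(env, full)}")
```

Running the script shows the two outcomes side by side: with a keystore holding only the CA, the direct-reference message resolves and the issuer-serial message reports `lookup-failed`; with the caller's certificate added, both resolve. Note that this toy receiver trusts any certificate whose issuer is in the keystore, which is the direct-reference trust model the documentation page describes, whereas WSDoAllReceiver at the time (per Werner's postscript) still required every certificate in the chain to be present in the keystore.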
