Thanks, Colm. In fact the exception is thrown because my Crypto implementation (a PKCS11 hardware security token) used by my client to sign the SOAP request does not contain the certificate used by the server to sign its SOAP response.

The hack I used to make the certificate available is subclassing MerlinDevice. The code is simple but feels very dirty. I wonder if a better way exists or can be added to WSS4J.

On Tue, 11 Aug 2020 at 11:33 Colm O hEigeartaigh <[email protected]> wrote:

> Yes, it's a valid response. CXF/WSS4J handles the SubjectKeyIdentifier case
> as follows:
>
> https://github.com/apache/ws-wss4j/blob/420947d684383aeed40a2e41717da6197fb1d9dd/ws-security-common/src/main/java/org/apache/wss4j/common/token/SecurityTokenReference.java#L373
>
> This extracts the SKI bytes from the message and asks the Crypto
> implementation to match it to a Certificate stored in the keystore:
>
> https://github.com/apache/ws-wss4j/blob/7707ffa5bcb1d903eb8e21cbd059dc94649cd5a5/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L1144
>
> So the corresponding certificate should be stored in your local signature
> keystore and it should work.
>
> Colm.
>
> On Mon, Aug 3, 2020 at 8:32 PM Raffaele Sgarro <[email protected]>
> wrote:
>
> > I'm programming a client for a SOAP service that is configured through a
> > policy in the WSDL
> > <https://gist.github.com/RaffaeleSgarro/60791b4ffdacae692d53c449de6d0ffb>.
> > The service responds with a message that would be perfectly fine to work
> > with, but has a signature that makes CXF throw an error and hence halts
> > the execution of the program. From the XML of the response I can't tell if
> > there's something wrong with CXF or the response itself, mainly because the
> > piece:
> >
> > <ds:KeyInfo>
> > <wsse:SecurityTokenReference>
> > <wsse:KeyIdentifier
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
> > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
> > KTK582+s/nxWsbkIeNRTRDH+ju0=
> > </wsse:KeyIdentifier>
> > </wsse:SecurityTokenReference></ds:KeyInfo>
> >
> > is not enough for me to understand where the certificate to verify the
> > signature is supposed to be found.
> >
> > The full (and syntax highlighted) XML of the response is here
> > <https://stackoverflow.com/questions/63234657/is-the-signature-in-the-following-soap-response-valid-can-it-be-validated-altog>.
> > Can CXF tell if the message is valid using only the message itself and the
> > given policy? Or do I need some other piece of information? If that's the
> > case, how can I pass it?
> >
> > Thanks,
> > Raffaele
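The lookup Colm describes (decode the Base64 KeyIdentifier, then ask the Crypto implementation for the certificate whose SubjectKeyIdentifier extension has those bytes) can be reproduced outside CXF to check ahead of time whether a given keystore actually holds the server's certificate. The following Java program is an added example written for this thread, not code from WSS4J or from either poster; it uses only the JDK, takes the SKI value from the quoted response, and assumes a placeholder JKS keystore path and password (`client-sig.jks`, `changeit`) that you would replace with the signature keystore your client is configured with.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

/**
 * Checks whether a keystore contains the certificate referenced by a
 * wsse:KeyIdentifier of type X509SubjectKeyIdentifier. It performs the same
 * matching step that WSS4J's Merlin does: decode the Base64 SKI from the
 * message and compare it with the SubjectKeyIdentifier extension
 * (OID 2.5.29.14) of every certificate in the keystore.
 */
public class SkiKeystoreCheck {

    private static final String SKI_OID = "2.5.29.14";

    /** Returns the raw SKI bytes of a certificate, or null if it has no SKI extension. */
    static byte[] skiBytes(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) {
            return null;
        }
        // getExtensionValue() returns the DER OCTET STRING that wraps the
        // extension value; for SKI that value is itself an OCTET STRING, so
        // two (tag, length) layers are stripped to reach the identifier bytes.
        byte[] inner = derOctetStringContent(ext);
        return derOctetStringContent(inner);
    }

    /** Strips the tag and length of a DER OCTET STRING and returns its content. */
    static byte[] derOctetStringContent(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int lenByte = der[1] & 0xFF;
        int offset = 2;
        int length;
        if (lenByte < 0x80) {
            length = lenByte;                  // short form: the byte is the length
        } else {
            int numLenBytes = lenByte & 0x7F;  // long form: 0x8N, followed by N length bytes
            length = 0;
            for (int i = 0; i < numLenBytes; i++) {
                length = (length << 8) | (der[offset++] & 0xFF);
            }
        }
        return Arrays.copyOfRange(der, offset, offset + length);
    }

    /** Returns the alias of the first certificate whose SKI matches, or null if none does. */
    static String findAliasBySki(KeyStore ks, byte[] wantedSki) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                byte[] ski = skiBytes((X509Certificate) c);
                if (ski != null && Arrays.equals(ski, wantedSki)) {
                    return alias;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // The KeyIdentifier value from the SOAP response quoted in the thread.
        byte[] wantedSki = Base64.getDecoder().decode("KTK582+s/nxWsbkIeNRTRDH+ju0=");

        // Placeholder keystore path and password (assumption for this example):
        // point them at the signature keystore your CXF client's Merlin uses.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("client-sig.jks")) {
            ks.load(in, "changeit".toCharArray());
        }

        String alias = findAliasBySki(ks, wantedSki);
        if (alias == null) {
            System.out.println("No certificate with this SKI: WSS4J cannot resolve the KeyIdentifier from this keystore");
        } else {
            System.out.println("Matching certificate alias: " + alias);
        }
    }
}
```

Run against the keystore the client signs with and the result tells you which side of the problem you are on: a match means the KeyIdentifier can be resolved and the failure lies elsewhere; no match means the server's signing certificate must be made available to the Crypto implementation (for a PKCS11 token, `KeyStore.getInstance("PKCS11", provider)` enumerates the token's objects the same way, so the check also shows whether the certificate is missing from the token itself).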
