Thanks Werner,

In my case I have an easy work-around, as the clients of our web services are few. I can just deploy a different group of services for every customer and have a different keystore for each of them, therefore only the right clients would have a trusted certificate for a particular group of services.

I guess adding some functionality to check the certificate contents (something like the PasswordCallBack) could be useful for a future version of WSS4J.

Juan

-----Original Message-----
From: Werner Dittmann [mailto:[EMAIL PROTECTED]
Sent: 16 September 2005 07:37
To: Juan Cervera
Cc: Granqvist, Hans; [email protected]
Subject: Re: Signature question

In that case your application has to check the certificate's subject. WSS4J checks if the Signature is ok according to the keys stored in the certificate. WSS4J cannot check if the Signature comes from the "right" sender.

Using the result structure an application can access the X.509 certificate used to check the Signature. Using the cert you may now check if the Signature conforms to your requirements.

Regards,
Werner

Juan Cervera wrote:
> Thanks Hans,
>
> My problem is, how does the server know that the message comes from B and not from A? If I want to process differently the messages from A than those from B I would need to know which message is from who. I don't see anything in WSS4J that allows me to do that check, the only thing that seems to let me do is to ensure that the certificate is actually trusted and that the DigestValue corresponds to it, as far as that is right it will accept the message, so a message could be either from A or B but I won't know ...
>
> Best Regards,
>
> Juan Cervera
> Technical Architect
> Nomad Software Limited
>
> ------------------------------------------------------------------------
> *From:* Granqvist, Hans [mailto:[EMAIL PROTECTED]
> *Sent:* 15 September 2005 15:26
> *To:* Juan Cervera; [email protected]
> *Subject:* RE: Signature question
>
> Hi Juan,
>
> Anyone can replace any signature unless it is covered by another signature, but that just creates a new message.
>
> In your example, the message the server receives says "B signed this" instead of the original "A signed this". B did in fact (re-)sign it, even if B changed the content before signing.
>
> This is equal to just replacing the message with a new one. The server receives a message from B instead of A, and has to treat it accordingly. If the server must process messages from B differently than messages from A, there is no way around checking the DN of the cert used for signing.
>
> Hans
>
> ------------------------------------------------------------------------
> *From:* Juan Cervera [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, September 15, 2005 2:40 AM
> *To:* [email protected]
> *Subject:* Signature question
>
> Hi,
>
> I have a question about signature with WSS4J, it is more a conceptual question than a technical one, hopefully someone can clarify this to me as I'm a bit confused about it right now.
>
> When a client signs a message, the header gets the DigestValue with the signature and the KeyInfo with the certificate used to sign the body (or any other tokens). The server receives the message, validates the certificate in its keystore and verifies the DigestValue.
>
> My problem is the following, how does the server know, assuming that the DigestValue is fine for that certificate, that this certificate is in fact the one that the message had when was generated and that nobody has changed both certificate and DigestValue at some point?
>
> Let's say that there are two clients that access that server, both have a certificate created from the same root CA key.
> If the server just checks if the certificate is in the keystore how can it ensure that the signature and the certificate are really the ones sent by client A? The message may have been intercepted by client B (which has as well a valid certificate) who has just dropped the certificate and the DigestValue and replaced them with his own certificate and generated a new valid DigestValue after changing the body in whatever way they wanted! How can I detect this kind of tampering? I know that the certificates carry information about their owners, but I don't see any place in WSS4J where I can ask for that kind of verification, which would sort this issue.
>
> I know I could deal with this by having different keystores with different root CA keys for every client, that would require a different server per client though, in my case that is not an issue but I cannot believe that the specification cannot deal with this, so probably some of my assumptions are not right or I have missed some functionality in some place.
>
> Any help?
>
> Thanks,
>
> Juan
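
The check Werner and Hans describe above (compare the subject DN of the certificate that verified the signature), as an added example that is not part of the original thread and is not WSS4J code. It uses only JDK classes and assumes the application has already obtained the signer's `X509Certificate` from the WSS4J result structure; the class name, client ids and DNs are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper: maps the signer's subject DN to a known client. */
public class SignerAuthorizer {
    // Allow-list keyed by X500Principal, whose equals() compares the
    // canonical DN form, so case and spacing differences do not matter.
    private final Map<X500Principal, String> clientsByDn = new HashMap<>();

    public void register(String subjectDn, String clientId) {
        clientsByDn.put(new X500Principal(subjectDn), clientId);
    }

    /** Call with the certificate that verified the signature (assumed to come from the WSS4J results). */
    public String identify(X509Certificate signerCert) {
        return identify(signerCert.getSubjectX500Principal());
    }

    public String identify(X500Principal subject) {
        String clientId = clientsByDn.get(subject);
        if (clientId == null) {
            // Trusted by the keystore, but not a client this service knows.
            throw new SecurityException("Unknown signer: " + subject.getName());
        }
        return clientId;
    }
    /** Rejects a validly signed message whose signer is not the expected client. */
    public void requireClient(X500Principal subject, String expectedClientId) {
        String actual = identify(subject);
        if (!actual.equals(expectedClientId)) {
            throw new SecurityException("Signed by " + actual + ", expected " + expectedClientId);
        }
    }
    public static void main(String[] args) {
        SignerAuthorizer auth = new SignerAuthorizer();
        // Constructed sample DNs: two clients issued by the same CA.
        auth.register("CN=Client A, O=Example Ltd, C=GB", "clientA");
        auth.register("CN=Client B, O=Example Ltd, C=GB", "clientB");
        // Same DN with different case and spacing still matches client B.
        X500Principal signer = new X500Principal("cn=client b,o=example ltd,c=gb");
        System.out.println(auth.identify(signer));
        try {
            auth.requireClient(signer, "clientA"); // B re-signed a message expected from A
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The expected client id has to come from something the signature does not control, such as the account the request is routed to; otherwise the check only confirms what the signer claims about itself.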
