Werner, > that's correct. WSS4J does not perform the certificate > verification. The WSS4J Axis handlers have some code that perform a > basic certificate path verification.
I have thought until now that the verifyTrust-method in WSHandler does perform the path-validation completely. First the method looks into the given keystore if there is the certificate to which the message refers to. If the certificate is found in the keystore then the path-validation is done. You can only add a certificate into a keystore if the trusted cert path is also given or already in the keystore. If the certificate is not found in the keystore then the method tries to build the trusted cert-path on its own. (At this point there are two bugs in 1.5, see JIRA WSS-52) Then the Crypto-Module validates the path and throws an WSSException if the path is not trusted. Please correct me if i am wrong. Davanum Srinivas wrote: > Sounds good! any volunteers :) > > -- dims > > On 8/14/06, David Del Vecchio <[EMAIL PROTECTED]> wrote: >> This does seem like it would be useful functionality. Perhaps we can add >> path validation support, but make it configurable with a switch so that >> applications that need it can take advantage of it, but those that don't >> (or need custom processing) are unaffected. >> >> David >> >> On Mon, 14 Aug 2006 07:48:33 -0500 >> <[EMAIL PROTECTED]> wrote: >> >> > Wow, that is very suprising. Admittedly I am a security novice, >> but > I assumed verifying tbe root CA would be basic included, if not >> > required, functionality. Thanks for the heads up anyway. >> > >> > -----Original Message----- >> > From: Werner Dittmann [mailto:[EMAIL PROTECTED] Sent: >> > Saturday, August 12, 2006 1:41 AM >> > To: Hansen, Rick (TLR Corp) >> > Cc: [email protected] >> > Subject: Re: How to verify root certificate? >> > >> > Richard, >> > that's correct. WSS4J does not perform the certificate >> > verification. The WSS4J Axis handlers have some code that perform a >> > basic certificate path verification. This was done because >> certificate >> > path verification is sometime not necessary for basic security >> > (encryption). WSS4J returns >> > the certificate used for signature verification to the calling >> > application (WSSecurityEngine does this). >> > >> > Regards, >> > Werner >> > >> > [EMAIL PROTECTED] wrote: >> > >> > I've searched quite a bit but have found nothing on how to get >> > WSS4J to verify the root X509 certificate. Can anyone tell me how or >> > point me to an example? >> > >> > I am using WSS4J programatically (not under Axis) to sign and >> > verify SOAP messages. Using the WSSecSignature and WSSecurityEngine >> > classes I >> > >> > >> > have gotten thing things working well except that the root >> > certificate >> > >> > >> > is not verified. I have been using a self-signed cert for >> > testing and passing the cert in the BinarySecurityToken. Any >> > certificate seems to be trusted, in fact I can even use an empty >> > keystore on the server. >> > >> > Rick Hansen >> > >> > >> > >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
