Richard, as said, the basic WSS4J classes don't have this verification built in, the Axis handlers that use this basic classes perform some sort of path verification. Thus it is "built-in" if somebody uses the handlers.
We decided not to do path verification in the basic classes because there are several ways to perform path verification. Maybe a user has several key stores where root certificates can be located or some other way to get a root (or intermediate) certificate. Because of this the WSS4J basic classes only check the validity of the certificate used to sign and/or encrypt. Regards, Werner [EMAIL PROTECTED] wrote: > Wow, that is very suprising. Admittedly I am a security novice, but I > assumed verifying tbe root CA would be basic included, if not required, > functionality. Thanks for the heads up anyway. > > -----Original Message----- > From: Werner Dittmann [mailto:[EMAIL PROTECTED] > Sent: Saturday, August 12, 2006 1:41 AM > To: Hansen, Rick (TLR Corp) > Cc: [email protected] > Subject: Re: How to verify root certificate? > > Richard, > that's correct. WSS4J does not perform the certificate verification. The > WSS4J Axis handlers have some code that perform a basic certificate path > verification. This was done because certificate path verification is > sometime not necessary for basic security (encryption). WSS4J returns > the certificate used for signature verification to the calling > application (WSSecurityEngine does this). > > Regards, > Werner > > [EMAIL PROTECTED] wrote: >> I've searched quite a bit but have found nothing on how to get WSS4J >> to verify the root X509 certificate. Can anyone tell me how or point >> me to an example? >> >> I am using WSS4J programatically (not under Axis) to sign and verify >> SOAP messages. Using the WSSecSignature and WSSecurityEngine classes I > >> have gotten thing things working well except that the root certificate > >> is not verified. I have been using a self-signed cert for testing and >> passing the cert in the BinarySecurityToken. Any certificate seems to >> be trusted, in fact I can even use an empty keystore on the server. >> >> Rick Hansen > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
