> So server checks the trust of the signature by comparing it with the key
> from the keystore doesn't it?

Yes, that's one of the steps - "direct trust". If that fails, it checks for
the issuer of the client certificate, and the trust path of the issuer.

> when I changed the keystore (for one containing wrong key) without changing
> the client side I still didn't receive any error and the message went fine.

That would be a major bug if true. Can you check this again, and possibly
submit a test-case?

> As for passwordCallbackClass I thought that in case of "Signature" action
> this class is used to obtain password to the entry in keystore for given
> alias (in signaturePropFile I have only password to the keystore itself).
> Isn't that true?

Yes it is. But on the inbound side, you only need the public key to verify a
signature. You only need a password to access the corresponding private key
in the keystore.

Colm.

-----Original Message-----
From: Lukasz L. [mailto:[email protected]]
Sent: 12 December 2008 18:41
To: [email protected]
Subject: RE: Signature question

Hi Colm,

thank you for the reply,

So server checks the trust of the signature by comparing it with the key from
the keystore doesn't it? That makes sense but I experienced something other:
when I changed the keystore (for one containing wrong key) without changing
the client side I still didn't receive any error and the message went fine.
Am I missing something in the configuration?

As for passwordCallbackClass I thought that in case of "Signature" action
this class is used to obtain password to the entry in keystore for given
alias (in signaturePropFile I have only password to the keystore itself).
Isn't that true?

Lukasz

Colm O hEigeartaigh wrote:
>
>> Please see
>> http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
>
> In your WSS4JInInterceptor config, you don't need the
> "passwordCallbackClass" property, as to verify a signature you only need
> the public key and hence no password.
>
>> "Does the server really use the key from signaturePropFile to verify the
>> signature on incoming message? What's the role of BinarySecurityToken in
>> incoming message then?"
>
> The BinarySecurityToken contains the X509 certificate which corresponds
> to the key that was used to sign the message. This is all that's needed
> to verify the signature on the inbound side. The problem the message
> consumer is faced with then is, ok I have a valid signature, but is the
> "signee" who he/she says they are? The keystore referenced in the
> signaturePropFile on the server side should contain the public key of
> the client, or preferably the certificate of the CA that issued the
> client cert, and this is used to verify trust on the signature.
>
> Colm.

--
View this message in context: http://www.nabble.com/Signature-question-tp20978463p20981225.html
Sent from the WSS4J mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
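As an added illustration of the two trust steps Colm describes (direct trust, then the issuer's trust path), here is the same decision written against the plain JDK certificate APIs. This is example code, not WSS4J's own implementation; it assumes the caller has already verified the XML signature against the certificate from the BinarySecurityToken and has loaded the keystore named in signaturePropFile.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Trust decision for the signer certificate taken from the BinarySecurityToken,
// made after the signature itself has already verified against that certificate.
public final class SignerTrust {

    // Step 1, "direct trust": the keystore holds this exact certificate.
    // getCertificateAlias matches on the encoded certificate, so a keystore that
    // holds a different certificate for the same subject name does not match.
    static boolean isDirectlyTrusted(KeyStore ks, X509Certificate signer) throws Exception {
        return ks.getCertificateAlias(signer) != null;
    }

    // Step 2, "issuer trust": a PKIX path from the signer certificate must end at a
    // trusted-certificate entry (the issuing CA) in the keystore. Only
    // TrustedCertificateEntry entries act as anchors, not the server's PrivateKeyEntry.
    static boolean isIssuerTrusted(KeyStore ks, X509Certificate signer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.<Certificate>singletonList(signer));
        try {
            PKIXParameters params = new PKIXParameters(ks);
            params.setRevocationEnabled(false); // no CRL/OCSP checking in this example
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            return false; // keystore contains no trusted-certificate entries at all
        } catch (CertPathValidatorException e) {
            return false; // not issued by any CA in the keystore, or expired, etc.
        }
    }

    // Accept the signer only if one of the two steps succeeds; a message whose
    // signature verifies but whose signer is untrusted must still be rejected.
    static boolean isTrusted(KeyStore ks, X509Certificate signer) throws Exception {
        return isDirectlyTrusted(ks, signer) || isIssuerTrusted(ks, signer);
    }
}
```

With the swapped keystore from the thread (one holding neither the client's certificate nor its issuing CA), both steps return false, which is the rejection the sender expected to see.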
