You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Lukasz L." <Lu...@sabre.com> on 2008/12/12 17:07:48 UTC
Signature question
Hi,
Maybe I should have asked this question here as it concerns WSS4J.
Please see
http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
Especially the question "Does server really uses the key from
signaturePropFile to verify the signature on incoming message? What's the
role of BinarySecurityToken in incoming message then?"
--
View this message in context: http://www.nabble.com/Signature-question-tp20978463p20978463.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: Signature question
Posted by "Lukasz L." <Lu...@sabre.com>.
I did more tests and it seems that the problem is elsewhere (WSS4J works ok).
I updated original thread with the explanation
thanks for help
Colm O hEigeartaigh wrote:
>
>
>> : when I changed the
>> keystore (for one containing wrong key) without changing the client
> side I
>> still didn't received any error and the message went fine.
>
> That would be a major bug if true. Can you check this again, and
> possibly submit a test-case?
>
>
--
View this message in context: http://www.nabble.com/Signature-question-tp20978463p21014601.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: Signature question
Posted by Colm O hEigeartaigh <co...@progress.com>.
> So server checks the trust of the signature by comparing it with the
key
> from the keystore doesn't it?
Yes, that's one of the steps - "direct trust". If that fails, it checks
for the issuer of the client certificate, and the trust path of the
issuer.
> : when I changed the
> keystore (for one containing wrong key) without changing the client
side I
> still didn't received any error and the message went fine.
That would be a major bug if true. Can you check this again, and
possibly submit a test-case?
> As for passwordCallbackClass I thought that in case of "Signature"
action
> this class is used to obtain password to the entry in keystore for
given
> alias (in signaturePropFile I have only password to the keystore
itself).
> Isn't that true?
Yes it is. But on the inbound side, you only need the public key to
verify a signature. You only need a password to access the corresponding
private key in the keystore.
Colm.
-----Original Message-----
From: Lukasz L. [mailto:Lukasz.Lichota@sabre.com]
Sent: 12 December 2008 18:41
To: wss4j-dev@ws.apache.org
Subject: RE: Signature question
Hi Colm,
thank you for the reply,
So server checks the trust of the signature by comparing it with the key
from the keystore doesn't it?
That makes sense but I experienced something other: when I changed the
keystore (for one containing wrong key) without changing the client side
I
still didn't received any error and the message went fine.
Am I missing something in the configuration?
As for passwordCallbackClass I thought that in case of "Signature"
action
this class is used to obtain password to the entry in keystore for given
alias (in signaturePropFile I have only password to the keystore
itself).
Isn't that true?
Lukasz
Colm O hEigeartaigh wrote:
>
>
>> Please see
>> http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
>
> In your WSS4JInInterceptor config, you don't need the
> "passwordCallbackClass" property, as to verify a signature you only
need
> the public key and hence no password.
>
>> "Does server really uses the key from
>> signaturePropFile to verify the signature on incoming message? What's
> the
>> role of BinarySecurityToken in incoming message then?"
>
> The BinarySecurityToken contains the X509 certificate which
corresponds
> to the key that was used to sign the message. This is all that's
needed
> to verify the signature on the inbound side. The problem the message
> consumer is faced with then is, ok I have a valid signature, but is
the
> "signee" who he/she says they are? The keystore referenced in the
> signaturePropFile on the server side should contain the public key of
> the client, or preferably the certificate of the CA that issued the
> client cert, and this is used to verify trust on the signature.
>
> Colm.
>
>
>
--
View this message in context:
http://www.nabble.com/Signature-question-tp20978463p20981225.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: Signature question
Posted by "Lukasz L." <Lu...@sabre.com>.
Hi Colm,
thank you for the reply,
So server checks the trust of the signature by comparing it with the key
from the keystore doesn't it?
That makes sense but I experienced something other: when I changed the
keystore (for one containing wrong key) without changing the client side I
still didn't received any error and the message went fine.
Am I missing something in the configuration?
As for passwordCallbackClass I thought that in case of "Signature" action
this class is used to obtain password to the entry in keystore for given
alias (in signaturePropFile I have only password to the keystore itself).
Isn't that true?
Lukasz
Colm O hEigeartaigh wrote:
>
>
>> Please see
>> http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
>
> In your WSS4JInInterceptor config, you don't need the
> "passwordCallbackClass" property, as to verify a signature you only need
> the public key and hence no password.
>
>> "Does server really uses the key from
>> signaturePropFile to verify the signature on incoming message? What's
> the
>> role of BinarySecurityToken in incoming message then?"
>
> The BinarySecurityToken contains the X509 certificate which corresponds
> to the key that was used to sign the message. This is all that's needed
> to verify the signature on the inbound side. The problem the message
> consumer is faced with then is, ok I have a valid signature, but is the
> "signee" who he/she says they are? The keystore referenced in the
> signaturePropFile on the server side should contain the public key of
> the client, or preferably the certificate of the CA that issued the
> client cert, and this is used to verify trust on the signature.
>
> Colm.
>
>
>
--
View this message in context: http://www.nabble.com/Signature-question-tp20978463p20981225.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
RE: Signature question
Posted by Colm O hEigeartaigh <co...@progress.com>.
> Please see
> http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
In your WSS4JInInterceptor config, you don't need the
"passwordCallbackClass" property, as to verify a signature you only need
the public key and hence no password.
> "Does server really uses the key from
> signaturePropFile to verify the signature on incoming message? What's
the
> role of BinarySecurityToken in incoming message then?"
The BinarySecurityToken contains the X509 certificate which corresponds
to the key that was used to sign the message. This is all that's needed
to verify the signature on the inbound side. The problem the message
consumer is faced with then is, ok I have a valid signature, but is the
"signee" who he/she says they are? The keystore referenced in the
signaturePropFile on the server side should contain the public key of
the client, or preferably the certificate of the CA that issued the
client cert, and this is used to verify trust on the signature.
Colm.
-----Original Message-----
From: Lukasz L. [mailto:Lukasz.Lichota@sabre.com]
Sent: 12 December 2008 16:08
To: wss4j-dev@ws.apache.org
Subject: Signature question
Hi,
Maybe I should have asked this question here as it concerns WSS4J.
Please see
http://cwiki.apache.org/SM/discussion-forums.html#nabble-td20857457
Especially the question "Does server really uses the key from
signaturePropFile to verify the signature on incoming message? What's
the
role of BinarySecurityToken in incoming message then?"
--
View this message in context:
http://www.nabble.com/Signature-question-tp20978463p20978463.html
Sent from the WSS4J mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org