Posted to wss4j-dev@ws.apache.org by ri...@thomson.com on 2006/08/11 19:05:31 UTC

How to verify root certificate?

I've searched quite a bit but have found nothing on how to get WSS4J to
verify the root X509 certificate. Can anyone tell me how or point me to
an example?
 
I am using WSS4J programmatically (not under Axis) to sign and verify
SOAP messages. Using the WSSecSignature and WSSecurityEngine classes I
have gotten things working well except that the root certificate
is not verified. I have been using a self-signed cert for testing and
passing the cert in the BinarySecurityToken. Any certificate seems to be
trusted, in fact I can even use an empty keystore on the server.
 
Rick Hansen

Re: How to verify root certificate?

Posted by Guy Rixon <gt...@ast.cam.ac.uk>.
The Java CoG ("Commodity Grid") kit has some code to check certificate paths.
I use that with WSS4J (although I had to do violence to WSS4J to put in the
CoG stuff). It also handles RFC3820 proxy certificates. See
http://www.globus.org/ for details.

On Sat, 12 Aug 2006, Werner Dittmann wrote:

> Richard,
> that's correct. WSS4J does not perform the certificate verification. The
> WSS4J Axis handlers have some code that performs a basic certificate path
> verification. This was done because certificate path verification is
> sometimes not necessary for basic security (encryption). WSS4J returns
> the certificate used for signature verification to the calling application
> (WSSecurityEngine does this).
>
> Regards,
> Werner
>
> richard.hansen@thomson.com wrote:
> > I've searched quite a bit but have found nothing on how to get WSS4J to
> > verify the root X509 certificate. Can anyone tell me how or point me to
> > an example?
> >
> > I am using WSS4J programmatically (not under Axis) to sign and verify
> > SOAP messages. Using the WSSecSignature and WSSecurityEngine classes I
> > have gotten things working well except that the root certificate
> > is not verified. I have been using a self-signed cert for testing and
> > passing the cert in the BinarySecurityToken. Any certificate seems to be
> > trusted, in fact I can even use an empty keystore on the server.
> >
> > Rick Hansen
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>

Guy Rixon 				        gtr@ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523


Re: How to verify root certificate?

Posted by Werner Dittmann <We...@t-online.de>.
Richard,
that's correct. WSS4J does not perform the certificate verification. The
WSS4J Axis handlers have some code that performs a basic certificate path
verification. This was done because certificate path verification is
sometimes not necessary for basic security (encryption). WSS4J returns
the certificate used for signature verification to the calling application
(WSSecurityEngine does this).

Regards,
Werner

richard.hansen@thomson.com wrote:
> I've searched quite a bit but have found nothing on how to get WSS4J to
> verify the root X509 certificate. Can anyone tell me how or point me to
> an example?
>  
> I am using WSS4J programmatically (not under Axis) to sign and verify
> SOAP messages. Using the WSSecSignature and WSSecurityEngine classes I
> have gotten things working well except that the root certificate
> is not verified. I have been using a self-signed cert for testing and
> passing the cert in the BinarySecurityToken. Any certificate seems to be
> trusted, in fact I can even use an empty keystore on the server.
>  
> Rick Hansen
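
Added example (not part of the original thread, and not WSS4J or CoG code): one way for the calling application to check the certificate that WSS4J hands back after signature verification, using only the JDK's PKIX validator. The class name, method name and command-line arguments are hypothetical; it assumes the chain arrives signer-first and that no CRL/OCSP source is configured, so revocation checking is switched off.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

public class SignerTrustCheck {
    /**
     * Throws if the chain (signer certificate first, trust anchor excluded)
     * does not lead to a certificate in trustStore; returns normally if trusted.
     */
    static void requireTrusted(List<X509Certificate> chain, KeyStore trustStore)
            throws Exception {
        X509Certificate signer = chain.get(0);
        signer.checkValidity();                 // reject expired / not-yet-valid
        // Case 1: the signer certificate itself is pinned in the trust store.
        if (trustStore.getCertificateAlias(signer) != null) {
            return;
        }
        // Case 2: validate a PKIX path to a trusted CA. An empty trust store
        // fails here with InvalidAlgorithmParameterException (no trust anchors).
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);     // assumption: no CRL/OCSP configured
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        // Throws CertPathValidatorException for an untrusted or broken chain.
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: <truststore.jks> <password> <signer.cer>
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        X509Certificate signer;
        try (InputStream in = new FileInputStream(args[2])) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        requireTrusted(Collections.singletonList(signer), ts);
        System.out.println("trusted: " + signer.getSubjectX500Principal());
    }
}
```

With this check in place, a self-signed certificate that is not in the trust store is rejected, and so is any certificate when the trust store is empty.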

