Posted to fx-dev@ws.apache.org by Mike <to...@umiacs.umd.edu> on 2005/07/05 23:01:14 UTC

Signature verification

Hi,
  We're trying to use a SAMLToken w/ holder-of-key for authentication. 
The service side is set up according to the appropriate test case.

	<requestFlow>
	    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
	        <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
	        <parameter name="signaturePropFile" value="servercrypto.properties"/>
	    </handler>
	</requestFlow>

servercrypto.properties:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.provider=BC
org.apache.ws.security.crypto.merlin.keystore.password=xxxx
org.apache.ws.security.crypto.merlin.file=gensvr.keystore

Wss4j is able to find the properties, appropriate keystore, and alias in 
that keystore for the certificate issuer, but is unable to verify the 
cert path between client and issuer.

AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode:
  faultString: WSDoAllReceiver: Certificate path verification failed for certificate with subject OU=client, OU=umiacs; nested exception is:
         org.apache.ws.security.WSSecurityException: General security error (Error during certificate path validation: signature check failed); nested exception is:
         java.security.cert.CertPathValidatorException: signature check failed

Tracking this down, it appears that the SUN provider that is used by 
default isn't happy when you use bouncycastle to handle keystore 
activity. Changing 'CertPathValidator.getInstance' in Merlin.java to use 
the same provider as the keystore appears to fix this. Am I missing 
something, or is this a bug?

-Mike
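The provider mismatch Mike describes can be reproduced outside WSS4J with plain JCA calls. The following standalone diagnostic is an added example, not code from the original post or from WSS4J's Merlin: it loads the PKCS12 keystore through the Bouncy Castle provider exactly as the properties file above configures, takes the issuer certificate from the given alias as the sole trust anchor, and then validates the client certificate twice, once with CertPathValidator.getInstance("PKIX") (the default provider, which is what Merlin used) and once with the validator from the same provider as the keystore. The keystore path, password, issuer alias and client certificate file are assumed command-line arguments; the class name, the BC jar on the classpath and a DER/PEM-encoded client certificate file are likewise assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Diagnostic for the "signature check failed" CertPathValidatorException:
 * validate a client certificate against the issuer certificate held in a
 * BC-loaded PKCS12 keystore, using (1) the default CertPathValidator provider
 * and (2) the keystore's own provider, and report which run succeeds.
 *
 * Assumed invocation (not from the original post):
 *   java -cp .:bcprov.jar CertPathProviderCheck gensvr.keystore <password> <issuerAlias> client.cer
 */
public class CertPathProviderCheck {

    // Same provider name the Merlin property keystore.provider=BC selects.
    static final String KEYSTORE_PROVIDER = "BC";

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: CertPathProviderCheck <keystore.p12> <password> <issuerAlias> <client.cer>");
            System.exit(2);
        }
        Security.addProvider(new BouncyCastleProvider());

        // Load the keystore the way Merlin does with keystore.type=pkcs12 and keystore.provider=BC.
        KeyStore ks = KeyStore.getInstance("pkcs12", KEYSTORE_PROVIDER);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate issuer = (X509Certificate) ks.getCertificate(args[2]);
        if (issuer == null) {
            throw new IllegalArgumentException("no certificate stored under alias " + args[2]);
        }

        // The client certificate, i.e. the one carried in the holder-of-key SAML token.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (InputStream in = new FileInputStream(args[3])) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        // A one-element path: the client cert, to be chained to the issuer trust anchor.
        CertPath path = cf.generateCertPath(Collections.singletonList(client));

        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(issuer, null)));
        // No CRLs are present in the keystore; disable revocation so only the
        // signature/chain check is exercised.
        params.setRevocationEnabled(false);

        // Run 1: whatever provider JCA picks by default (SUN on a stock JDK).
        validateAndReport("default provider", CertPathValidator.getInstance("PKIX"), path, params);
        // Run 2: the provider that also produced the keystore's certificate objects.
        validateAndReport("keystore provider", CertPathValidator.getInstance("PKIX", KEYSTORE_PROVIDER), path, params);
    }

    /** Returns true if the path validates; prints the provider actually used and any failure reason. */
    static boolean validateAndReport(String label, CertPathValidator validator, CertPath path, PKIXParameters params) {
        String who = label + " (" + validator.getProvider().getName() + ")";
        try {
            validator.validate(path, params);
            System.out.println(who + ": OK");
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println(who + ": FAILED: " + e.getMessage());
            return false;
        }
    }
}
```

If the first run fails with "signature check failed" while the second succeeds on the same inputs, the problem is the validator/keystore provider mismatch rather than the certificates themselves. If both runs fail, the client certificate genuinely does not chain to the certificate under that alias (wrong alias, wrong issuer key, or an intermediate missing from the path), and changing the provider in Merlin will not help.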