Hi,

I think I found a bug in the X509TokenValidator class, but before posting a new JIRA entry I would like to get your confirmation in this regard.

As far as I understand this matter (and please correct me if I'm wrong), there are two crypto handlers I can configure:

    <entry key="ws-security.signature.crypto" value-ref="..."/>
    <entry key="ws-security.encryption.crypto" value-ref="..."/>

ws-security.signature.crypto is for my own signature when sending messages, and for decrypting messages which have been sent to me (here is my private key).

ws-security.encryption.crypto is for encrypting messages before sending and for validating signatures in received messages (here are all my trusted public keys/CAs).

If this is correct, I assume that the following line (101) in CXF version 2.5.0 needs to be updated:

    Crypto sigCrypto = stsProperties.getSignatureCrypto();

Because here the signature of a received message should be verified, but the crypto provider for my own signature is called/used.

(I want to store my private key in a local keystore and get public keys via an XKMS CryptoProvider. As far as I understood, this would not work with this X509TokenValidator...)

Best regards
Jan

--
View this message in context: http://cxf.547215.n5.nabble.com/X509TokenValidator-tp5139681p5139681.html
Sent from the cxf-dev mailing list archive at Nabble.com.
