Hi Jan,

Yes, I think you are correct - go ahead and file a JIRA. I think it should fall back to the signature Crypto object if the encryption Crypto object is not specified.

Colm.

On Thu, Jan 12, 2012 at 11:15 AM, janb <[email protected]> wrote:
> Hi I think I found a bug in X509TokenValidator class, but before posting a
> new jira entry I would like to get your confirmation in this behalf.
>
> As far as I understand this matter and please correct me if I'm wrong:
> There are two crypto handlers I can configure:
> <entry key="ws-security.signature.crypto" value-ref="..."/>
> <entry key="ws-security.encryption.crypto" value-ref="..."/>
>
> ws-security.signature.crypto is for my own signature, when sending messages,
> and to decrypt messages, which have been sent to me. (here is my private
> key)
> ws-security.encryption.crypto is for encrypting messages before sending and
> validating of signatures in received messages. (here are all my trusted
> public keys/CAs)
>
> If this is correct, I assume that the following line (101) in cxf Version
> 2.5.0 needs to be updated:
>
> Crypto sigCrypto = stsProperties.getSignatureCrypto();
>
> Because here the signature of a received message should be verified, but the
> crypto provider for my own signature is called/used.
>
> ((I want to store my private key in a local keystore and get public keys via
> an XKMS CryptoProvider. As far as I understood this would not work with this
> X509TokenValidator...))
>
> Best regards
> Jan
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/X509TokenValidator-tp5139681p5139681.html
> Sent from the cxf-dev mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
