I am operating in an environment where I communicate with web services from a group of organizations with certs signed by a common CA. This set of organizations is mutable, and I don't want to manage my truststore every time a new organization joins. However, per my understanding of the specifications, when sending a signature it is allowable to only send the modulus/exponent of the public key. When I receive this message, the public key is not enough information to verify whether or not that public key was issued by the CA that I trust.
I would like to write a custom validator which ensures the crypto aspect of this public key and the signature but stops short of trying to establish the trust of the public key. Is there a good resource or tutorial for how I could swap in a custom validator? I am not in love with this solution; however, in my scenario the signature is backed by two-way SSL at the transport level, so I am OK with overlooking the trust of the public key at the signature level. Thank you!

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-WSS4J-signature-validation-problem-tp5719033p5720594.html
Sent from the cxf-dev mailing list archive at Nabble.com.
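The kind of validator the post asks for, as an added example that is not part of the original message or of the CXF/WSS4J projects. It assumes WSS4J 1.6 (package `org.apache.ws.security`, the line CXF 2.x shipped with), where the cryptographic check of the XML Signature is done by WSS4J's `SignatureProcessor` before any `Validator` is called, and the `Validator` registered for the signature token decides only whether the signing key is trusted. The class name `NoTrustSignatureValidator`, the package `example.ws` and the 2048-bit RSA floor are choices made for this example. Returning the credential without consulting the `Crypto` truststore means any holder of any key pair can produce a signature that passes; the two-way SSL the post relies on has to be what ties the message to an authorised peer.

```java
// Added example; not code from the original post or from CXF/WSS4J.
// Assumes WSS4J 1.6 (org.apache.ws.security.*), as used by CXF 2.x.
package example.ws; // hypothetical package for this example

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;

/**
 * Signature-token validator that accepts the key the signature was
 * verified against without asking the Crypto truststore whether it chains
 * to a trusted CA. WSS4J has already verified the signature value itself
 * (reference digests and the signature over SignedInfo) before this
 * validator runs; this class only replaces the trust decision.
 */
public class NoTrustSignatureValidator implements Validator {

    /** Smallest RSA modulus accepted; an example policy, not a WSS4J default. */
    private static final int MIN_RSA_BITS = 2048;

    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        if (credential == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        X509Certificate[] certs = credential.getCertificates();
        PublicKey key = credential.getPublicKey();

        // A KeyValue (modulus/exponent) token yields only a PublicKey;
        // a BinarySecurityToken or X509Data reference yields certificates.
        if ((certs == null || certs.length == 0) && key == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        if (key == null) {
            // Take the key from the certificate but still do not chain-build
            // or consult the truststore; that is exactly the step being skipped.
            key = certs[0].getPublicKey();
        }

        checkKeyStrength(key);
        return credential;
    }

    /**
     * The "crypto aspect" of the key that can be checked without a truststore:
     * reject short RSA moduli and any algorithm this deployment does not use.
     */
    static void checkKeyStrength(PublicKey key) throws WSSecurityException {
        if (key instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) key).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) {
                throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
            }
            return;
        }
        // Anything that is not RSA is rejected by this example's policy.
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
    }
}
```

To plug it in under CXF (an assumption about the CXF 2.x configuration, not something the post confirms), the validator is set as the value of the `ws-security.signature.validator` endpoint property, for example as a `<bean class="example.ws.NoTrustSignatureValidator"/>` entry in the `jaxws:properties` of the endpoint; with plain WSS4J it is registered through `WSSConfig.setValidator(WSSecurityEngine.SIGNATURE, new NoTrustSignatureValidator())` on the `WSSConfig` handed to the `WSSecurityEngine`. Because trust is no longer checked here, the TLS client-certificate check on the transport must remain mandatory for every request that carries such a signature.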
