Hello, I have a question about our public key certificate WS-Security sample/test (link at very bottom of [1]). The particular files I'm concerned about here are client.xml[2] and the similar server.xml in the same folder.
The client.xml file references a KeystorePasswordCallback handler[3], which is used for obtaining the passwords to keys stored in a keystore. (This is apparently not for the keystore password--that's hardcoded in the properties file as in [4]--but the passwords for individual keys within it.)

I see no problem with a KeystorePasswordCallback for *private* keys (namely, when the service is decrypting the SOAP request using its private key, or signing the response with the same; or when the client is signing the request with its private key or decrypting the response with the same), but I don't think it should need to be used with public keys stored in a trust store. I.e., once I load a public key into a trust store using a command such as:

    keytool -import -noprompt -trustcacerts -alias MyServer -file MyServer.cer -keystore MyTrustStore

a password should *not* be needed for obtaining this key, correct? In other words, for the client to encrypt the SOAP request with the service's public key, or verify the signature of the SOAP response with the same, no password should be needed to obtain that public key from the keystore.

It seems strange, because it appears that WSS4J (or at least our configuration of it) is wanting a password for public keys.

Thanks,
Glen

[1] http://cwiki.apache.org/confluence/x/pME
[2] http://tinyurl.com/6rwhz6
[3] http://tinyurl.com/62r6s5
[4] http://tinyurl.com/5vv6wy

--
View this message in context: http://www.nabble.com/KeystorePasswordCallback-in-CXF%27s-WS-Security-sample-tp18631505p18631505.html
Sent from the cxf-user mailing list archive at Nabble.com.
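Editor's note: the following is an added example, not code from the CXF sample or from the poster. It illustrates the distinction the question turns on: in a java.security.KeyStore a trusted-certificate entry (what the keytool -import above creates) is read with getCertificate(alias), which takes no password, whereas a private-key entry is read with getKey(alias, password). The CallbackHandler therefore only needs to answer WSPasswordCallback requests whose usage is SIGNATURE or DECRYPT (the two operations that use one's own private key). The alias-to-password map, the keystore path and the store password are assumptions supplied by the caller; the WSS4J class name and usage constants are those of the org.apache.ws.security package in WSS4J 1.5.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Supplies key passwords only for private-key usages; public-key lookups get none. */
public class PrivateKeyOnlyCallback implements CallbackHandler {
    // alias -> password of that private key (assumed to come from a secret source, not a checked-in file)
    private final Map<String, String> keyPasswords;

    public PrivateKeyOnlyCallback(Map<String, String> keyPasswords) {
        this.keyPasswords = keyPasswords;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            int usage = pc.getUsage();
            // Signing and decrypting use our own private key, so a key password is needed.
            if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                String pw = keyPasswords.get(pc.getIdentifier());
                if (pw != null) {
                    pc.setPassword(pw);
                }
            }
            // Encrypting to the peer or verifying its signature only needs its certificate,
            // which the crypto provider reads with KeyStore.getCertificate(alias): nothing to set.
        }
    }

    /** Lists each entry and shows that a certificate is readable without any key password. */
    public static void inspect(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(path), storePassword);   // store password only guards integrity
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);      // no per-entry password for this
            System.out.println(alias + ": certificate present=" + (cert != null)
                + ", private key entry (needs key password)=" + ks.isKeyEntry(alias));
        }
    }

    public static void main(String[] args) throws Exception {
        inspect(args[0], args[1].toCharArray());   // e.g. MyTrustStore <store password>
    }
}
```

Run against the trust store created with the keytool command above: the MyServer entry shows a certificate and isKeyEntry=false, so no password beyond the store password is ever involved for it.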
