Wow, that is very surprising. Admittedly I am a security novice, but I assumed verifying the root CA would be basic included, if not required, functionality. Thanks for the heads up anyway.

-----Original Message-----
From: Werner Dittmann [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 12, 2006 1:41 AM
To: Hansen, Rick (TLR Corp)
Cc: [email protected]
Subject: Re: How to verify root certificate?

Richard,

that's correct. WSS4J does not perform the certificate verification. The WSS4J Axis handlers have some code that performs a basic certificate path verification. This was done because certificate path verification is sometimes not necessary for basic security (encryption). WSS4J returns the certificate used for signature verification to the calling application (WSSecurityEngine does this).

Regards,
Werner

[EMAIL PROTECTED] wrote:
> I've searched quite a bit but have found nothing on how to get WSS4J
> to verify the root X509 certificate. Can anyone tell me how or point
> me to an example?
>
> I am using WSS4J programmatically (not under Axis) to sign and verify
> SOAP messages. Using the WSSecSignature and WSSecurityEngine classes I
> have gotten things working well except that the root certificate
> is not verified. I have been using a self-signed cert for testing and
> passing the cert in the BinarySecurityToken. Any certificate seems to
> be trusted, in fact I can even use an empty keystore on the server.
>
> Rick Hansen
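
One way a calling application could run the path check itself on the signer certificate that WSS4J hands back, using only the standard `java.security.cert` API (an added example, not code from this thread or from WSS4J). The class name, method name and command-line arguments are hypothetical, and obtaining the certificate from the WSS4J results is not shown; a certificate file stands in for it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.List;

public class SignerCertCheck {

    /** True only if chain (signer certificate first) validates to a trusted entry in trustStore. */
    static boolean isTrusted(List<X509Certificate> chain, KeyStore trustStore) {
        if (chain.isEmpty()) {
            return false; // nothing to validate: never treat as trusted
        }
        try {
            // The constructor throws InvalidAlgorithmParameterException when the keystore
            // has no trusted certificate entries, so an empty keystore fails closed.
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source available
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (Exception e) {
            return false; // any validation or setup failure means "not trusted"
        }
    }

    // Hypothetical usage: java SignerCertCheck <signer-cert-file> <trust-store-file> <password>
    public static void main(String[] args) throws Exception {
        X509Certificate signer;
        try (InputStream in = new FileInputStream(args[0])) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null); // constructed in memory: initialized, no entries
        System.out.println("empty keystore: " + isTrusted(List.of(signer), empty));

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trustStore.load(in, args[2].toCharArray());
        }
        System.out.println("trust store:    " + isTrusted(List.of(signer), trustStore));
    }
}
```

The message signature should be accepted only when this check returns true for the certificate that signature verification returned.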
