Hi,
I am working on a web services project where the client is Java and the
server is on .NET WSE 2.0 SP2.
I got "Referenced security token could not be retrieved" from .NET server.
For Security Token References, I have the following understanding:
1. If the KeyIdentifier is set to WSConstants.BST_DIRECT_REFERENCE, the
whole cert will be transferred to the receiver, and the receiver will
extract the certificate to do verification. But the receiver should also
verify that the transferred certificate has not been tampered with by checking
BOTH the signature of the certificate's CA and the thumbprint of the
certificate. The certificate thumbprint should be passed to the receiver
offline beforehand. Is this correct?
2. If the KeyIdentifier is set to WSConstants.ISSUER_SERIAL, only the
issuer name and the serial number of the certificate will be transferred to
the receiver. The certificate should have been passed to the receiver
offline beforehand. The receiver will store the certificate in its
keystore and fetch the certificate at runtime according to the issuer name
and serial number. Is this correct?
3. If the KeyIdentifier is set to WSConstants.X509_KEY_IDENTIFIER, "the
certificate is converted into a KeyIdentifier token and sent to the
receiver" (according to the WSS4J source code), but is the whole certificate
transferred to the receiver? How does this option differ from
WSConstants.BST_DIRECT_REFERENCE?
4. If the KeyIdentifier is set to WSConstants.SKI_KEY_IDENTIFIER, a
"SubjectKeyIdentifier" (SKI extension) will be sent to the receiver. In this
case, the receiver should also already have the certificate in its
keystore (is this correct?).
5. I don't really know the difference between X509_KEY_IDENTIFIER and
SKI_KEY_IDENTIFIER. Is it true that KEY_IDENTIFIER will definitely not
include the SKI extension and SKI_KEY_IDENTIFIER will always include the SKI
extension during the KeyIdentifier generation?
Could anyone enlighten me?
Regards,
Xinjun
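The following is an added example, not part of Xinjun's post and not WSS4J's own code. It shows the two halves of the question above: the sender choosing a key identifier type when signing, and the receiver resolving that reference against its own keystore. It is written against the WSS4J 1.5.x API (WSSecSignature, Crypto, CryptoFactory, WSConstants); the keystore alias "client", the key password "client-password" and the file name "crypto.properties" are assumed names, and the receiver half takes the values parsed out of the SecurityTokenReference as parameters because the XML parsing itself is not shown. In WSS4J's implementation both BST_DIRECT_REFERENCE and X509_KEY_IDENTIFIER carry the full DER-encoded certificate (as a BinarySecurityToken or base64 inside a KeyIdentifier element), so the receiver handles them the same way and must still establish trust locally; ISSUER_SERIAL, SKI_KEY_IDENTIFIER and THUMBPRINT_IDENTIFIER only carry a lookup key, so the certificate has to be in the receiver's keystore already.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.cert.X509Certificate;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;

public class TokenReferenceDemo {

    // Sender side: sign the SOAP envelope and choose how the signing certificate
    // is referenced in the Signature's KeyInfo. Alias, password and properties
    // file name are assumed values for this example.
    public static Document signWith(Document soapDoc, int keyIdentifierType)
            throws WSSecurityException {
        Crypto senderCrypto = CryptoFactory.getInstance("crypto.properties");
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(soapDoc);

        WSSecSignature signer = new WSSecSignature();
        signer.setUserInfo("client", "client-password");
        // One of WSConstants.BST_DIRECT_REFERENCE, ISSUER_SERIAL,
        // X509_KEY_IDENTIFIER, SKI_KEY_IDENTIFIER, THUMBPRINT_IDENTIFIER.
        signer.setKeyIdentifierType(keyIdentifierType);
        return signer.build(soapDoc, senderCrypto, secHeader);
    }

    // Receiver side: turn the SecurityTokenReference into the signing certificate.
    // The reference fields arrive already parsed; only the ones relevant to the
    // given reference type are read, the others may be null.
    public static X509Certificate resolveSigningCert(Crypto receiverCrypto, int keyIdentifierType,
            byte[] encodedCert, String issuerName, BigInteger serialNumber,
            byte[] subjectKeyIdentifier, byte[] thumbprint) throws WSSecurityException {
        String alias;
        switch (keyIdentifierType) {
        case WSConstants.BST_DIRECT_REFERENCE:
        case WSConstants.X509_KEY_IDENTIFIER: {
            // The full DER certificate travels with the message. That gives the
            // receiver the certificate but not trust in it: the chain must still be
            // validated against the CAs in the receiver's own keystore before the
            // public key is used to verify the signature.
            X509Certificate presented =
                    receiverCrypto.loadCertificate(new ByteArrayInputStream(encodedCert));
            if (!receiverCrypto.validateCertPath(new X509Certificate[] { presented })) {
                throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
            }
            return presented;
        }
        case WSConstants.ISSUER_SERIAL:
            // Only issuer DN and serial number travel; the certificate itself must
            // already be in the receiver's keystore.
            alias = receiverCrypto.getAliasForX509Cert(issuerName, serialNumber);
            break;
        case WSConstants.SKI_KEY_IDENTIFIER:
            // Only the SubjectKeyIdentifier value travels; the lookup matches it
            // against the SKI of the certificates in the local keystore.
            alias = receiverCrypto.getAliasForX509Cert(subjectKeyIdentifier);
            break;
        case WSConstants.THUMBPRINT_IDENTIFIER:
            // SHA-1 over the DER certificate; again resolved from the local keystore.
            alias = receiverCrypto.getAliasForX509CertThumb(thumbprint);
            break;
        default:
            throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN);
        }
        if (alias == null) {
            // The reference points at a certificate the receiver does not hold, so
            // the token cannot be retrieved; this is the case to check first when a
            // lookup-style reference (issuer/serial, SKI, thumbprint) is rejected.
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE);
        }
        return receiverCrypto.getCertificates(alias)[0];
    }
}
```

When interoperating with a receiver that resolves references from its own store, the practical check is therefore to confirm that the exact certificate the client signs with (same issuer and serial, same SKI extension, same thumbprint) is installed on the receiver side before changing the key identifier type; a direct reference avoids the lookup but moves the burden to chain validation on the receiver.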