Oleg

Reputation: 3014

Apache CXF - configure WSS4J to extract server's x.509 certificate from SOAP header

I'm communicating with a server which inserts its X.509 certificate as a Binary Security Token in the SOAP response header. How can I configure my WSS4JInInterceptor accordingly?

Here is my code, which expects the certificate to be in a JKS keystore:

// for incoming messages: Signature and Timestamp validation. Response is Encrypted
Map<String, Object> inProps = new HashMap<String, Object>();
inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.ENCRYPT);
inProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeystorePasswordCallbackHandler.class.getName());
// crypto properties used to verify the server's signature
inProps.put(WSHandlerConstants.SIG_PROP_FILE, "server_sec.properties");
// crypto properties holding our private key for decrypting the response
inProps.put(WSHandlerConstants.DEC_PROP_FILE, "client_sec.properties");

wss4JInInterceptor = new WSS4JInInterceptor(inProps);

server_sec.properties:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.keystore.alias=ver2
org.apache.ws.security.crypto.merlin.file=certs/kontaktinfo-server-test.jks

How can I reconfigure it to extract the certificate from Binary Security Token instead?

Upvotes: 1

Views: 1042

Answers (1)

Colm O hEigeartaigh

Reputation: 1900

If the response references a certificate in the security header, then WSS4J will handle it without any configuration changes required. However, you still need to configure at least a trust-store, to verify trust in the certificate. So your "signing" keystore configuration must at least have the issuing cert of the cert used to verify the signature.

Upvotes: 1
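As an added example (not the asker's code, the answer's, or CXF's own), here is the setup the answer describes in Java: inbound WSS4J properties that rely on a trust-store for signature verification instead of a keystore holding the server's own certificate, plus a start-up check that the trust-store really contains the issuer of the server certificate. It assumes WSS4J 1.6+ (for `SIG_VER_PROP_FILE`), the asker's `ClientKeystorePasswordCallbackHandler` on the classpath, and a hypothetical `truststore.properties` file.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import org.apache.ws.security.handler.WSHandlerConstants;

public class BstTrustConfig {
    // Inbound config: the server's cert arrives in the BinarySecurityToken, so no
    // signing alias is needed on our side. What WSS4J needs is a trust-store from
    // which it can chain that cert to an issuer we trust (WSS4J 1.6+ property names).
    public static Map<String, Object> buildInProps() {
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE + " "
                + WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.ENCRYPT);
        // Crypto properties used only for signature verification. Assumed file name;
        // same Merlin format as server_sec.properties, but merlin.file points at a
        // JKS that holds the issuing CA certificate rather than the server's own cert.
        inProps.put(WSHandlerConstants.SIG_VER_PROP_FILE, "truststore.properties");
        // Our private key for decrypting the response, as in the question.
        inProps.put(WSHandlerConstants.DEC_PROP_FILE, "client_sec.properties");
        inProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                ClientKeystorePasswordCallbackHandler.class.getName());
        return inProps;
    }

    // Pre-flight check for the answer's requirement: the trust-store must contain
    // the issuer of the server certificate. Returns the matching alias, or null.
    public static String findIssuerAlias(X509Certificate serverCert, String trustStorePath,
            char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        for (Enumeration<String> aliases = ts.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate issuer = (X509Certificate) ts.getCertificate(alias);
            if (!issuer.getSubjectX500Principal().equals(serverCert.getIssuerX500Principal())) continue;
            serverCert.verify(issuer.getPublicKey()); // a name match alone is not enough
            return alias;
        }
        return null;
    }
}
```

Pass `buildInProps()` to `new WSS4JInInterceptor(...)` as in the question; if `findIssuerAlias` returns null or `verify` throws, WSS4J will likewise refuse to trust the certificate from the BinarySecurityToken, however the rest of the interceptor is configured.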
