Retrieving certificate from SecurityTokenReference reference.

[rafael-andrade]

Hi team,

I have a question regarding the process of validating the signature. I need to configure a Crypto to validate the signature. Why do I need that?

phase4/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java

Line 151 in 8ec05af

aRequestData.setSigVerCrypto (m_aCryptoFactorySign.getCrypto (ECryptoMode.DECRYPT_VERIFY));

The certificate is already provided in SecurityTokenReference reference inside the signature, which is the certificate used to sign the document.

• Why would I need a Crypto for that?
• Is it possible to validate the signature without providing the crypto?
• Can I create the crypto with the certificate that is already provided in SecurityTokenReference?

[phax]

Hi @rafael-andrade,
If you are thinking about Peppol, than indeed each certificate is provided as a Binary Security Token (BST). However, in other scenarios the certificate information is exchanged differently (e.g. via Subject Key Identifier, SKI).

May I ask, why that is an issue for you?
What profile are you using?

[rafael-andrade]

@phax Hi Philip,

Yes, my question is Peppol related. When we receive a AS4 User Message, the public key should be retrieved from SMP or from inside the security header (at least in my thoughts, I am not sure if I am completely right here).

I am not understanding how the Crypto is being loaded/handled in this particular case, since the certificate will be "dynamically" as it is based on the sender.

[phax]

Incoming BSTs are handled by class BinarySecurityTokenProcessor in wss4j. This class is requiring the Crypto object to be set for parsing the certificate.

[rafael-andrade]

I understand that, the problem is that when receiving a message, the Crypto does not have the certificate that is present in the signature (which must be loaded dynamically) and certificate is considered as non-trusted. I suppose that ignoring completely the trust verification is not a good practice.

So I am trying to understand how to setup the crypto for certificate verification for inbound messages.

Caused by: org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path validation: No trusted certs found

[rafael-andrade]

My bad to be honest, checking the verifyTrust code inside WSS4J Merlin class or CertificateStore class I could see that certificate does not need be the same as it is inside the KeyStore/TrustStore. It tries to validate it directly (same certificate) but if it does not match it then tries to validate the issuer.

My initial thought was that the exact same certificate must be present inside the KeyStore/TrustStore, which is not correct.