[jboss-user] [JBossWS] - Re: WS-Security: keystores and truststores

jason.greene@jboss.com do-not-reply at jboss.com
Thu Mar 29 12:14:57 EDT 2007


Encryption operates very differently from signature processing. You can relate it to SSL mutual auth or PGP.

In order to use encryption you need 2 key pairs (public/private) for each party; in the spirit of old-school cryptography, let's call them Bob and Alice. In order to send an encrypted message to Alice, Bob must have her public key. He encrypts the message to Alice using her public key, which she can then decrypt using her private key. Likewise, when she replies to the message she uses Bob's public key to encrypt it, and he uses his private key to decrypt it.

Now when sending these messages, WS-Security needs to know which public key the message was encrypted with. To do this, one mechanism is to send the X509 token of the public cert in the message. However, this causes another form of validation to occur. WS-Security requires that all tokens be validated, so therefore Bob and Alice need to trust their own public keys.

Here is the setup:
bobs.keystore
---------------
bob - keyPair (public + private key)
alice - trustedCertEntry (just alice's public key)

bobs.truststore
----------------
bob - trustedCertEntry (just bob's public key)

alices.keystore
-----------------
alice - keyPair (public + private key)
bob - trustedCertEntry (just bob's public key)

alices.truststore
----------------
alice - trustedCertEntry (just alice's public key)


Note, this is just for encryption; to enable signing as well, you also need to add a trust entry for the other party, since in signature processing it's the public key that is used for decryption.

Let me know if you have any other questions.

-Jason

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4032846#4032846

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4032846
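The four-store layout Jason lists above, built with the JDK's keytool. This is an added example, not code from the original post or from JBossWS: the aliases (bob, alice) and store file names follow the post; the store password, the self-signed certificates, their DNs and the JKS store type are assumptions made here so the script runs offline. Replace the password and use CA-issued certificates in a real deployment.

```shell
#!/bin/sh
# Added example: reproduce the post's keystore/truststore layout with keytool.
# Assumed (not from the post): store password, self-signed certs, DNs, JKS type.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # assumed placeholder; never ship this value

# gen_pair DIR NAME: self-signed RSA key pair under alias NAME in DIR/NAMEs.keystore
gen_pair() {
  dir=$1; name=$2
  keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=$name, O=Example" -storetype JKS \
    -keystore "$dir/${name}s.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# export_cert DIR NAME: write NAME's certificate (public key only) to DIR/NAME.cer
export_cert() {
  dir=$1; name=$2
  keytool -exportcert -alias "$name" -storetype JKS -keystore "$dir/${name}s.keystore" \
    -storepass "$STOREPASS" -file "$dir/$name.cer"
}

# import_cert DIR STORE ALIAS: add ALIAS's cert to DIR/STORE as a trustedCertEntry
# (keytool creates the store file if it does not exist yet)
import_cert() {
  dir=$1; store=$2; alias=$3
  keytool -importcert -noprompt -alias "$alias" -file "$dir/$alias.cer" \
    -storetype JKS -keystore "$dir/$store" -storepass "$STOREPASS"
}

# build_stores DIR: bobs.keystore, bobs.truststore, alices.keystore, alices.truststore
build_stores() {
  dir=$1
  mkdir -p "$dir"
  gen_pair "$dir" bob
  gen_pair "$dir" alice
  export_cert "$dir" bob
  export_cert "$dir" alice
  # keystores: own key pair plus the peer's cert, needed to encrypt to the peer
  import_cert "$dir" bobs.keystore alice
  import_cert "$dir" alices.keystore bob
  # truststores: each party trusts its own cert, so the X509 token it sends
  # in the encrypted message passes WS-Security token validation
  import_cert "$dir" bobs.truststore bob
  import_cert "$dir" alices.truststore alice
}

# entry_type DIR STORE ALIAS: prints PrivateKeyEntry or trustedCertEntry for ALIAS
entry_type() {
  keytool -list -storetype JKS -keystore "$1/$2" -storepass "$STOREPASS" -alias "$3" \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# Usage:  . ./build_stores.sh && build_stores ./stores && entry_type ./stores bobs.keystore alice
```

Check the result with entry_type: the owner's alias in each keystore must be a PrivateKeyEntry and every other alias a trustedCertEntry. For signing as well, the post says each truststore additionally needs the other party's cert (import_cert "$dir" bobs.truststore alice and the mirror for Alice).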