Encryption operates very differently from signature processing. You can relate it to doing
SSL mutual auth, or PGP.
In order to use encryption you need 2 key pairs (public/private), one for each party; in the
spirit of old-school cryptography, let's call them Bob and Alice. In order to send an encrypted
message to Alice, Bob must have her public key. He encrypts the message to Alice using
her public key, which she can then decrypt using her private key. Likewise, when she
replies to the message she uses Bob's public key to encrypt the message, and he uses
his private key to decrypt the message.
Now, when sending these messages, WS-Security needs to know which public key the message was
encrypted with. To do this, one mechanism is to send the X509 token of the public cert in
the message. However, this causes another form of validation to occur. WS-Security requires
that all tokens be validated. So Bob and Alice need to trust their own public
keys.
Here is the setup:

bobs.keystore
---------------
bob   - keyPair (public + private key)
alice - trustedCertEntry (just Alice's public key)

bobs.truststore
----------------
bob   - trustedCertEntry (just Bob's public key)

alices.keystore
-----------------
alice - keyPair (public + private key)
bob   - trustedCertEntry (just Bob's public key)

alices.truststore
-----------------
alice - trustedCertEntry (just Alice's public key)

Note: this is just for encryption. To enable signing as well, you also need to add a trust
entry for the other party, since in signature processing it's the public key that is
used for decryption.
Let me know if you have any other questions.
-Jason
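
The exchange described in the post, as an added example that is not part of the original post and not JBossWS code: Bob wraps a fresh AES data key under Alice's public key and attaches her certificate as the X509 token; Alice first checks that token against her truststore (which, exactly as in the four-store layout above, holds only her own cert) and only then uses her private key to unwrap. The four stores are modelled as in-memory maps rather than JKS files, and AES-GCM plus RSA-OAEP stands in for the XML Encryption algorithms; the names `Party`, `Envelope`, `Setup`, `EncryptTo` and `Decrypt` and the sample message are this example's own assumptions. Everything is generated locally, so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party models one side's two stores from the post: Key+Cert is the keyPair entry and
// Peers the other party's trustedCertEntry (the keystore); Trust is the truststore.
type Party struct {
	Name  string
	Key   *rsa.PrivateKey
	Cert  *x509.Certificate
	Peers map[string]*x509.Certificate
	Trust map[[32]byte]bool // certificate fingerprint -> trusted
}

// Envelope stands in for an EncryptedKey/EncryptedData pair carrying an X509 token.
type Envelope struct {
	Token      []byte // DER certificate whose public key wrapped the data key
	WrappedKey []byte // RSA-OAEP(dataKey)
	Nonce      []byte
	Body       []byte // AES-GCM(plaintext), token bound in as associated data
}

func fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newParty generates a key pair and self-signed cert, standing in for keytool -genkeypair.
func newParty(name string) *Party {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Party{Name: name, Key: key, Cert: must(x509.ParseCertificate(der)),
		Peers: map[string]*x509.Certificate{}, Trust: map[[32]byte]bool{}}
}

// Setup reproduces the four stores listed in the post (assumed layout, in memory).
func Setup() (bob, alice *Party) {
	bob, alice = newParty("bob"), newParty("alice")
	bob.Peers["alice"] = alice.Cert                 // bobs.keystore: alice trustedCertEntry
	bob.Trust[fingerprint(bob.Cert.Raw)] = true     // bobs.truststore: bob trustedCertEntry
	alice.Peers["bob"] = bob.Cert                   // alices.keystore: bob trustedCertEntry
	alice.Trust[fingerprint(alice.Cert.Raw)] = true // alices.truststore: alice trustedCertEntry
	return bob, alice
}

// EncryptTo is the sender's side: take the recipient's cert from the keystore, wrap a
// fresh data key under its public key and attach that cert as the X509 token.
func EncryptTo(sender *Party, recipient string, plaintext []byte) (*Envelope, error) {
	cert, ok := sender.Peers[recipient]
	if !ok {
		return nil, fmt.Errorf("%s: no cert for %s in keystore", sender.Name, recipient)
	}
	buf := make([]byte, 32+12) // AES-256 data key followed by the GCM nonce
	must(rand.Read(buf))
	dataKey, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(dataKey))))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader,
		cert.PublicKey.(*rsa.PublicKey), dataKey, nil))
	return &Envelope{Token: cert.Raw, WrappedKey: wrapped, Nonce: nonce,
		Body: gcm.Seal(nil, nonce, plaintext, cert.Raw)}, nil
}

// Decrypt is the recipient's side. WS-Security validates every token before using it, so
// the cert named by the envelope must be in the recipient's own truststore; that is why
// alices.truststore holds alice's own cert. Only then does the private key unwrap the key.
func Decrypt(p *Party, env *Envelope) ([]byte, error) {
	if !p.Trust[fingerprint(env.Token)] {
		return nil, fmt.Errorf("%s: X509 token not in truststore", p.Name)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, p.Key, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("%s: unwrapping data key: %w", p.Name, err)
	}
	if len(dataKey) != 32 { // attacker-supplied key length: reject instead of panicking
		return nil, fmt.Errorf("%s: bad data key length %d", p.Name, len(dataKey))
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(dataKey))))
	return gcm.Open(nil, env.Nonce, env.Body, env.Token)
}
```

Run the pair with `Setup()` followed by `EncryptTo(bob, "alice", msg)` and `Decrypt(alice, env)`. Handing the same envelope to `Decrypt(bob, env)` fails at the truststore check, because bobs.truststore holds only bob's cert, which is the behaviour the post's "Bob and Alice need to trust their own public keys" remark is about; emptying `alice.Trust` makes Alice reject her own token the same way.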