AP not configured to send its own x509 cert back to message exchange initiator.

Published on: 29/03/2011

Current SVN head wsdl for the AP seems to specify:

    <sp:RecipientToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/…">
          <wsp:Policy>
            <sp:WssX509V3Token10/>
            <sp:RequireKeyIdentifierReference/>
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:RecipientToken>

It means that the x509 certificate is never sent back to the sender. This means that the sender has to have the AP x509 certificate in its trust store to allow transmission to occur. Also the START spec documentation specifies that the AP should sign and also put a BinarySecurityToken containing the certificate in the reply so that the client could then work its trust to the AP via that.

Anyhow, changing the tag to this seems to make all the difference (Never -> Always):

    <sp:RecipientToken>
      <wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/…">
          <wsp:Policy>
            <sp:WssX509V3Token10/>
            <sp:RequireKeyIdentifierReference/>
          </wsp:Policy>
        </sp:X509Token>
      </wsp:Policy>
    </sp:RecipientToken>

Now it always sends certs back to the sending party. I tested this with my sender client: it was not working if the AP cert is not in the trust store, and after I changed the value it started working as it is supposed to (not requiring the AP cert to be in the trust store, but conveying trust via trusting the same CA). I noticed this behavior when doing an interop test and dumping SOAP frames trying to find what goes wrong. Also I don't know if this is intentional and I may just have a subpar understanding of the spec, but correct me if I got it all wrong.

jk

Product: Java START
Operating System: None
Component: Access Point
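One way to check a deployed WSDL for the setting the report describes, as an added example that is not part of the original report or of the START/PEPPOL code: a small Python lint that reads the sp:IncludeToken attribute of the sp:X509Token under sp:RecipientToken and reports whether the AP certificate will travel back to the initiator. The five IncludeToken URIs are the ones WS-SecurityPolicy 1.2 defines (the report shows them truncated); the wsp namespace and the completed sample fragments are assumptions made for this example.

```python
"""Added example (not from the page or the PEPPOL/START project): lint a
WS-SecurityPolicy fragment for the sp:IncludeToken mode on the RecipientToken,
the setting the report above says was Never and is wanted as Always."""
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.2 namespace; the IncludeToken URIs below are the five
# values that specification defines (the page shows them truncated).
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
INCLUDE_PREFIX = SP_NS + "/IncludeToken/"
# Assumption: the fragment uses the WS-Policy 1.2 namespace for wsp:Policy.
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# For a RecipientToken, only these modes put the recipient's certificate into
# the message that travels back to the initiator.
RECIPIENT_TOKEN_REACHES_INITIATOR = {
    "Never": False,
    "Once": False,
    "AlwaysToRecipient": False,
    "AlwaysToInitiator": True,
    "Always": True,
}


def find_recipient_include_modes(policy_xml: str) -> list:
    """Return the IncludeToken mode of every sp:X509Token under an
    sp:RecipientToken, stripped to its last path segment. None means the
    attribute is absent; an unrecognised URI is returned unchanged."""
    root = ET.fromstring(policy_xml)
    modes = []
    for recipient in root.iter(f"{{{SP_NS}}}RecipientToken"):
        for x509 in recipient.iter(f"{{{SP_NS}}}X509Token"):
            uri = x509.get(f"{{{SP_NS}}}IncludeToken")
            if uri is None:
                modes.append(None)
            elif uri.startswith(INCLUDE_PREFIX):
                modes.append(uri[len(INCLUDE_PREFIX):])
            else:
                modes.append(uri)
    return modes


def recipient_cert_is_returned(policy_xml: str) -> bool:
    """True only if every RecipientToken X509Token is in a mode that conveys
    the recipient's certificate back to the initiator. An absent or unknown
    IncludeToken counts as not conveyed, so it surfaces for manual review."""
    modes = find_recipient_include_modes(policy_xml)
    if not modes:
        raise ValueError("no sp:RecipientToken/sp:X509Token in fragment")
    return all(RECIPIENT_TOKEN_REACHES_INITIATOR.get(m, False) for m in modes)


def sample_policy(mode: str) -> str:
    """Constructed sample: the RecipientToken fragment quoted in the report,
    with the IncludeToken URI completed to the given mode."""
    return f"""<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}">
  <sp:RecipientToken>
    <wsp:Policy>
      <sp:X509Token sp:IncludeToken="{INCLUDE_PREFIX}{mode}">
        <wsp:Policy>
          <sp:WssX509V3Token10/>
          <sp:RequireKeyIdentifierReference/>
        </wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
  </sp:RecipientToken>
</wsp:Policy>"""


if __name__ == "__main__":
    for mode in ("Never", "Always"):
        verdict = "returned" if recipient_cert_is_returned(sample_policy(mode)) else "NOT returned"
        print(f"IncludeToken/{mode}: recipient certificate {verdict} to initiator")
```

Having the certificate conveyed in the response lets the initiator chain it to a CA it already trusts instead of pinning every individual AP certificate; the initiator still has to validate that chain (and revocation status) for whatever certificate arrives in the message, otherwise the change only moves the trust decision into the message itself.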
jussikin (not verified)
Fri, 01/04/2011 - 19:56

Gotta add that testing with only one cert would not reveal this kind of bug internally. To find out this kind of situation, testing with at least 2 certs given by the same CA would be necessary. I heard some faint rumors that it is a bit hard to get more test AP certs from the PEPPOL test CA. Is that true? jk