  • Encrypting Response w/Client's Public Key


    I have a basic web service working using Spring-WS secured using XWS. Basically both the client and server require encryption and both require messages to be signed. So far I have been successful in doing this; the only problem is that in my server's XWS policy file, I have to hard-code the alias of the entry in the keystore for encrypting the response. What I would *LIKE* to do is have the server automatically encrypt the response using the public key that is contained within the message from the client. The problem is, I don't know how to configure this, and I can't seem to find any information on how to do this.

    I would appreciate any pointers regarding this. However, I'm wondering... if there's no practical way of doing this (which doesn't seem plausible), should I instead just be using a shared symmetric key for performing encryption/decryption of the messages?

    Thank you,


  • #2
    Why don't you just encrypt with the server's private key and have the client decrypt with the public key? What I mean is, each endpoint should be encrypting with its private key and decrypting with the other party's public key.


    • #3
      But that's not how a PKI system works. In a PKI system, you perform encryption operations with the recipient's public key, and the recipient decrypts with their own private key. This is how XWSS works (and Spring-WS makes it easy to work w/XWSS via interceptors and whatnot).

      Besides, there's no point in encrypting something (except in the case when dealing with signatures) with your own private key because anybody with your public key can decrypt it.

      I did actually find this link:

      which describes EXACTLY what I want to do. I'm now in the process of hacking the "KeyStoreCallbackHandler" code in order to do this. I'll update this post as I make progress.

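The exchange that #3 describes, as an added illustration that is not part of this thread and not Spring-WS or XWSS code: the client signs the request with its private key and attaches its certificate (what the WS-Security BinarySecurityToken carries); the server checks that the certificate is trusted, verifies the signature with the public key inside it, and only then encrypts the response to that same key instead of to a hard-coded keystore alias; the client decrypts with its own private key. Everything here is constructed for the demo (the self-signed client certificate, the trust pool, the SOAP-looking body strings), and it uses Go's standard library rather than any WS-Security toolkit. One simplification: real XML Encryption encrypts the body with a fresh symmetric key and only wraps that key with the recipient's RSA public key, whereas this block RSA-OAEP-encrypts the short response directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedRequest stands in for a WS-Security request: the SOAP body, the client's
// signature over it, and the client's certificate (the BinarySecurityToken).
type SignedRequest struct {
	Body      []byte
	Signature []byte
	CertDER   []byte
}

// newSession builds the constructed fixtures: a client key pair, a self-signed
// certificate for it, a server trust pool holding that certificate, and a
// request signed by the client with its private key. (Real deployments use a
// CA-issued client certificate; self-signed is only for the demo.)
func newSession(body []byte) (*rsa.PrivateKey, *x509.CertPool, *SignedRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the server's trust store knows this client
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, nil, err
	}
	return key, trusted, &SignedRequest{Body: body, Signature: sig, CertDER: der}, nil
}

// serverRespond is the server side. The recipient key is taken from the
// message, not from a keystore alias, but only after the certificate chains to
// a trusted root and the request signature verifies under that key; otherwise
// the server would be encrypting to an unauthenticated key.
func serverRespond(trusted *x509.CertPool, req *SignedRequest, response []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("client certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("client certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(req.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], req.Signature); err != nil {
		return nil, errors.New("request signature invalid; refusing to encrypt the response")
	}
	// Encrypt to the client's public key; only the client's private key can open it.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, response, nil)
}

// RoundTrip runs the whole exchange and returns the plaintext the client recovers
// with its own private key.
func RoundTrip(response []byte) ([]byte, error) {
	key, trusted, req, err := newSession([]byte("<soap:Body>getQuote</soap:Body>"))
	if err != nil {
		return nil, err
	}
	ct, err := serverRespond(trusted, req, response)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

// TamperedRequestRejected shows the failure mode: a body altered after signing
// no longer verifies, so the server sends nothing rather than trusting the key.
func TamperedRequestRejected() bool {
	_, trusted, req, err := newSession([]byte("<soap:Body>getQuote</soap:Body>"))
	if err != nil {
		return false
	}
	req.Body[11] ^= 0x01 // flip one bit of the signed body
	_, err = serverRespond(trusted, req, []byte("secret"))
	return err != nil
}

func main() {
	pt, err := RoundTrip([]byte("<soap:Body>quote=42</soap:Body>"))
	fmt.Println(string(pt), err, TamperedRequestRejected())
}
```

The point #3 makes is the ordering inside `serverRespond`: signature verification with the sender's public key authenticates the request, and that verified key is then the one the response is encrypted to; encrypting with the server's own private key, as #2 proposed, would let anyone holding the server's public key read it.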

      • #4
        Doh! Of course you're right, and I'm an idiot. This is what I get for surfing message boards before I've had my morning coffee!


        • #5
          Hey, you may want to look at the solution in this thread:

          Encrypt response using client-supplied public key in XWSS and WSS4J