Thread: Encrypting Response w/Client's Public Key

  1. #1
    Join Date
    Jul 2008
    Location
    Waterford, NY
    Posts
    8

    Encrypting Response w/Client's Public Key

    Greetings,

    I have a basic web service working using Spring-WS secured using XWS. Basically both the client and server require encryption and both require messages to be signed. So far I have been successful in doing this; the only problem is that in my server's XWS policy file, I have to hard code the alias of the entry in the keystore for encrypting the response. What I would *LIKE* to do is have the server automatically encrypt the response using the public key that is contained within the message from the client. The problem is, I don't know how to configure this, and I can't seem to find any information on how to do this.

    I would appreciate any pointers regarding this. However I'm wondering...if there's no practical way of doing this (which doesn't seem plausible), should I instead just be using a shared symmetric key for performing encryption/decryption of the messages?

    Thank you,

    -Paul

  2. #2

    Why don't you just encrypt with the server's private key and have the client decrypt with the public key? What I mean is, each endpoint should be encrypting with its private key and decrypting with the other party's public key.

  3. #3
    Join Date
    Jul 2008
    Location
    Waterford, NY
    Posts
    8

    But that's not how a PKI system works. In a PKI system, you perform encryption operations with the recipient's public key, and the recipient decrypts with their own private key. This is how XWSS works (and Spring-WS makes it easy to work w/XWSS via interceptors and whatnot).

    Besides, there's no point in encrypting something (except in the case when dealing with signatures) with your own private key because anybody with your public key can decrypt it.

    I did actually find this link:

    http://java.sun.com/webservices/docs....html#wp569848

    which describes EXACTLY what I want to do. I'm now in the process of hacking the "KeyStoreCallbackHandler" code in order to do this. I'll update this post as I make progress.
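
The key roles discussed in posts #2 and #3, as an added example that is not part of the original thread and is not XWSS or Spring-WS code: it uses only the standard Java cryptography API, and the `client` and `server` key pairs are constructed stand-ins for the keys behind each party's certificate. The response is encrypted under a fresh AES key, and that key is wrapped with the requester's public key, so only the requester's private key can open it.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptToRequester {
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Sender: encrypt the body with a fresh AES key, wrap that key with the recipient's PUBLIC key.
    static byte[][] encryptFor(PublicKey recipient, byte[] body) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey cek = kg.generateKey();
        Cipher wrap = Cipher.getInstance(OAEP);
        wrap.init(Cipher.WRAP_MODE, recipient);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        return new byte[][] { wrap.wrap(cek), iv, aes.doFinal(body) };
    }

    // Recipient: unwrap the AES key with its own PRIVATE key, then decrypt the body.
    static byte[] decryptWith(PrivateKey own, byte[][] msg) throws GeneralSecurityException {
        Cipher unwrap = Cipher.getInstance(OAEP);
        unwrap.init(Cipher.UNWRAP_MODE, own);
        Key cek = unwrap.unwrap(msg[0], "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, cek, new GCMParameterSpec(128, msg[1]));
        return aes.doFinal(msg[2]);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair(); // constructed: key behind the client's certificate
        KeyPair server = kpg.generateKeyPair(); // constructed: the server's own key pair
        byte[][] msg = encryptFor(client.getPublic(), "response body".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptWith(client.getPrivate(), msg), StandardCharsets.UTF_8));
        try {
            decryptWith(server.getPrivate(), msg); // the sender's own private key is the wrong key
            System.out.println("unexpected: decrypted without the client's private key");
        } catch (GeneralSecurityException e) {
            System.out.println("server key cannot decrypt: " + e.getClass().getSimpleName());
        }
    }
}
```
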

  4. #4

    Doh! Of course you're right, and I'm an idiot. This is what I get for surfing message boards before I've had my morning coffee!

  5. #5
    Join Date
    Nov 2008
    Location
    Warsaw, Poland
    Posts
    7

    Hey, you may want to look at the solution in this thread:

    Encrypt response using client-supplied public key in XWSS and WSS4J
    Aleksander Adamowski
    http://olo.org.pl