Take a look at this blog post that implements the implementation of the WSS4J Crypto interface created by extending CryptoBase , obtaining public keys from a centralized PKI repository, and the private key from the default cryptographic provider ( Merlin ) in the local key repository, as usual.
In your case, if you want to continue using the default keystore for public keys, you can reverse the implementation of public / private key searches.
Source Code Links: WSS4J Merlin.java extends CryptoBase.java