For the record, the answer is "yes". Apache CXF ships with a WSS4J Crypto implementation that can be used to perform locate + validate calls to an XKMS service to retrieve + validate X.509 Certificates when used with WS-Security. See here for more information:
http://cxf.apache.org/docs/xml-key-management-service-xkms.html
Colm.