Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/11/09 18:51:06 UTC

[jira] Updated: (WSS-40) WSSecurityEngine does not support chained certificates

     [ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-40:
-----------------------------------

    Attachment: wss40-trunk-revised.patch


Hi Seumas,

Please take a look at a revised patch for this issue (for trunk).  If you could ok it, and test it against your certs etc., that would be great.

I did some refactoring of trust verification in SignatureProcessor. Basically, if there is only one certificate, it validates it using the old logic, and if there is more than one, it just validates the certificate path directly. You don't need to check whether the type was a PKI chain or not, as the BinarySecurityTokenProcessor takes care of that already.

If you agree with the basic approach, I'll retrofit it to 1_5_x-fixes. You asked before when this could be released on that branch...I'm thinking of getting 1.5.10 out at the end of this month.

Colm.

> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
>                 Key: WSS-40
>                 URL: https://issues.apache.org/jira/browse/WSS-40
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>         Attachments: wss-40-test.patch, wss40-trunk-revised.patch, wss40.patch
>
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA, and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certificate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine.processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
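The receiver-side split Colm describes (one certificate: validate it directly against the trust store; more than one: validate the presented path), run against the hierarchy in Guy's report (CA -> user's permanent certificate -> proxy certificate), as an added Go example. It is not WSS4J code and not part of this JIRA thread; it uses only the Go standard library and builds all certificates in memory as constructed test data. Assumptions: the user's permanent certificate is marked as a CA so that the standard PKIX path builder accepts it as an issuer (a real RFC 3820 proxy certificate is issued by an end-entity certificate and needs a proxy-aware validator, which this example does not provide), and the single-certificate branch does not reproduce WSS4J's own "old logic", only its effect. The names makeCert, verifyTokenCerts, Outcome and Scenario are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent/parentKey; with parent == nil
// it is self-signed. Everything produced here is constructed test data.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA, // assumption: the "permanent" user cert is CA-capable
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyTokenCerts applies the one-vs-many split to the certificate list carried in a
// BinarySecurityToken: certs[0] is the signing certificate, the rest is the presented path.
// trusted holds the receiver's CA certificates. nil means the token is accepted.
func verifyTokenCerts(certs []*x509.Certificate, trusted *x509.CertPool) error {
	if len(certs) == 0 {
		return errors.New("token carries no certificate")
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if len(certs) == 1 {
		// Single certificate: it must chain directly to a trusted CA. A proxy cert
		// on its own cannot, because the intermediate that signed it is absent.
		_, err := certs[0].Verify(opts)
		return err
	}
	// Several certificates: validate the path as presented. The extra entries are only
	// candidate intermediates; the path must still terminate at one of the receiver's
	// anchors, so a sender-supplied chain ending at an unrelated CA is rejected.
	opts.Intermediates = x509.NewCertPool()
	for _, c := range certs[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(opts)
	return err
}

// Outcome records the result of each configuration exercised by Scenario.
type Outcome struct {
	ProxyAlone     error // proxy only, trusted CA: fails, no path to the anchor
	ProxyWithUser  error // proxy + permanent cert, trusted CA: validates
	ChainWrongRoot error // proxy + permanent cert, unrelated CA: rejected
	UserAlone      error // permanent cert only, trusted CA: single-cert branch passes
}

// Scenario builds CA -> user -> proxy plus an unrelated CA and runs the receiver check.
func Scenario() (Outcome, error) {
	ca, caKey, err := makeCert("Grid CA", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	user, userKey, err := makeCert("Grid user", true, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	proxy, _, err := makeCert("Grid user proxy", false, user, userKey)
	if err != nil {
		return Outcome{}, err
	}
	otherCA, _, err := makeCert("Unrelated CA", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	trusted, wrong := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca)
	wrong.AddCert(otherCA)
	return Outcome{
		ProxyAlone:     verifyTokenCerts([]*x509.Certificate{proxy}, trusted),
		ProxyWithUser:  verifyTokenCerts([]*x509.Certificate{proxy, user}, trusted),
		ChainWrongRoot: verifyTokenCerts([]*x509.Certificate{proxy, user}, wrong),
		UserAlone:      verifyTokenCerts([]*x509.Certificate{user}, trusted),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("proxy alone: %v\nproxy+user: %v\nwrong root: %v\nuser alone: %v\n",
		o.ProxyAlone, o.ProxyWithUser, o.ChainWrongRoot, o.UserAlone)
}
```

The point the four configurations make is the one in the issue: with only the signing certificate passed through, the receiver can never reach the CA for a proxy-signed message, while passing the full list lets the path builder bridge proxy -> permanent -> CA without any loosening of which roots are trusted.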

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org