You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Guy Rixon (JIRA)" <ji...@apache.org> on 2006/04/07 09:45:28 UTC
[jira] Created: (WSS-40) WSSecurityEngine does not support chained
certificates
WSSecurityEngine does not support chained certificates
------------------------------------------------------
Key: WSS-40
URL: http://issues.apache.org/jira/browse/WSS-40
Project: WSS4J
Type: Bug
Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
Reporter: Guy Rixon
Assigned to: Davanum Srinivas
My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-40) WSSecurityEngine does not support chained
certificates
Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Davanum Srinivas updated WSS-40:
--------------------------------
Assignee: (was: Davanum Srinivas)
> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
> Key: WSS-40
> URL: https://issues.apache.org/jira/browse/WSS-40
> Project: WSS4J
> Issue Type: Bug
> Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
> Reporter: Guy Rixon
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Assigned: (WSS-40) WSSecurityEngine does not support chained
certificates
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned WSS-40:
--------------------------------------
Assignee: Colm O hEigeartaigh
> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
> Key: WSS-40
> URL: https://issues.apache.org/jira/browse/WSS-40
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.6
> Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
> Reporter: Guy Rixon
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-40) WSSecurityEngine does not support chained
certificates
Posted by "Seumas Soltysik (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seumas Soltysik updated WSS-40:
-------------------------------
Attachment: wss-40-test.patch
Hi Colm,
Thanks for the response. Here is what I am thinking for a testcase and for wss4j modifications.
1)Create a Certificate chain where A is signed by B which is signed by a CA.
2)Create a keystore containing only the CA
3)Create a message that is signed by Cert A and includes Cert A and Cert B within the BST using the PKIPath ValueType.
4)Call WSSecEngine.processSecurityHeader() on the signed message.
This should test the above scenario where the server keystore only has the CA and WSS4J is able to validate the CertChain against the CA in the keystore.
What do you think?
I am attaching what I think are the necessary changes to WSS4J which will validate the Cert chain when the ValueType for the BST is set to PKIPath.
I will put together a test following the above outline on the trunk as a start.
> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
> Key: WSS-40
> URL: https://issues.apache.org/jira/browse/WSS-40
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.6
> Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
> Reporter: Guy Rixon
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
> Attachments: wss-40-test.patch
>
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Updated: (WSS-40) WSSecurityEngine does not support chained
certificates
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated WSS-40:
-----------------------------------
Fix Version/s: 1.6
Affects Version/s: 1.5.6
> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
> Key: WSS-40
> URL: https://issues.apache.org/jira/browse/WSS-40
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.6
> Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
> Reporter: Guy Rixon
> Fix For: 1.6
>
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Commented: (WSS-40) WSSecurityEngine does not support
chained certificates
Posted by "Seumas Soltysik (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914322#action_12914322 ]
Seumas Soltysik commented on WSS-40:
------------------------------------
WSSecurityEngine.processSecurityHeader() returns a Vector of WSSecurityEngineResult objects. One of those WSSecurityEngineResult objects does indeed only contain the root certificate of the CertificateChain which is the Certificate used to sign the message. However, there is another WSSecurityEngineResult object in the Vector that contains the CertificateChain from the BST. While this chain is not validated against the local keystore it seems to me that this can be easily done in your code by first getting the CertificateChain from the WSSecurityEngineResult and then calling Crypto.validateCertPath(certs). It would look something like this:
Vector certsResults = new Vector();
certsResults =
WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.BST, certsResults);
if (!certsResults.isEmpty()) {
for (int i = 0; i < certsResults.size(); i++) {
WSSecurityEngineResult result =
(WSSecurityEngineResult) certsResults.get(i);
X509Certificate[] certs = (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
reqData.getSigCrypto().validateCertPath(certs);
}
}
Would this provide the type of validation you require?
> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
> Key: WSS-40
> URL: https://issues.apache.org/jira/browse/WSS-40
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.6
> Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
> Reporter: Guy Rixon
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Commented: (WSS-40) WSSecurityEngine does not support
chained certificates
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12915353#action_12915353 ]
Colm O hEigeartaigh commented on WSS-40:
----------------------------------------
Hi Seumas,
That looks like it could work. Could you try writing a test to see if your approach would work? For example, see the test "testSignatureDirectReferenceCACert" in this file (only available on trunk):
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java?view=markup
This test sends a certificate chain in the header. You could adapt this test for the 1_5_x-fixes branch.
Colm.
> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
> Key: WSS-40
> URL: https://issues.apache.org/jira/browse/WSS-40
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.6
> Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
> Reporter: Guy Rixon
> Assignee: Colm O hEigeartaigh
> Fix For: 1.6
>
>
> My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org