Posted to java-dev@axis.apache.org by "Thilina Buddhika (JIRA)" <ji...@apache.org> on 2010/12/21 11:47:00 UTC

[jira] Commented: (RAMPART-266) Rampart module fails validating signing certificate when security provider is Bouncy Castle

    [ https://issues.apache.org/jira/browse/RAMPART-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12973552#action_12973552 ] 

Thilina Buddhika commented on RAMPART-266:
------------------------------------------

Hi Ricardo,

Yes. Even though this is fixed in WSS4J, it is not reflected in Rampart, because PolicyBasedResultsValidator uses its custom implementation to verify the trust roots.

So the workaround is to implement a custom PolicyBasedResultsValidator and override the default one. More information about this can be found here [1].

Thanks,
Thilina

[1] - http://blog.rampartfaq.com/2009/08/can-we-have-per-service-policy-based.html 

> Rampart module fails validating signing certificate when security provider is Bouncy Castle
> -------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-266
>                 URL: https://issues.apache.org/jira/browse/RAMPART-266
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.4
>            Reporter: Ricardo Tercero Lozano
>            Assignee: Ruchith Udayanga Fernando
>
> I found an error in class 'PolicyBasedResultsValidator', method 'verifyTrust'. This method gets the subject and issuer from the certificate to validate it.
>         String subjectString = cert.getSubjectDN().getName();
>         String issuerString = cert.getIssuerDN().getName();
>         BigInteger issuerSerial = cert.getSerialNumber();
> When using Bouncy Castle as the security provider, 'getSubjectDN' and 'getIssuerDN' return a DN string representation that can be different from the one on the certificate (which is indeed my case).
> On the Bouncy Castle devel list, they recommend using 'getSubjectX500Principal' and 'getIssuerX500Principal' instead of the 'DN' methods. These methods return the values on the certificate, so matching could be right.
>         String subjectString = cert.getSubjectX500Principal().getName();
>         String issuerString = cert.getIssuerX500Principal().getName();
>         BigInteger issuerSerial = cert.getSerialNumber();
> A rampart configuration to use Bouncy Castle as provider could be:
> <ramp:signatureCrypto>
>     <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>         <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>         <ramp:property name="org.apache.ws.security.crypto.merlin.file">server.jks</ramp:property>
>         <ramp:property name="org.apache.ws.security.crypto.merlin.cert.provider">BC</ramp:property>
>         <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>     </ramp:crypto>
> </ramp:signatureCrypto>
> This issue is probably related to RAMPART-226, as it is using the IBM security provider.

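The following is an added example, not code from Rampart or from the reporter's patch, illustrating why comparing DN strings is fragile and how a validator should compare issuer and serial number instead: structurally, via X500Principal.equals() (which compares canonical forms) and BigInteger.equals(), with the principals taken directly from the certificate. The class name, method names and the DN strings and serial number are constructed for the illustration and are not from the issue.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Issuer/serial matching on X500Principal objects rather than on DN strings.
 * Hypothetical helper written for this illustration; it is not Rampart code.
 */
public final class IssuerMatch {

    /** Structural comparison: X500Principal.equals() compares canonical DN forms. */
    static boolean issuerMatches(X500Principal certIssuer, BigInteger certSerial,
                                 X500Principal trustedSubject, BigInteger trustedSerial) {
        return certIssuer.equals(trustedSubject) && certSerial.equals(trustedSerial);
    }

    /**
     * The same check on real certificates. The principals come straight from the
     * certificates; nothing is re-parsed from a provider's getIssuerDN().getName() string.
     */
    static boolean issuedBy(X509Certificate signingCert, X509Certificate caCert) {
        return signingCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal());
    }

    private static void check(boolean cond, String what) {
        if (!cond) {
            throw new AssertionError(what);
        }
    }

    public static void main(String[] args) {
        // Constructed renderings of one and the same issuer name, in the kind of
        // cosmetically different forms that different DN toString() implementations produce.
        String jdkStyle = "CN=Example CA, OU=PKI, O=Example Corp, C=US";
        String compact  = "cn=Example CA,ou=PKI,o=Example Corp,c=US";
        BigInteger serial = new BigInteger("1234567890"); // constructed serial number

        // 1. Plain string comparison, as in the reported code, fails on cosmetic differences.
        check(!jdkStyle.equals(compact), "string forms differ although the DN is the same");

        // 2. X500Principal comparison succeeds: both strings parse to the same canonical DN.
        X500Principal fromJdkStyle = new X500Principal(jdkStyle);
        X500Principal fromCompact  = new X500Principal(compact);
        check(issuerMatches(fromJdkStyle, serial, fromCompact, serial),
              "X500Principal.equals() ignores keyword case and separator whitespace");
        check(fromJdkStyle.getName().equals(fromCompact.getName()),
              "getName() (RFC 2253 form) is the same regardless of the input rendering");

        // 3. A rendering with the RDNs in the opposite order parses as a *different* DN,
        //    because RDN order is significant. This is why the principal must be taken from
        //    the certificate (getIssuerX500Principal()) instead of being rebuilt from a DN
        //    string whose ordering convention depends on the provider.
        X500Principal reversed = new X500Principal("C=US,O=Example Corp,OU=PKI,CN=Example CA");
        check(!issuerMatches(fromJdkStyle, serial, reversed, serial),
              "reversed RDN order is a different name");

        // 4. A serial number mismatch must still be rejected even when the names match.
        check(!issuerMatches(fromJdkStyle, serial, fromCompact, serial.add(BigInteger.ONE)),
              "serial number must match as well");

        System.out.println("issuer/serial checks behaved as expected");
    }
}
```

Run it with `javac IssuerMatch.java && java IssuerMatch`; it throws an AssertionError if any of the four checks does not hold. The point for a validator such as PolicyBasedResultsValidator is that getSubjectX500Principal()/getIssuerX500Principal() give objects whose equality is defined on the certificate's encoded name, whereas getSubjectDN().getName() is a provider-specific rendering that should never be used as a comparison key.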