Posted to fx-dev@ws.apache.org by we...@apache.org on 2004/03/21 19:04:34 UTC
cvs commit: ws-fx/wss4j/src/org/apache/ws/security/message WSSignEnvelope.java WSEncryptBody.java
werner 2004/03/21 10:04:34
Modified: wss4j/src/org/apache/ws/security/message WSSignEnvelope.java
WSEncryptBody.java
Log:
Disable some WSS4J key identifier variants that could introduce
security risks (forgery of certificates).
Revision Changes Path
1.11 +24 -24 ws-fx/wss4j/src/org/apache/ws/security/message/WSSignEnvelope.java
Index: WSSignEnvelope.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/WSSignEnvelope.java,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- WSSignEnvelope.java 21 Mar 2004 14:40:40 -0000 1.10
+++ WSSignEnvelope.java 21 Mar 2004 18:04:34 -0000 1.11
@@ -345,18 +345,18 @@
false);
wsDocInfo.setBst(bstToken.getElement());
break;
- case WSConstants.ISSUER_SERIAL_DIRECT : {
- X509Security x509token = new X509Security(doc);
- x509token.setX509Certificate(certs[0]);
- x509token.setID(certUri);
- WSSecurityUtil.prependChildElement(
- doc,
- securityHeader,
- x509token.getElement(),
- false);
- wsDocInfo.setBst(x509token.getElement());
- // fall thru
- }
+// case WSConstants.ISSUER_SERIAL_DIRECT : {
+// X509Security x509token = new X509Security(doc);
+// x509token.setX509Certificate(certs[0]);
+// x509token.setID(certUri);
+// WSSecurityUtil.prependChildElement(
+// doc,
+// securityHeader,
+// x509token.getElement(),
+// false);
+// wsDocInfo.setBst(x509token.getElement());
+// // fall thru
+// }
case WSConstants.ISSUER_SERIAL :
XMLX509IssuerSerial data =
new XMLX509IssuerSerial(doc, certs[0]);
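Review bot: commenting out the ISSUER_SERIAL_DIRECT branch instead of deleting it leaves dead code in the switch and, as far as this hunk shows, no explicit rejection of that key identifier type, so a caller that still sets it would fall to whatever default the switch has rather than failing loudly; suggest removing the block outright, adding a `default:` (or a check before the switch) that throws for ISSUER_SERIAL_DIRECT and SKI_KEY_IDENTIFIER_DIRECT, and replacing the bare `//` lines with a one-line comment stating why the embedded-certificate variants were withdrawn, since the log message's "forgery of certificates" rationale is otherwise invisible to the next reader of this file.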
@@ -365,18 +365,18 @@
case WSConstants.X509_KEY_IDENTIFIER :
secRef.setKeyIdentifier(certs[0]);
break;
- case WSConstants.SKI_KEY_IDENTIFIER_DIRECT : {
- X509Security x509token = new X509Security(doc);
- x509token.setX509Certificate(certs[0]);
- x509token.setID(certUri);
- WSSecurityUtil.prependChildElement(
- doc,
- securityHeader,
- x509token.getElement(),
- false);
- wsDocInfo.setBst(x509token.getElement());
- // fall thru
- }
+// case WSConstants.SKI_KEY_IDENTIFIER_DIRECT : {
+// X509Security x509token = new X509Security(doc);
+// x509token.setX509Certificate(certs[0]);
+// x509token.setID(certUri);
+// WSSecurityUtil.prependChildElement(
+// doc,
+// securityHeader,
+// x509token.getElement(),
+// false);
+// wsDocInfo.setBst(x509token.getElement());
+// // fall thru
+// }
case WSConstants.SKI_KEY_IDENTIFIER :
secRef.setKeyIdentifierSKI(certs[0], crypto);
break;
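Review bot: the disabled block makes the risk the log refers to concrete: it prepended an `X509Security` token built from `certs[0]` into the security header and then fell through to `secRef.setKeyIdentifierSKI(certs[0], crypto)`, so the signature's SKI reference could be satisfied by a certificate the sender itself placed in the message rather than one the receiver already holds; the surviving SKI_KEY_IDENTIFIER case keeps only the reference, which is the right shape, but the receiving side should be checked in the same pass to confirm that SKI resolution prefers the local keystore over any in-message token, otherwise disabling the sending variant alone does not close the issue.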
1.10 +24 -24 ws-fx/wss4j/src/org/apache/ws/security/message/WSEncryptBody.java
Index: WSEncryptBody.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/WSEncryptBody.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- WSEncryptBody.java 18 Mar 2004 20:13:08 -0000 1.9
+++ WSEncryptBody.java 21 Mar 2004 18:04:34 -0000 1.10
@@ -407,34 +407,34 @@
secToken.setKeyIdentifier(remoteCert);
// build a key id class??
break;
- case WSConstants.SKI_KEY_IDENTIFIER_DIRECT :
- {
- X509Security x509token = new X509Security(doc);
- x509token.setX509Certificate(remoteCert);
- x509token.setID(certUri);
- WSSecurityUtil.prependChildElement(
- doc,
- wsseSecurity,
- x509token.getElement(),
- false);
- // fall thru
- }
+// case WSConstants.SKI_KEY_IDENTIFIER_DIRECT :
+// {
+// X509Security x509token = new X509Security(doc);
+// x509token.setX509Certificate(remoteCert);
+// x509token.setID(certUri);
+// WSSecurityUtil.prependChildElement(
+// doc,
+// wsseSecurity,
+// x509token.getElement(),
+// false);
+// // fall thru
+// }
case WSConstants.SKI_KEY_IDENTIFIER :
secToken.setKeyIdentifierSKI(remoteCert, crypto);
break;
- case WSConstants.ISSUER_SERIAL_DIRECT :
- {
- X509Security x509token = new X509Security(doc);
- x509token.setX509Certificate(remoteCert);
- x509token.setID(certUri);
- WSSecurityUtil.prependChildElement(
- doc,
- wsseSecurity,
- x509token.getElement(),
- false);
- // fall thru
- }
+// case WSConstants.ISSUER_SERIAL_DIRECT :
+// {
+// X509Security x509token = new X509Security(doc);
+// x509token.setX509Certificate(remoteCert);
+// x509token.setID(certUri);
+// WSSecurityUtil.prependChildElement(
+// doc,
+// wsseSecurity,
+// x509token.getElement(),
+// false);
+// // fall thru
+// }
case WSConstants.ISSUER_SERIAL :
secToken.setX509IssuerSerial(
new XMLX509IssuerSerial(doc, remoteCert));
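Review bot: the commented-out blocks here differ from their WSSignEnvelope counterparts in that the prepended `x509token` element was never registered with `wsDocInfo.setBst(...)`, so the two classes had already diverged before this change; since both blocks are now dead, removing them rather than commenting them out avoids carrying that inconsistency forward, and the `// build a key id class??` question left on the X509_KEY_IDENTIFIER case above should either be answered or turned into a tracked TODO, as it reads as an unresolved design note in code that constructs key references.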
Re: cvs commit: ws-fx/wss4j/src/org/apache/ws/security/message WSSignEnvelope.java WSEncryptBody.java
Posted by Werner Dittmann <We...@t-online.de>.
All,
this checkin disables some specific WSS4J variants of key identification. These variants could introduce security risks. This was pointed out during an e-mail discussion we had with Merlin.
These two variants are "embedded certificate referenced via Issuer Serial" (IssuerSerialDirect) and "embedded certificate referenced via Subject Key Identifier" (SKIKeyIdentifierDirect). All others are not affected.
Also the tests for these cases were disabled.
Regards,
Werner