Posted to wss4j-dev@ws.apache.org by Yevgeny Rouban <Ye...@gmail.com> on 2006/06/09 15:34:15 UTC

KeyInfo.KeyName is no longer supported

Hello.

In the older WSS4J 1.1 version I encountered a bug in the handling of the
Security.EncryptedKey.KeyInfo.KeyName element. The alias for the specified
DN was looked up as if the DN were an IssuerName without a SerialNumber
(getAliasForX509Cert was called). But the KeyName element specifies the
SubjectName of the certificate.

The bug was in the
org.apache.ws.security.WSSecurityEngine.handleEncryptedKey method.
This bug was carried over into the latest version of the
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey
method. Then the code was commented out, with the following comment by
Werner:
         /*
          * The following code is somewhat strange: the called crypto method gets
          * the keyname and searches for a certificate with an issuer's name that is
          * equal to this keyname. No serialnumber is used - IMHO this does
          * not identify a certificate. In addition neither the WSS4J encryption
          * nor signature methods use this way to identify a certificate. Because of that
          * the next lines of code are disabled.
          */
//                } else if (secRef.containsKeyName()) {
//                    alias = crypto.getAliasForX509Cert(secRef.getKeyNameValue());
//                    if (log.isDebugEnabled()) {
//                        log.debug("KeyName alias: " + alias);
//                    }

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?r1=344987&r2=358557&pathrev=386031&diff_format=h

I would suggest fixing this bug by replacing the call to
crypto.getAliasForX509Cert with a call to crypto.getAliasesForDN and
choosing one alias (the first one, or one that has a private key in the
keystore).

I found this bug when I created an Apache web client for a BEA WebLogic
8.1 web service. The service responded with an encrypted message that
referred to the client's certificate using a KeyName KeyInfo. I did not
find a way to configure the service to use another KeyInfo. So it
would be great to have this bug fixed in WSS4J. Are there any ways for
WSS4J to handle KeyName?

Thanks.
-- 
Yevgeny Rouban
INTEL Middleware Products Division
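The following is an added illustration of the lookup problem described in the post and of the proposed fix; it is not WSS4J code and was not written by the poster. The WSS4J Crypto methods named above (getAliasForX509Cert with a name only, and getAliasesForDN) are modelled as plain Python functions over a constructed in-memory keystore of (alias, subject DN, issuer DN, has private key) records; the DN comparison is a deliberate simplification (RDN type case and whitespace are normalised, escaped commas and multi-valued RDNs are not handled), not the real X.500 matching rules. The extra "client-pub" entry, a trusted-certificate copy of the client's own certificate, is an assumption added to show why "the alias that has a private key" is a better choice than "the first alias".

```python
"""Toy model of the KeyName alias lookup: issuer-name match vs. subject-DN match.

Added example; not part of WSS4J. The keystore below is constructed data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    alias: str
    subject_dn: str
    issuer_dn: str
    has_private_key: bool


CA_DN = "CN=Example CA,O=Example,C=US"
CLIENT_DN = "CN=client,OU=Middleware,O=Example,C=US"

# Constructed keystore (assumption): the CA certificate, a trusted-cert copy of
# the client's certificate, the client's own key pair, and a partner's cert.
KEYSTORE: List[Entry] = [
    Entry("ca", CA_DN, CA_DN, False),
    Entry("client-pub", CLIENT_DN, CA_DN, False),
    Entry("client", CLIENT_DN, CA_DN, True),
    Entry("partner", "CN=partner,O=Example,C=US", CA_DN, False),
]


def parse_dn(dn: str) -> FrozenSet[Tuple[str, str]]:
    """Split a comma-separated DN into (type, value) pairs.

    Type names are lower-cased and whitespace around RDNs is dropped, so
    'cn=client, ou=Middleware' equals 'CN=client,OU=Middleware'.
    Simplification: escaped commas and multi-valued RDNs are not supported.
    """
    pairs = []
    for rdn in dn.split(","):
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return frozenset(pairs)


def same_dn(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


def aliases_by_issuer_name(keystore: List[Entry], name: str) -> List[str]:
    """Behaviour the post describes for getAliasForX509Cert(String):
    match the name against the *issuer* only, with no serial number.
    Returning every hit makes the ambiguity visible."""
    return [e.alias for e in keystore if same_dn(e.issuer_dn, name)]


def alias_by_issuer_name(keystore: List[Entry], name: str) -> Optional[str]:
    """First-hit variant, as a single-alias lookup would behave."""
    hits = aliases_by_issuer_name(keystore, name)
    return hits[0] if hits else None


def aliases_for_dn(keystore: List[Entry], subject_dn: str) -> List[str]:
    """Stand-in for getAliasesForDN: all aliases whose *subject* equals the DN."""
    return [e.alias for e in keystore if same_dn(e.subject_dn, subject_dn)]


def _entry(keystore: List[Entry], alias: str) -> Entry:
    return next(e for e in keystore if e.alias == alias)


def alias_for_key_name(keystore: List[Entry], key_name: str) -> Optional[str]:
    """Proposed fix: treat KeyName as the subject DN, then prefer the alias that
    holds a private key, because decrypting the EncryptedKey needs that key."""
    candidates = aliases_for_dn(keystore, key_name)
    with_key = [a for a in candidates if _entry(keystore, a).has_private_key]
    if with_key:
        return with_key[0]
    return candidates[0] if candidates else None


if __name__ == "__main__":
    # KeyName as a service might emit it: different case and spacing.
    key_name = "cn=client, ou=Middleware, o=Example, c=US"
    print("issuer-name lookup:", alias_by_issuer_name(KEYSTORE, key_name))
    print("issuer-name lookup with CA DN:", aliases_by_issuer_name(KEYSTORE, CA_DN))
    print("subject-DN candidates:", aliases_for_dn(KEYSTORE, key_name))
    print("chosen alias:", alias_for_key_name(KEYSTORE, key_name))
```

Run stand-alone, the issuer-name lookup finds nothing for the client's DN (no certificate in the store was issued by the client), while the same lookup with the CA's DN matches every certificate the CA issued, which is the "does not identify a certificate" objection from the quoted comment. The subject-DN lookup returns both client entries, and the private-key preference picks the one that can actually decrypt.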
