[jira] Updated: (WSS-40) WSSecurityEngine does not support chained certificates

Tue, 09 Nov 2010 15:08:50 -0800 

     [ 
https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seumas Soltysik updated WSS-40:
-------------------------------

    Attachment: server_keystore.jks
                client_keystore.jks
                wss40.patch.11.09.2010

Colm,
Thanks for the patch. I have taken your patch and added additional files to 
test this feature and created a new patch wss40.patch.11.09.2010. I originally 
created a patch containing the binary keystore files but when I tried applying 
the patch to test it, it balked at applying the binary data. Rather than fight 
it I have simply attached the binary keystores separately. These files go in 
the trunk/keys directory.
The patch looks fine and my test passes.

Also getting 1.5.10 by the end of the month sounds fine.

> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
>                 Key: WSS-40
>                 URL: https://issues.apache.org/jira/browse/WSS-40
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>         Attachments: client_keystore.jks, server_keystore.jks, 
> wss-40-test.patch, wss40-trunk-revised.patch, wss40.patch, 
> wss40.patch.11.09.2010
>
>
> My project, which is associated with the Grid, uses limited proxy 
> certificates for digital signature. I.e., the signing application holds a 
> user's permanent certificate, signed by a CA and a proxy certificate signed 
> with the permanent certificate. The application signs a message using the 
> proxy certificate and includes both the proxy and permanent certificates in 
> the message header as a WS-Security direct reference to a 
> BinarySecurityToken. The service has the CA certificate with which the user's 
> permanent certficate was signed. Therefore, to establish trust, the service 
> has to chain back from the proxy to the permanent certificate and then to the 
> CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine 
> fails when checking the chain of trust. 
> WSSecurityEngine..processSecurityHeader() only adds one certificate to the 
> results passed back to WSDoAllReceiver; it ignores the intermediate 
> certificate in the chain.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to