[jira] Commented: (WSS-40) WSSecurityEngine does not support chained certificates

Fri, 12 Nov 2010 09:44:37 -0800 

    [ 
https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12931461#action_12931461
 ] 

Colm O hEigeartaigh commented on WSS-40:
----------------------------------------


I committed a port to 1_5_x-fixes. I'm going to mark this issue as fixed. I'll 
commit a fix to CXF next week.

Colm.

> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
>                 Key: WSS-40
>                 URL: https://issues.apache.org/jira/browse/WSS-40
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.10, 1.6
>
>         Attachments: client_keystore.jks, server_keystore.jks, 
> wss-40-test.patch, wss40-trunk-revised.patch, wss40.patch, 
> wss40.patch.11.09.2010
>
>
> My project, which is associated with the Grid, uses limited proxy 
> certificates for digital signature. I.e., the signing application holds a 
> user's permanent certificate, signed by a CA and a proxy certificate signed 
> with the permanent certificate. The application signs a message using the 
> proxy certificate and includes both the proxy and permanent certificates in 
> the message header as a WS-Security direct reference to a 
> BinarySecurityToken. The service has the CA certificate with which the user's 
> permanent certficate was signed. Therefore, to establish trust, the service 
> has to chain back from the proxy to the permanent certificate and then to the 
> CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine 
> fails when checking the chain of trust. 
> WSSecurityEngine..processSecurityHeader() only adds one certificate to the 
> results passed back to WSDoAllReceiver; it ignores the intermediate 
> certificate in the chain.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to