[jira] Commented: (WSS-40) WSSecurityEngine does not support chained certificates

Mon, 27 Sep 2010 09:26:57 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12915353#action_12915353
 ] 

Colm O hEigeartaigh commented on WSS-40:
----------------------------------------


Hi Seumas,

That looks like it could work. Could you try writing a test to see if your 
approach would work? For example, see the test 
"testSignatureDirectReferenceCACert" in this file (only available on trunk):

http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java?view=markup

This test sends a certificate chain in the header. You could adapt this test 
for the 1_5_x-fixes branch.

Colm.

> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
>                 Key: WSS-40
>                 URL: https://issues.apache.org/jira/browse/WSS-40
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>
> My project, which is associated with the Grid, uses limited proxy 
> certificates for digital signature. I.e., the signing application holds a 
> user's permanent certificate, signed by a CA and a proxy certificate signed 
> with the permanent certificate. The application signs a message using the 
> proxy certificate and includes both the proxy and permanent certificates in 
> the message header as a WS-Security direct reference to a 
> BinarySecurityToken. The service has the CA certificate with which the user's 
> permanent certficate was signed. Therefore, to establish trust, the service 
> has to chain back from the proxy to the permanent certificate and then to the 
> CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine 
> fails when checking the chain of trust. 
> WSSecurityEngine..processSecurityHeader() only adds one certificate to the 
> results passed back to WSDoAllReceiver; it ignores the intermediate 
> certificate in the chain.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org
For additional commands, e-mail: wss4j-dev-h...@ws.apache.org

Reply via email to