[jira] Updated: (WSS-40) WSSecurityEngine does not support chained certificates

Tue, 05 Oct 2010 12:42:00 -0700 

     [ 
https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seumas Soltysik updated WSS-40:
-------------------------------

    Attachment: wss40.patch

This patch is an official patch for wss40. To test this patch, I created a 
certificate chain as follows:

Root CA -> Intermediary CA -> User Cert

client_keystore.jks contains a chain consisting of Intermediary CA -> User Cert.

server_keystore contains the Root CA.

The test I have included uses the User Cert to sign a message and includes the 
chain from the client keystore as part of the BST. This message is then 
validated using the server keystore.

> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
>                 Key: WSS-40
>                 URL: https://issues.apache.org/jira/browse/WSS-40
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>         Attachments: wss-40-test.patch, wss40.patch
>
>
> My project, which is associated with the Grid, uses limited proxy 
> certificates for digital signature. I.e., the signing application holds a 
> user's permanent certificate, signed by a CA and a proxy certificate signed 
> with the permanent certificate. The application signs a message using the 
> proxy certificate and includes both the proxy and permanent certificates in 
> the message header as a WS-Security direct reference to a 
> BinarySecurityToken. The service has the CA certificate with which the user's 
> permanent certficate was signed. Therefore, to establish trust, the service 
> has to chain back from the proxy to the permanent certificate and then to the 
> CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine 
> fails when checking the chain of trust. 
> WSSecurityEngine..processSecurityHeader() only adds one certificate to the 
> results passed back to WSDoAllReceiver; it ignores the intermediate 
> certificate in the chain.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org
For additional commands, e-mail: wss4j-dev-h...@ws.apache.org

Reply via email to