[jira] Commented: (WSS-40) WSSecurityEngine does not support chained certificates

Wed, 20 Oct 2010 09:28:53 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-40?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12923038#action_12923038
 ] 

Colm O hEigeartaigh commented on WSS-40:
----------------------------------------


Hi Seumas,

Sorry I haven't had time yet to look at it, as I wanted to finish the JSR105 
port on trunk. This is almost done, so I will take a look at it next week. I 
want to review trust verification in general, and incorporate your patch as 
part of this review.

Just to clarify, are you after a fix for the 1.5.x branch, or only trunk?

Colm.

> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>
>                 Key: WSS-40
>                 URL: https://issues.apache.org/jira/browse/WSS-40
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>
>         Attachments: wss-40-test.patch, wss40.patch
>
>
> My project, which is associated with the Grid, uses limited proxy 
> certificates for digital signature. I.e., the signing application holds a 
> user's permanent certificate, signed by a CA and a proxy certificate signed 
> with the permanent certificate. The application signs a message using the 
> proxy certificate and includes both the proxy and permanent certificates in 
> the message header as a WS-Security direct reference to a 
> BinarySecurityToken. The service has the CA certificate with which the user's 
> permanent certficate was signed. Therefore, to establish trust, the service 
> has to chain back from the proxy to the permanent certificate and then to the 
> CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine 
> fails when checking the chain of trust. 
> WSSecurityEngine..processSecurityHeader() only adds one certificate to the 
> results passed back to WSDoAllReceiver; it ignores the intermediate 
> certificate in the chain.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org
For additional commands, e-mail: wss4j-dev-h...@ws.apache.org

Reply via email to