Description
My project, which is associated with the Grid, uses limited proxy certificates for digital signature. That is, the signing application holds a user's permanent certificate, signed by a CA, and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certificate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.
WSSignEnvelope includes both certificates correctly, but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine.processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.
Issue Links
- is depended upon by CXF-3152: Add support for processing a PKI Certificate Chain (Closed)
WSSecurityEngine.processSecurityHeader() returns a Vector of WSSecurityEngineResult objects. One of those WSSecurityEngineResult objects does indeed only contain the root certificate of the CertificateChain which is the Certificate used to sign the message. However, there is another WSSecurityEngineResult object in the Vector that contains the CertificateChain from the BST. While this chain is not validated against the local keystore it seems to me that this can be easily done in your code by first getting the CertificateChain from the WSSecurityEngineResult and then calling Crypto.validateCertPath(certs). It would look something like this:
    Vector certsResults = WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.BST, new Vector());
    if (!certsResults.isEmpty()) {
        for (int i = 0; i < certsResults.size(); i++) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) certsResults.get(i);
            // full chain carried in the BinarySecurityToken: proxy, user certificate, ...
            X509Certificate[] certs = (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            // validateCertPath() returns false if the chain does not end at a trusted CA
            if (!reqData.getSigCrypto().validateCertPath(certs)) {
                throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
            }
        }
    }
Would this provide the type of validation you require?
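One way to fold the suggestion above into the receiver so that the validated chain is also tied to the certificate that produced the signature; this is an added example, not code from the thread or from WSS4J itself. `ProxyChainCheck` is a hypothetical helper, and the WSS4J 1.5 names `WSSecurityUtil.fetchActionResult`, `WSSecurityEngineResult.TAG_X509_CERTIFICATE` and `WSSecurityException.FAILED_CHECK` are assumed from that release.

```java
import java.security.cert.X509Certificate;
import java.util.Vector;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.util.WSSecurityUtil;

// Hypothetical helper (not part of WSS4J): validate the BST chain and tie it to the signer.
public final class ProxyChainCheck {
    // wsResult: the Vector returned by WSSecurityEngine.processSecurityHeader()
    // crypto:   the receiver's signature Crypto, whose keystore holds the CA certificate
    public static void checkSignerChain(Vector wsResult, Crypto crypto)
            throws WSSecurityException {
        // 1. The certificate that actually verified the message signature (the proxy).
        WSSecurityEngineResult sigResult =
            WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN);
        if (sigResult == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
        X509Certificate signer =
            (X509Certificate) sigResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);

        // 2. Every chain carried in a BinarySecurityToken in the header.
        Vector bstResults = new Vector();
        WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.BST, bstResults);

        boolean linked = false;
        for (int i = 0; i < bstResults.size(); i++) {
            WSSecurityEngineResult r = (WSSecurityEngineResult) bstResults.get(i);
            X509Certificate[] chain =
                (X509Certificate[]) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            // Only a chain whose leaf is the signing certificate may vouch for the
            // signature; an unrelated but valid chain in the same header does not.
            if (chain == null || chain.length == 0 || !chain[0].equals(signer)) {
                continue;
            }
            // 3. Proxy -> user certificate -> CA must end at a CA in the keystore.
            if (!crypto.validateCertPath(chain)) {
                throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
            }
            linked = true;
        }
        if (!linked) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }
    }
}
```

Whether `validateCertPath` accepts a proxy certificate issued by an end-entity certificate (rather than a CA) depends on the path validation done by the configured Crypto implementation, so that behaviour should be confirmed against the Crypto in use.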