[WSS-40] WSSecurityEngine does not support chained certificates - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.5.6
Fix Version/s: 1.5.10, 1.6
Component/s: None
Labels:
None
Environment:
WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2

Description

My project, which is associated with the Grid, uses limited proxy certificates for digital signature. I.e., the signing application holds a user's permanent certificate, signed by a CA and a proxy certificate signed with the permanent certificate. The application signs a message using the proxy certificate and includes both the proxy and permanent certificates in the message header as a WS-Security direct reference to a BinarySecurityToken. The service has the CA certificate with which the user's permanent certficate was signed. Therefore, to establish trust, the service has to chain back from the proxy to the permanent certificate and then to the CA certificate.

WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking the chain of trust. WSSecurityEngine..processSecurityHeader() only adds one certificate to the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the chain.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

client_keystore.jks
09/Nov/10 23:06
3 kB
Seumas Soltysik
server_keystore.jks
09/Nov/10 23:06
1 kB
Seumas Soltysik
wss40.patch
05/Oct/10 19:40
7 kB
Seumas Soltysik
wss40.patch.11.09.2010
09/Nov/10 23:06
12 kB
Seumas Soltysik
wss-40-test.patch
29/Sep/10 04:25
4 kB
Seumas Soltysik
wss40-trunk-revised.patch
09/Nov/10 17:49
8 kB
Colm O hEigeartaigh

Issue Links

is depended upon by

CXF-3152 Add support for processing a PKI Certificate Chain

Closed

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Guy Rixon

Votes:: 1 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Apr/06 15:43

Updated:: 02/May/13 02:29

Resolved:: 12/Nov/10 17:43