ws-dev mailing list archives

From "Colm O hEigeartaigh (Closed) (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-18) WSSecurityEngine can't deal with signed certs
Date Mon, 03 Oct 2011 09:04:39 GMT

     [ https://issues.apache.org/jira/browse/WSS-18?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-18.
----------------------------------

    
> WSSecurityEngine can't deal with signed certs
> ---------------------------------------------
>
>                 Key: WSS-18
>                 URL: https://issues.apache.org/jira/browse/WSS-18
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Thilo Frotscher
>            Assignee: Davanum Srinivas
>            Priority: Critical
>
> I think that I found a bug in class WSSecurityEngine, method
> handleEncryptedKey(Element, CallbackHandler, Crypto, Private Key)
>  (approx. at line 1042)
>  
> Current code:
> =========== 
> else if (secRef.containsKeyIdentifier()) {
>     X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
>     if (certs == null || certs.length !=1 || certs[0] == null) {
>       throw new WSSecurityException...
>       ...
>     }
>  
> If I use certs that were signed by a CA, the array "certs" contains more than one element,
> e.g. the user's cert plus the cert of the CA.
> In this case certs.length != 1 and an exception is thrown. However, I don't think that
> this is an error. In my opinion the line should read
>     if (certs == null || certs.length < 1 || certs[0] == null) {
>  
> i.e. throw an exception if there is no cert in the array - don't throw an exception if
> there's more than one cert in the array.
> I had to patch WSS4J 1.0.0 this way to make my application work. Please consider changing
> this for the next official release.
> Thanks.
> Thilo



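A check that accepts more than one certificate and tests only `certs[0]` relies on the user's certificate being the first element of the array. The following is an added example, not WSS4J code and not part of the report, that picks the user's certificate out of such an array by issuer and subject names instead of by position. The class `EndEntitySelector`, its method, and the keystore path, password and alias arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added illustration; not WSS4J code. Class and method names are hypothetical.
public class EndEntitySelector {

    // Returns the single certificate that did not issue any other certificate
    // in the array (the user's cert, not a CA's). Matching is by name only;
    // signature and path validation remain a separate step.
    static X509Certificate selectEndEntity(X509Certificate[] certs) {
        if (certs == null || certs.length < 1) {
            throw new IllegalArgumentException("no certificate resolved");
        }
        for (X509Certificate c : certs) {
            if (c == null) throw new IllegalArgumentException("null entry in array");
        }
        List<X509Certificate> leaves = new ArrayList<>();
        for (X509Certificate candidate : certs) {
            boolean issuedAnother = false;
            for (X509Certificate other : certs) {
                if (!other.equals(candidate) && other.getIssuerX500Principal()
                        .equals(candidate.getSubjectX500Principal())) {
                    issuedAnother = true;
                }
            }
            // A duplicate of an already collected leaf is not a second leaf.
            if (!issuedAnother && !leaves.contains(candidate)) leaves.add(candidate);
        }
        if (leaves.size() != 1) {
            throw new IllegalArgumentException("expected one end-entity cert, found " + leaves.size());
        }
        return leaves.get(0);
    }

    // Arguments (supplied by the reader): keystore path, password, key alias.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate[] chain = ks.getCertificateChain(args[2]);
        if (chain == null) throw new IllegalArgumentException("no chain for alias");
        X509Certificate[] certs = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) certs[i] = (X509Certificate) chain[i];
        System.out.println(selectEndEntity(certs).getSubjectX500Principal());
    }
}
```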