ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] Commented: (WSS-40) WSSecurityEngine does not support chained certificates
Date Mon, 08 Nov 2010 11:06:22 GMT


Colm O hEigeartaigh commented on WSS-40:

Not yet, sorry... I've been working on the CXF port to use WSS4J 1.6. I'll review it in the
next few days and get back to you asap.


> WSSecurityEngine does not support chained certificates
> ------------------------------------------------------
>                 Key: WSS-40
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>    Affects Versions: 1.5.6
>         Environment: WSS4J 1.0.0, Axis 1.2.1, Sun JDK 1.4.2
>            Reporter: Guy Rixon
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.6
>         Attachments: wss-40-test.patch, wss40.patch
> My project, which is associated with the Grid, uses limited proxy certificates for digital
> signature. I.e., the signing application holds a user's permanent certificate, signed by a
> CA, and a proxy certificate signed with the permanent certificate. The application signs a
> message using the proxy certificate and includes both the proxy and permanent certificates
> in the message header as a WS-Security direct reference to a BinarySecurityToken. The service
> has the CA certificate with which the user's permanent certificate was signed. Therefore, to
> establish trust, the service has to chain back from the proxy to the permanent certificate
> and then to the CA certificate.
> WSSignEnvelope includes both certificates correctly but WSSecurityEngine fails when checking
> the chain of trust. WSSecurityEngine.processSecurityHeader() only adds one certificate to
> the results passed back to WSDoAllReceiver; it ignores the intermediate certificate in the
