ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roland Mueller (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WSS-504) False control flow leading to warning "No Subject DN Certificate Constraints were defined. This could be a security issue"
Date Wed, 18 Jun 2014 12:36:04 GMT

     [ https://issues.apache.org/jira/browse/WSS-504?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Roland Mueller updated WSS-504:
-------------------------------

    Description: 
Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the SignatureTrustValidator
class "No Subject DN Certificate Constraints were defined. This could be a security issue".
The certificate in my request is contained in the keystore and according to the SIG_SUBJECT_CERT_CONSTRAINTS
explanation in the WSHandlerConstants class "These constraints are not used when the certificate
is contained in the keystore (direct trust).". Therefore I did not define any constraints,
the corresponding object is null.
The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced the behavior
change, now also calling the SignatureTrustValidator.matches(...) constraints validation function
where it previously did not, and according to above description, should not.

  was:
Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the SignatureTrustValidator
class "No Subject DN Certificate Constraints were defined. This could be a security issue".
The certificate in my request is contained in the keystore and according to the SIG_SUBJECT_CERT_CONSTRAINTS
explanation in the WSHandlerConstants class "These constraints are not used when the certificate
is contained in the keystore (direct trust)."
The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced the behavior
change, now also calling the SignatureTrustValidator.matches(...) constraints validation function
where it previously did not, and according to above description, should not.

        Summary: False control flow leading to warning "No Subject DN Certificate Constraints
were defined. This could be a security issue"  (was: False warning "No Subject DN Certificate
Constraints were defined. This could be a security issue")

> False control flow leading to warning "No Subject DN Certificate Constraints were defined.
This could be a security issue"
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-504
>                 URL: https://issues.apache.org/jira/browse/WSS-504
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.12, 1.6.15
>            Reporter: Roland Mueller
>            Assignee: Colm O hEigeartaigh
>
> Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the SignatureTrustValidator
class "No Subject DN Certificate Constraints were defined. This could be a security issue".
> The certificate in my request is contained in the keystore and according to the SIG_SUBJECT_CERT_CONSTRAINTS
explanation in the WSHandlerConstants class "These constraints are not used when the certificate
is contained in the keystore (direct trust).". Therefore I did not define any constraints,
the corresponding object is null.
> The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced the behavior
change, now also calling the SignatureTrustValidator.matches(...) constraints validation function
where it previously did not, and according to above description, should not.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message