Add WCF compatibility for DOMX509IssuerSerial #39
free-ice wants to merge 3 commits into apache:master from free-ice:master
Conversation
As far back as 2007 instances of incompatibility between wss4j and WCF
stack can be found. Usually the IIS stack trace contained:
The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'
RFC 2253 seems to provide two approaches for escaping disallowed
characters.
Java seems to support both approaches using \ or using "".
This is supported by the Unit test DmCommaDelimiterSymmetryTest
WCF seems to only support using ""
This is supported by the numerous blog and stackoverflow questions
about this error.
This patch changes the Issuer's X509Principal name format to the "" delimited
format. It has simple unit tests and also another test that uses the JDK
truststore and tests that Java interprets the comma-delimited RDN the
same as the \ delimited format.
Originally I had considered making this change optional, because of
other untested tech stacks. At this point how to do that cleanly
eludes me but I would be happy to do so with some guidance.
@coheigea Just following up, I realize personal time is precious so any time reviewing this PR would be much appreciated! Thanks
Looks OK to me, but I think we should not enable this behaviour by default, but via a configuration switch. |
Will the xmlsec update be released soon? Since there is no release artifact for that I have been working in the 2_3_fix branch, which I can build and move over the changes, which requires care. For example I moved test SoapUtils from the security-stax module to the security-common module and right now, to ensure I don't break the code when moved, I have to leave the code in an intermediate state of refactoring, i.e. that way I can inline the super when I am done in the HEAD and pick up all uses in case a new usage is added.
Ideally there shouldn't be any changes to XML Security - if you want this fix backported to WSS4J 2.3.x. I am going to call a vote on WSS4J 2.3.x tomorrow by the way. |
No backport, my goal is just to get this feature integrated; besides, I have a modified version of spring-ws also to use this feature. The code has been reformatted between the two branches and with the move of the SOAPUtil tracking modified files gets a little harder. Would the 2.4.x branch have a released version of xmlsec? Maybe I should be targeting that instead.
The 2_3_x-fixes branch has a stable version of XML Security if that's what you want |
Closing, to open Draft PR against 2_3_x branch. |
As far back as 2007 instances of incompatibility between wss4j and WCF
stack can be found. Usually the IIS stack trace contained:
The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'
RFC 2253 seems to provide two approaches for escaping disallowed
characters.
Java seems to support both approaches using \ or using "".
This is supported by the Unit test DmCommaDelimiterSymmetryTest
WCF seems to only support using ""
This is supported by the numerous blog and stackoverflow questions
about this error.
This patch changes the Issuer's X509Principal name format to the "" delimited
format. It has simple unit tests and also another test that uses the JDK
truststore and tests that Java interprets the comma-delimited RDN the
same as the \ delimited format.
This patch was originally against the 2_3_x-fixes and has mainly been tested under Java 8,
and against both a test and production WCF system.
Originally I had considered making this change optional, because of
other untested tech stacks. At this point how to do that cleanly
eludes me but I would be happy to do so with some guidance.
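The PR description (and the repeated commit text above) turns on one detail of RFC 2253: an RDN value containing a special character such as a comma can be written either with backslash escapes (the style Java's X500Principal emits) or wrapped in double quotes (the only style WCF is reported to accept). The following is an added example in Python, not the PR's Java changes or any WSS4J code, that shows the two styles side by side: a small parser that accepts both, formatters that emit either one, and a comparison that mirrors the symmetry test the description mentions. The DNs are constructed for the example; the parser is deliberately simplified (multi-valued RDNs joined with `+` are flattened into separate pairs, and no whitespace is assumed around `=` or the separators).

```python
"""Added example (not WSS4J code): the two RFC 2253 escaping styles for RDN values.

A value containing one of , + " \ < > ; may be written with each such
character escaped by a backslash, or with the whole value in double quotes.
"""

SPECIAL = set(',+"\\<>;')                 # characters RFC 2253 requires to be escaped
HEX = set('0123456789abcdefABCDEF')
SEPARATORS = set(',;+')                   # '+' (multi-valued RDN) is flattened here


def parse_dn(dn):
    """Parse a DN string into an ordered list of (type, value) pairs,
    accepting both backslash-escaped and double-quoted values."""
    pairs = []
    i, n = 0, len(dn)
    while i < n:
        while i < n and dn[i] == ' ':          # tolerate a space after a separator
            i += 1
        if i >= n:
            break
        eq = dn.index('=', i)                  # ValueError if an RDN has no '='
        attr_type = dn[i:eq].strip()
        i = eq + 1
        chars = []
        if i < n and dn[i] == '"':
            # Quoted form: separators are literal; only backslash escapes are honoured.
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == '\\' and i + 1 < n:
                    chars.append(dn[i + 1]); i += 2
                else:
                    chars.append(dn[i]); i += 1
            if i >= n:
                raise ValueError('unterminated quoted value in %r' % dn)
            i += 1                             # closing quote
        else:
            # Backslash form: stop at an unescaped separator; \XX is a hex escape.
            while i < n and dn[i] not in SEPARATORS:
                if dn[i] == '\\' and i + 1 < n:
                    if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                        chars.append(chr(int(dn[i + 1:i + 3], 16))); i += 3
                    else:
                        chars.append(dn[i + 1]); i += 2
                else:
                    chars.append(dn[i]); i += 1
        pairs.append((attr_type, ''.join(chars)))
        if i < n:
            i += 1                             # skip the separator
    return pairs


def escape_backslash(value):
    """Backslash style (what Java's RFC2253 output looks like): escape every
    special character, a leading '#' or space, and a trailing space."""
    out = []
    for idx, ch in enumerate(value):
        needs = (ch in SPECIAL
                 or (idx == 0 and ch in ' #')
                 or (idx == len(value) - 1 and ch == ' '))
        out.append('\\' + ch if needs else ch)
    return ''.join(out)


def escape_quoted(value):
    """Quoted style (what WCF is reported to accept): wrap a value that would
    otherwise need escaping in double quotes, escaping only '"' and '\\' inside."""
    plain = (not any(ch in SPECIAL for ch in value)
             and not value.startswith((' ', '#'))
             and not value.endswith(' '))
    if plain:
        return value
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def format_dn(pairs, style='quoted'):
    esc = escape_quoted if style == 'quoted' else escape_backslash
    return ','.join('%s=%s' % (t, esc(v)) for t, v in pairs)


def to_quoted_form(dn):
    """Re-emit a DN in the quoted style, whatever style it arrived in."""
    return format_dn(parse_dn(dn), 'quoted')


def same_issuer(dn_a, dn_b):
    """Compare two DN strings by parsed content so the escaping style on
    either side cannot cause a false mismatch of the issuer name."""
    return parse_dn(dn_a) == parse_dn(dn_b)


if __name__ == '__main__':
    java_style = r'CN=Acme\, Inc.,OU=R\+D,O=Example,C=US'      # constructed issuer DN
    print(to_quoted_form(java_style))   # CN="Acme, Inc.",OU="R+D",O=Example,C=US
```

`same_issuer` is the check worth keeping on the receiving side: comparing issuer names as raw strings is what makes the escaping style matter in the first place, whereas comparing parsed attribute lists (or, better, the DER-encoded issuer name) makes the serialization choice irrelevant to matching.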