Support WSS4J SIG_SUBJECT_CERT_CONSTRAINTS [SWS-1058] #1124

gregturn opened this issue Mar 11, 2019 · 0 comments

@gregturn gregturn commented Mar 11, 2019

Rune Flobakk opened SWS-1058 and commented

If no Subject DN Certificate Constraint has been configured for the case described here: http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html, WSS4J emits the following warning:

WARN - org.apache.wss4j.common.crypto.CryptoBase - No Subject DN Certificate Constraints were defined. This could be a security issue

https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java#L310-L329


I have made some changes to spring-ws-security, and tested with our own application, and verified that the warning goes away: #135

The tests for spring-ws-security do not execute the part of WSS4J which performs this validation, and I am not sure how I should change them to actually test that setting the option is effective. Through debugging of the tests I have found that this if-block is executed:
https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L776-L801
and the method returns on line 799. The test executions never reach line 910, where the subject DN is validated. I guess some tests involving certificate chains should be added, but I do not have the necessary level of expertise to create this.

If someone with more in-depth knowledge of Spring WS could take a look at the pull request and see if things look sane, I'll be happy to do any necessary modifications.


Affects: 3.0.7

Reference URL: http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html

Referenced from: pull request #135

4 votes, 1 watchers
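Added illustration, not code from the issue, the pull request or WSS4J itself: a stand-alone Java sketch of the Subject DN check that the linked CryptoBase code performs, showing why an empty constraint list is flagged. The subject DNs and patterns are constructed sample values; the comma-separated regular-expression syntax is that of WSS4J's `sigSubjectCertConstraints` property.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Mirrors the logic of CryptoBase.matches() referenced in the issue: an empty
 *  constraint list accepts every Subject DN (hence the warning); a non-empty list
 *  accepts a certificate only if its RFC 2253 Subject DN matches a pattern. */
public class SubjectDnConstraintDemo {

    static boolean subjectMatches(X500Principal subject, List<Pattern> constraints) {
        if (constraints.isEmpty()) {
            // The branch WSS4J warns about: with no constraints, any certificate
            // that chains to a trusted CA is accepted for signature verification.
            System.out.println("WARN No Subject DN Certificate Constraints were defined");
            return true;
        }
        // getName() yields the RFC 2253 form, which is what WSS4J matches against
        String dn = subject.getName();
        for (Pattern p : constraints) {
            if (p.matcher(dn).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Parses a sigSubjectCertConstraints-style value: comma-separated regexes. */
    static List<Pattern> parseConstraints(String propertyValue) {
        return Arrays.stream(propertyValue.split(","))
                .map(String::trim)
                .map(Pattern::compile)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample subjects, both imagined to chain to the same trusted CA
        X500Principal partner = new X500Principal("CN=ws.partner.example,O=Partner AS,C=NO");
        X500Principal other = new X500Principal("CN=ws.other.example,O=Other Ltd,C=GB");

        // Constructed constraint value: only the partner organisation may sign
        List<Pattern> constraints = parseConstraints(".*O=Partner AS.*");

        System.out.println("no constraints, other: " + subjectMatches(other, Collections.emptyList()));
        System.out.println("constraints, partner:  " + subjectMatches(partner, constraints));
        System.out.println("constraints, other:    " + subjectMatches(other, constraints));
    }
}
```

Because patterns are split on commas, a DN attribute containing a literal comma cannot be matched literally and has to be covered by a wildcard such as `.*`.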
