Spring Web Services / SWS-1058

Support WSS4J SIG_SUBJECT_CERT_CONSTRAINTS

    Details

      Description

      If no Subject DN Certificate Constraint has been configured for the case described here http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html, WSS4J emits the following warning:

      WARN - org.apache.wss4j.common.crypto.CryptoBase - No Subject DN Certificate Constraints were defined. This could be a security issue

      https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java#L310-L329


      I have made some changes to spring-ws-security, and tested with our own application, and verified that the warning goes away: https://github.com/spring-projects/spring-ws/pull/135

      The tests for spring-ws-security do not execute the part of WSS4J which performs this validation, and I am not sure how I should change them to actually test that setting the option is effective. Through debugging of the tests I have found that this if-block is executed:
      https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L776-L801
      And the method is returned from on line 799. The test executions never reach line 910, where the Subject DN is validated. I guess some tests involving certificate chains should be added, but I do not have the necessary level of expertise to create them.

      If someone with more in-depth knowledge of Spring WS could take a look at the pull request and see if things look sane, I'll be happy to do any necessary modifications.
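The following is an added, stand-alone illustration of what the missing option controls; it is not code from this issue, from the pull request, or from the Spring WS or WSS4J projects. It re-implements, in simplified form, the Subject DN constraint check that WSS4J's `CryptoBase` applies after a signature certificate has been validated, and the comma-separated parsing WSS4J's handler performs on the `sigSubjectCertConstraints` property (`WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS`). The exact control flow of WSS4J's method, the parsing details and the subject names below are assumptions or constructed sample data; only the property key and the warning text come from WSS4J and the issue.

```java
// Added example (not from the issue or the Spring WS / WSS4J projects): a simplified
// re-implementation of WSS4J's Subject DN constraint check. Names and DNs are constructed.
import java.util.ArrayList;
import java.util.Collection;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

public class SubjectDnConstraintDemo {

    // Property key WSS4J reads (WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS).
    // Its value is a comma-separated list of regular expressions over the subject DN.
    static final String SIG_SUBJECT_CERT_CONSTRAINTS = "sigSubjectCertConstraints";

    // Parse the property value into compiled patterns (assumption: WSS4J splits on ","
    // and trims each entry before compiling it with java.util.regex).
    static Collection<Pattern> parseConstraints(String propertyValue) {
        Collection<Pattern> patterns = new ArrayList<>();
        if (propertyValue == null) {
            return patterns;
        }
        for (String entry : propertyValue.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                patterns.add(Pattern.compile(trimmed));
            }
        }
        return patterns;
    }

    // Mirrors the shape of CryptoBase.matchesSubjectDnPattern (assumption): with no
    // constraints configured the check only logs the warning quoted in the issue and
    // accepts the certificate; with constraints, the RFC 2253 subject name must match
    // at least one pattern in full (Matcher.matches, not find).
    static boolean matchesSubjectDn(X500Principal subject, Collection<Pattern> constraints) {
        if (constraints == null || constraints.isEmpty()) {
            System.err.println("WARN No Subject DN Certificate Constraints were defined."
                    + " This could be a security issue");
            return true;
        }
        // X509Certificate.getSubjectX500Principal().getName() yields RFC 2253 form,
        // e.g. "CN=partner-client,O=Example Org,C=NO" (no spaces after commas).
        String subjectName = subject.getName();
        for (Pattern pattern : constraints) {
            if (pattern.matcher(subjectName).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed subjects standing in for cert.getSubjectX500Principal().
        X500Principal partner = new X500Principal("CN=partner-client, O=Example Org, C=NO");
        X500Principal stranger = new X500Principal("CN=partner-client, O=Other Corp, C=NO");

        // Unset property: both subjects are accepted and the warning is logged.
        Collection<Pattern> none = parseConstraints(null);
        System.out.println("no constraints, partner:  " + matchesSubjectDn(partner, none));
        System.out.println("no constraints, stranger: " + matchesSubjectDn(stranger, none));

        // Constraint configured: only subjects issued to Example Org in NO pass.
        Collection<Pattern> constraints = parseConstraints(".*,O=Example Org,C=NO$");
        System.out.println("constrained, partner:  " + matchesSubjectDn(partner, constraints));
        System.out.println("constrained, stranger: " + matchesSubjectDn(stranger, constraints));
    }
}
```

The point the example makes is the one behind the warning: a certificate that chains to a trusted CA but carries a subject nobody expected is still accepted when the constraint list is empty, so the `sigSubjectCertConstraints` pattern is what ties the signature to the intended peer. When writing the pattern, match against the RFC 2253 form returned by `X500Principal.getName()` rather than the spaced form shown in most certificate viewers, and anchor it, since `matches()` requires the whole subject name to match.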

Reporter: Rune Flobakk
Assignee: Unassigned