
List:       wss4j-dev
Subject:    Signature validation not querying in truststore/cacerts for
From:       Olve Hansen <olvesh () gmail ! com>
Date:       2008-11-29 15:50:58
Message-ID: 20748366.post () talk ! nabble ! com


I am currently investigating a "bug" and I have patched the AbstractCrypto
class as described in my previous post
(http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200811.mbox/%3C20739755.post@talk.nabble.com%3E).
I can see during debugging that the patch works, as I find the alias of my
added key, and thus it must come from my own (non-default) keystore. This
led me one step further in the process, but I am now stopped again... 

During the signature processing of a message I find that the signature
validation doesn't even try to check in the truststore for the certificate
(getAliasForX509Cert only checks in the keystore), as the following
threaddump shows:
  at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:214)
  at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:194)
  at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:520)
  at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:498)
  at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:280)
  at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:311)
  at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:228)
  at org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor.validateMessage(Wss4jSecurityInterceptor.java:498)
  at org.springframework.ws.soap.security.AbstractWsSecurityInterceptor.handleRequest(AbstractWsSecurityInterceptor.java:104)
  [snip]

I am of the opinion that public certificates of trusted parties should go
into the truststore, and not in the keystore, but WSS4J is unable to
support this organisation of stores.

I see that checking both stores is already done in getAliasForDN(..) via
getAlias(..). Are there any reasons why the X509 alias lookup methods
don't query the truststore/cacerts?

I propose checking first in keystore for the getAliasForX509Cert(..) methods
as well. 


All of the getAliasForX509Cert(..) methods check for the alias only in the
keystore, not in the truststore (aka cacerts). I guess this should be done
symmetrically for all those methods, if it should be done at all, that is.


I have tried this approach for the
org.apache.ws.security.components.crypto.CryptoBase#getAliasForX509Cert and
it works fine...

Anyone who has any thoughts about this?

BTW, this is done in WSS4J version 1.5.4, using Spring-WS version 1.5.5.


Regards, 
Olve Hansen
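The lookup Olve proposes, as an added example that is not part of the original post and not WSS4J's own code: an issuer/serial alias search that checks the keystore first and then the truststore, covering both key entries (via their certificate chain) and trusted-certificate entries. The class name, the helper names and the use of the JDK's own cacerts file as a stand-in truststore are assumptions made here for the sake of a runnable demonstration; the empty in-memory keystore stands for a deployment whose keystore holds only the service's own key and none of the partners' certificates.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/**
 * Example code (not WSS4J's): resolve the alias of an X.509 certificate by
 * issuer DN + serial number, looking in the keystore first and then in the
 * truststore, as proposed on the list.
 */
public class DualStoreAliasLookup {

    /** Which store answered, and under which alias. */
    public static final class Match {
        public final String store;
        public final String alias;
        Match(String store, String alias) { this.store = store; this.alias = alias; }
        @Override public String toString() { return alias + " (" + store + ")"; }
    }

    /**
     * Scan one store for a certificate whose issuer and serial match.
     * Key entries are checked through their chain, trusted-certificate
     * entries through getCertificate(). The issuer is compared as an
     * X500Principal (canonical DN form) rather than as a DN string, so
     * differences in attribute order or whitespace do not cause a miss.
     */
    static String findAlias(KeyStore ks, X500Principal issuer, BigInteger serial) throws Exception {
        if (ks == null) return null;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);   // non-null only for key entries
            if (chain == null) {
                Certificate c = ks.getCertificate(alias);          // trusted-certificate entries
                chain = (c == null) ? new Certificate[0] : new Certificate[] { c };
            }
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) chain[0];
                if (x.getIssuerX500Principal().equals(issuer) && x.getSerialNumber().equals(serial)) {
                    return alias;
                }
            }
        }
        return null;
    }

    /** Keystore first, then truststore; null if neither store holds the certificate. */
    public static Match getAliasForX509Cert(KeyStore keystore, KeyStore truststore,
                                            X500Principal issuer, BigInteger serial) throws Exception {
        String alias = findAlias(keystore, issuer, serial);
        if (alias != null) return new Match("keystore", alias);
        alias = findAlias(truststore, issuer, serial);
        if (alias != null) return new Match("truststore", alias);
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: an empty keystore, i.e. no partner certificates stored with the private key.
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        keystore.load(null, null);

        // Assumption: the JDK's cacerts plays the truststore. Reading certificates
        // needs no password, so null is passed instead of the default one.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            truststore.load(in, null);
        }

        // Pick any CA certificate from the truststore and look it up by issuer/serial.
        String someAlias = Collections.list(truststore.aliases()).get(0);
        X509Certificate ca = (X509Certificate) truststore.getCertificate(someAlias);
        X500Principal issuer = ca.getIssuerX500Principal();
        BigInteger serial = ca.getSerialNumber();

        // Keystore-only lookup (the behaviour described in the post) finds nothing;
        // the dual-store lookup resolves the alias from the truststore.
        System.out.println("keystore-only lookup : " + findAlias(keystore, issuer, serial));
        System.out.println("dual-store lookup    : " + getAliasForX509Cert(keystore, truststore, issuer, serial));
    }
}
```

Two things worth keeping in mind when checking both stores: the order decides which entry wins if the same issuer/serial is present in both, which is why the keystore is searched first here, exactly as the post suggests; and finding an alias only answers "which certificate does this reference point at?", the trust decision itself still has to come from chain validation against the truststore, not from the fact that a matching alias exists.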



