Bug 5757 - allow developer to bypass sending cert chain in secure message
Status: RESOLVED FIXED
: Java WS Security
Authentication
: 4.0.5
: PC Linux
: P3 normal
: 4.0.7
Assigned To:
: http://www-unix.mcs.anl.gov/~tfreeman...
Reported: 2008-01-04 11:36 by
Modified: 2008-01-22 15:34 (History)

Description From 2008-01-04 11:36:50
(see URL for patch)

Don't send proxy chain

  - the deployment expects this in the secmsg signing envelope:

      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

  - Globus' use of WSS4J outputs this on the wire:

      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";

  - so the deployment expected X509v3, which is a single cert; Globus uses chains with X509PKIPathv1

  - boils down to using this in the particular call: "((X509Security) bstToken).setX509Certificate(certs[0]);" instead of "((PKIPathSecurity) bstToken).setX509Certificates(certs, false, crypto);"

  - Introduces Constants.GSI_SEC_MSG_SINGLECERT --> Boolean.TRUE

------- Comment #1 From 2008-01-22 15:34:37 -------
Patch committed to trunk and branch. Thanks Tim.
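
The ValueType mismatch described in this report can be confirmed on a captured message before changing any configuration. The following Python check is an added example, not part of the bug report or the committed patch; the function names and the sample envelope (with a placeholder token body) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#"

# What each X.509 token-profile ValueType from the report carries.
KINDS = {
    PROFILE + "X509v3": "single certificate",
    PROFILE + "X509PKIPathv1": "certificate chain (PKIPath)",
}

def token_value_types(envelope_xml):
    """Return the ValueType of every wsse:BinarySecurityToken in the message."""
    # SOAP messages must not carry a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in envelope_xml:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(envelope_xml)
    return [tok.get("ValueType", "")
            for tok in root.iter(f"{{{WSSE}}}BinarySecurityToken")]

def check_envelope(envelope_xml, expected_suffix="X509v3"):
    """Return (value_type, kind, ok) per token; ok means it matches the receiver's expectation."""
    expected = PROFILE + expected_suffix
    return [(vt, KINDS.get(vt, "unknown"), vt == expected)
            for vt in token_value_types(envelope_xml)]

def sample_envelope(suffix):
    """Constructed sample message; 'AAAA' is a placeholder, not a real certificate."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">'
        '<soap:Header><wsse:Security>'
        f'<wsse:BinarySecurityToken ValueType="{PROFILE}{suffix}">AAAA'
        '</wsse:BinarySecurityToken>'
        '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
    )

if __name__ == "__main__":
    # First message mimics the chain-style output, second the single-cert form.
    for suffix in ("X509PKIPathv1", "X509v3"):
        for vt, kind, ok in check_envelope(sample_envelope(suffix)):
            status = "OK      " if ok else "MISMATCH"
            print(status, vt.rsplit("#", 1)[-1], "-", kind)
```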