Bug 5757 – allow developer to bypass sending cert chain in secure message

Bug 5757 - allow developer to bypass sending cert chain in secure message

Summary:

allow developer to bypass sending cert chain in secure message

Status:	RESOLVED FIXED

Product:	Java WS Security
Component:	Authentication
Version:	4.0.5
Platform:	PC Linux

Importance:	P3 normal
Target Milestone:	4.0.7
Assigned To:	Rachana Ananthakrishnan

URL:	http://www-unix.mcs.anl.gov/~tfreeman...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-01-04 11:36 by Tim Freeman
Modified:	2008-01-22 15:34 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Tim Freeman 2008-01-04 11:36:50

(see URL for patch)

Don't send proxy chain 

  - the deployment expects this in the secmsg signing envelope:
   
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";

  - Globus' use of WSS4J outputs this on the wire: 

   
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";

  - so the deployment exepected X509v3 which is a single cert, Globus uses
chains with X509PKIPathv1

  - boils down to using this in the particular call: "((X509Security)
bstToken).setX509Certificate(certs[0]);" instead of "((PKIPathSecurity)
bstToken).setX509Certificates(certs, false, crypto);"

  - Introduces Constants.GSI_SEC_MSG_SINGLECERT --> Boolean.TRUE

------- Comment #1 From Rachana Ananthakrishnan 2008-01-22 15:34:37 -------

Patch committed to trunk and branch. Thanks Tim.