Rune Flobakk opened SWS-1058 and commented
If no Subject DN Certificate Constraint has been configured for the case described here http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html, WSS4J emits the following warning:
https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java#L310-L329
I have made some changes to spring-ws-security, and tested with our own application, and verified that the warning goes away: #135
The tests for spring-ws-security do not execute the part of WSS4J which performs this validation, and I am not sure how I should change them to actually test that setting the option is effective. Through debugging of the tests I have found that this if-block is executed:
https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L776-L801
The method returns on line 799. The test executions never reach line 910, where the Subject DN is validated. I guess some tests involving certificate chains should be added, but I do not have the necessary level of expertise to create them.
If someone with more in-depth knowledge of Spring WS could take a look at the pull request and see if things look sane, I'll be happy to make any necessary modifications.
Affects: 3.0.7
Reference URL: http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html
Referenced from: pull request #135
4 votes, 1 watcher
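The issue above is about the WSS4J warning that fires when a signing certificate is validated against a truststore without any Subject DN constraint. The following is an added example (not code from the issue, the linked pull request, or the Spring WS project) of what a server-side Spring WS configuration looks like once such a constraint is wired in. It assumes the setter name `setValidationSubjectDnConstraints(List<Pattern>)` on `Wss4jSecurityInterceptor` (the option the pull request adds; the name is an assumption here), a placeholder truststore path and password, and a made-up organisation in the Subject DN pattern. The Merlin property keys, `CryptoFactory.getInstance`, `setValidationActions` and `setValidationSignatureCrypto` are existing WSS4J 2.x / Spring WS APIs.

```java
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

@Configuration
public class WsSecurityConfig {

    // Merlin crypto backed by a truststore that holds the CA(s) which issue the
    // clients' signing certificates. File name and password are placeholders.
    @Bean
    public Crypto signatureVerificationCrypto() throws WSSecurityException {
        Properties props = new Properties();
        props.setProperty("org.apache.wss4j.crypto.provider",
                "org.apache.wss4j.common.crypto.Merlin");
        props.setProperty("org.apache.wss4j.crypto.merlin.truststore.type", "jks");
        props.setProperty("org.apache.wss4j.crypto.merlin.truststore.file", "truststore.jks");
        props.setProperty("org.apache.wss4j.crypto.merlin.truststore.password", "changeit");
        return CryptoFactory.getInstance(props);
    }

    @Bean
    public Wss4jSecurityInterceptor wsSecurityInterceptor(Crypto signatureVerificationCrypto) {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Incoming messages must carry a signature that chains to the truststore.
        interceptor.setValidationActions("Signature");
        interceptor.setValidationSignatureCrypto(signatureVerificationCrypto);

        // Subject DN constraint: besides chaining to a trusted CA, the signing
        // certificate's subject must match one of these patterns. The pattern is
        // written to cover the whole DN string (leading ".*", trailing "$") because
        // the example assumes WSS4J does a whole-string regex match against the
        // certificate's X.500 subject name. "Example Corp" / "NO" are made up.
        List<Pattern> subjectDnConstraints = Collections.singletonList(
                Pattern.compile(".*O=Example Corp,\\s*C=NO$"));

        // Setter name assumed from the option described in the pull request.
        interceptor.setValidationSubjectDnConstraints(subjectDnConstraints);
        return interceptor;
    }
}
```

The point of the constraint is that trust in the truststore alone is coarse: if the CA in `truststore.jks` issues certificates to more parties than the ones allowed to call this endpoint, any of them could produce a valid signature. The pattern narrows the accepted signers to specific subjects, which is what the WSS4J warning is nudging towards. When testing the change, sign a request with a certificate whose subject does not match the pattern and confirm that validation fails rather than only logging.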