Description
Rune Flobakk opened SWS-1058 and commented
If no Subject DN Certificate Constraint has been configured for the case described here http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html, WSS4J emits the following warning:
WARN - org.apache.wss4j.common.crypto.CryptoBase - No Subject DN Certificate Constraints were defined. This could be a security issue
I have made some changes to spring-ws-security, and tested with our own application, and verified that the warning goes away: #135
The tests for spring-ws-security do not execute the part of WSS4J which performs this validation, and I am not sure how I should change them to actually test that setting the option is effective. Through debugging of the tests I have found that this if-block is executed:
https://github.com/apache/wss4j/blob/wss4j-2.2.0/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L776-L801
And the method is returned from on line 799. The test executions never reach line 910, where the subject dn name is validated. I guess some tests involving certificate chains should be added, but I do not have the necessary level of expertise to create this.
If someone with more in-depth knowledge of Spring WS could take a look at the pull request and see if things look sane, I'll be happy to do any necessary modifications.
Affects: 3.0.7
Reference URL: http://koenserneels.blogspot.com/2013/09/ws-security-using-binarysecuritytoken.html
Referenced from: pull request #135
4 votes, 1 watcher
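To show why the warning quoted in the issue matters, here is an added Python model of WSS4J's Subject DN Certificate Constraint check (not code from WSS4J, Spring WS or the pull request; the subject DNs and the constraint pattern are constructed samples). It mirrors the behaviour the issue describes: with no constraints configured, any certificate that chains to a trusted CA is accepted and the warning is raised; with a constraint, the subject DN must fully match one of the configured regular expressions.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample subject DNs in the RFC 2253 form that
# X509Certificate.getSubjectX500Principal().getName() produces in Java
# (comma-separated, no spaces after the commas). Not from any real system.
PARTNER_DN = "CN=partner-ws,OU=Integration,O=Example Corp,C=NO"
OTHER_TENANT_DN = "CN=other-tenant,OU=Integration,O=Other Customer,C=NO"

# Text of the warning the issue quotes from org.apache.wss4j.common.crypto.CryptoBase.
NO_CONSTRAINTS_WARNING = (
    "No Subject DN Certificate Constraints were defined. This could be a security issue"
)


def compile_constraints(specs: Iterable[str]) -> List[re.Pattern]:
    """Compile the configured constraint strings into regex patterns."""
    return [re.compile(s) for s in specs]


def subject_dn_accepted(subject_dn: str,
                        constraints: Iterable[re.Pattern]) -> Tuple[bool, List[str]]:
    """Model of the constraint check applied after CA chain validation.

    Returns (accepted, warnings). WSS4J evaluates the constraints with
    java.util.regex Matcher.matches(), which requires the whole subject DN
    to match; Python's fullmatch() is the equivalent, so a constraint such
    as "O=Example Corp" on its own will NOT match a multi-attribute DN.
    """
    patterns = list(constraints)
    if not patterns:
        # Nothing restricts which subject behind the trusted CA may sign:
        # every certificate the CA issued is accepted, hence the warning.
        return True, [NO_CONSTRAINTS_WARNING]
    accepted = any(p.fullmatch(subject_dn) for p in patterns)
    return accepted, []
```

The test below checks the two configurations side by side: an empty constraint list accepts both DNs with the warning, while a pattern pinning the organisation accepts only the intended partner.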