[
https://issues.apache.org/jira/browse/WSS-504?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Roland Mueller updated WSS-504:
-------------------------------
Description:
Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the
SignatureTrustValidator class "No Subject DN Certificate Constraints were
defined. This could be a security issue".
The certificate in my request is contained in the keystore and according to the
SIG_SUBJECT_CERT_CONSTRAINTS explanation in the WSHandlerConstants class "These
constraints are not used when the certificate is contained in the keystore
(direct trust).". Therefore I did not define any constraints, the corresponding
object is null.
The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced
the behavior change, now also calling the SignatureTrustValidator.matches(...)
constraints validation function where it previously did not, and according to
above description, should not.
was:
Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the
SignatureTrustValidator class "No Subject DN Certificate Constraints were
defined. This could be a security issue".
The certificate in my request is contained in the keystore and according to the
SIG_SUBJECT_CERT_CONSTRAINTS explanation in the WSHandlerConstants class "These
constraints are not used when the certificate is contained in the keystore
(direct trust)."
The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced
the behavior change, now also calling the SignatureTrustValidator.matches(...)
constraints validation function where it previously did not, and according to
above description, should not.
Summary: False control flow leading to warning "No Subject DN
Certificate Constraints were defined. This could be a security issue" (was:
False warning "No Subject DN Certificate Constraints were defined. This could
be a security issue")
> False control flow leading to warning "No Subject DN Certificate Constraints
> were defined. This could be a security issue"
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: WSS-504
> URL: https://issues.apache.org/jira/browse/WSS-504
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.6.12, 1.6.15
> Reporter: Roland Mueller
> Assignee: Colm O hEigeartaigh
>
> Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the
> SignatureTrustValidator class "No Subject DN Certificate Constraints were
> defined. This could be a security issue".
> The certificate in my request is contained in the keystore and according to
> the SIG_SUBJECT_CERT_CONSTRAINTS explanation in the WSHandlerConstants class
> "These constraints are not used when the certificate is contained in the
> keystore (direct trust).". Therefore I did not define any constraints, the
> corresponding object is null.
> The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796
> introduced the behavior change, now also calling the
> SignatureTrustValidator.matches(...) constraints validation function where it
> previously did not, and according to above description, should not.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
