WSSecurityEngine can't deal with signed certs
---------------------------------------------

         Key: WSS-18
         URL: http://issues.apache.org/jira/browse/WSS-18
     Project: WSS4J
        Type: Bug
    Reporter: Thilo Frotscher
 Assigned to: Davanum Srinivas 
    Priority: Critical


I think that I found a bug in class WSSecurityEngine, method

handleEncryptedKey(Element, CallbackHandler, Crypto, PrivateKey)
 (approx. at line 1042)
 
Current code:
=========== 
else if (secRef.containsKeyIdentifier()) {
    X509Certificate[] certs = secRef.getKeyIdentifier(crypto);
    if (certs == null || certs.length !=1 || certs[0] == null) {
      throw new WSSecurityException...
      ...
    }
 
If I use certs that were signed by a CA, the array "certs" contains more than 
one element, e.g. the user's cert plus the cert of the CA. 
In this case certs.length != 1 and an exception is thrown. However, I don't 
think that this is an error. In my opinion the line should read

    if (certs == null || certs.length < 1 || certs[0] == null) {
 
i.e. throw an exception if there is no cert in the array - don't throw an 
exception if there's more than one cert in the array.
I had to patch WSS4J 1.0.0 this way to make my application work. Please 
consider changing this for the next official release.

Thanks.
Thilo
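The report proposes relaxing the length check so that a key identifier resolving to a full chain (end-entity cert followed by its CA certs) is accepted. As an added example, not WSS4J code and not part of the issue above, the helper below shows the relaxed check next to the check a defender would actually want before using certs[0]: the array must be an ordered chain, and the chain must validate (PKIX) against a set of trust anchors, so that accepting "more than one cert" never means trusting whatever the lookup returned. The class name, method names and the trust-anchor set are assumptions; revocation checking is switched off only so the example runs offline.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/**
 * Added example (hypothetical helper, not WSS4J's code): pick the end-entity
 * certificate out of the array a key-identifier lookup returns, and validate
 * the chain before the caller uses it to decrypt or verify anything.
 */
public final class CertChainCheck {

    private CertChainCheck() {}

    /**
     * The check as the bug report proposes it: reject only a null or empty
     * array, accept a chain of any length, and treat certs[0] as the leaf.
     */
    public static X509Certificate requireLeaf(X509Certificate[] certs) {
        if (certs == null || certs.length < 1 || certs[0] == null) {
            throw new IllegalArgumentException("no certificate resolved for key identifier");
        }
        return certs[0];
    }

    /**
     * The stronger check: certs must be an ordered chain (each element issued
     * by the next one) and must chain to one of the given trust anchors.
     * Revocation checking is disabled here so the example works offline;
     * a production deployment should enable it (CRL/OCSP).
     */
    public static X509Certificate requireValidatedLeaf(X509Certificate[] certs,
                                                       Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        X509Certificate leaf = requireLeaf(certs);

        // Ordering check: certs[i] must have been issued by certs[i+1].
        for (int i = 0; i + 1 < certs.length; i++) {
            if (certs[i + 1] == null
                    || !certs[i].getIssuerX500Principal()
                                .equals(certs[i + 1].getSubjectX500Principal())) {
                throw new CertPathValidatorException(
                        "certificate array is not an ordered chain at index " + i);
            }
        }

        // A self-signed root at the end of the array is the trust anchor, not
        // part of the path to be validated, so leave it out of the CertPath.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1
                && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline example; enable in production
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(cf.generateCertPath(path), params); // throws on failure
        return leaf;
    }
}
```

A caller would build the anchor set from its trust store (one `new TrustAnchor(caCert, null)` per trusted CA certificate loaded from a `KeyStore`) and replace the `certs.length != 1` condition with a call to `requireValidatedLeaf`. Relaxing the length check alone, as the report asks, fixes the false rejection; validating the chain is what keeps the relaxed check from silently accepting an unverified certificate in position zero.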

