
WSS4J Subject Cert Constraints are not applied consistently #1520


Closed
LiamMacP opened this issue Apr 9, 2025 · 2 comments

Comments

@LiamMacP

LiamMacP commented Apr 9, 2025

Prior to and following the implementation of #1419 and #135, there is still an edge case whereby the following WARN happens:

WARN - org.apache.wss4j.common.crypto.CryptoBase - No Subject DN Certificate Constraints were defined. This could be a security issue

This happens with both pre-4.1.0 and post 4.1.0 versions.

Investigating, this appears to be down to the way that the following verifyCertificateTrust method creates a new RequestData object that does not pass through the signatureSubjectDnPatterns like the initializeRequestData and initializeValidationRequestData methods do, as fixed in #1419?

With pre-4.1.0, a solution has been taken to override the verifyCertificateTrust method with the same body, but then pass through the required fields from the RequestData generated from an overridden initializeValidationRequestData method using a configuration Singleton bean.

The ideal is that the library propagates this down through to this RequestData, or the initializeValidationRequestData returned RequestData is reused. MessageContext does not appear within the verifyCertificateTrust method at present, but could potentially be passed through from `RequestData validationData = initializeValidationRequestData(messageContext);`?
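Added illustration, not code from Spring-WS, WSS4J or the reporter: the WARN quoted above is emitted when the trust check is handed a RequestData that carries a Crypto for chain verification but no Subject DN constraints. The helper below reproduces that decision with plain JDK classes so the three outcomes are visible side by side: a DN that matches a configured pattern, a DN that does not, and the empty-constraint case that in this issue passed unnoticed because the freshly constructed RequestData never received the patterns. The class name, the `Outcome` enum and the sample DNs are constructed for this example.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

/**
 * Example helper (not part of Spring-WS or WSS4J) showing what a Subject DN
 * certificate constraint check does, and why an empty constraint list is the
 * risky state this issue is about: the chain may verify to a trusted CA, but
 * nothing then restricts WHICH subject the signer may be.
 */
public final class SubjectDnConstraintCheck {

    public enum Outcome { MATCHED, REJECTED, NO_CONSTRAINTS_CONFIGURED }

    /** Evaluates an RFC 2253 subject DN string against the configured patterns. */
    public static Outcome evaluate(String subjectDn, Collection<Pattern> subjectDnPatterns) {
        if (subjectDnPatterns == null || subjectDnPatterns.isEmpty()) {
            // This is the condition behind the quoted WARN: the constraints configured on
            // the interceptor never reached the RequestData used for the trust check.
            return Outcome.NO_CONSTRAINTS_CONFIGURED;
        }
        for (Pattern pattern : subjectDnPatterns) {
            // One matching pattern is sufficient; the whole DN must match.
            if (pattern.matcher(subjectDn).matches()) {
                return Outcome.MATCHED;
            }
        }
        return Outcome.REJECTED;
    }

    /** Convenience overload taking the signing certificate itself. */
    public static Outcome evaluate(X509Certificate signerCert, Collection<Pattern> subjectDnPatterns) {
        String dn = signerCert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        return evaluate(dn, subjectDnPatterns);
    }

    public static void main(String[] args) {
        // Constructed sample constraint and DNs; they do not come from the issue.
        List<Pattern> constraints = List.of(
                Pattern.compile("CN=partner-service,O=Example Corp,C=GB"));

        System.out.println(evaluate("CN=partner-service,O=Example Corp,C=GB", constraints));
        System.out.println(evaluate("CN=other-service,O=Example Corp,C=GB", constraints));
        // Same input, but with the constraints lost on the way to the check:
        System.out.println(evaluate("CN=other-service,O=Example Corp,C=GB", List.of()));
    }
}
```

The defender's takeaway is the third case: a configuration that looks complete at the interceptor can still reach the trust validator with an empty pattern list, so the WARN line quoted in the report is worth alerting on in logs rather than treating as noise until the fix in 4.1.0 is in place.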

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 9, 2025
@snicoll snicoll added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 9, 2025
@snicoll snicoll added this to the 4.1.0-RC1 milestone Apr 9, 2025
@snicoll snicoll changed the title Improve WSS4J Subject Cert Constraints to Additional Request Data Usage WSS4J Subject Cert Constraints are not applied consistently Apr 9, 2025
@snicoll snicoll self-assigned this Apr 9, 2025
@snicoll snicoll closed this as completed in ef00c3e Apr 9, 2025
@snicoll
Member

snicoll commented Apr 9, 2025

@LiamMacP thanks for the report. Please give 4.1.0-SNAPSHOT a try and let us know how it goes.

@LiamMacP
Author

Hi @snicoll - I can confirm that 4.1.0-SNAPSHOT no longer reports the log line with this in place. Thank you for your speed on this.
