You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2013/06/25 15:54:21 UTC
[jira] [Resolved] (WSS-455) Certificate validation in
SignatureTrustValidator
[ https://issues.apache.org/jira/browse/WSS-455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-455.
-------------------------------------
Resolution: Fixed
> Certificate validation in SignatureTrustValidator
> -------------------------------------------------
>
> Key: WSS-455
> URL: https://issues.apache.org/jira/browse/WSS-455
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 2.0
> Reporter: Andrei Shakirin
> Assignee: Colm O hEigeartaigh
> Attachments: SignatureTrustValidator.java.patch
>
>
> Currently SignatureTrustValidator.verifyTrustInCert() checks if certificate exists in the local keystore.
> If yes, further validation is skipped (if revocationLists is deactivated) and crypto.verifyTrust() is not called.
> To check certificate existence, crypto.getX509Certificates() is used.
> It works correctly if crypto implementation is keystore based (Merlin). But if crypto is implemented using for example XKMS, certificate will be not really validated: existence of certificate in XKMS repository doesn't mean that certificate is valid and trusted.
> Proposal: check additionally crypto implementation and skip crypto.verifyTrust() only if crypto has Merlin implementation.
> Patch is attached.
> Regards,
> Andrei.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org