You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2017/03/22 22:50:41 UTC
[jira] [Updated] (CXF-4028) X509TokenValidator uses
signature-crypto-provider instead of encryption-crypto-provider
[ https://issues.apache.org/jira/browse/CXF-4028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp updated CXF-4028:
-----------------------------
Component/s: (was: Core)
WS-* Components
> X509TokenValidator uses signature-crypto-provider instead of encryption-crypto-provider
> ---------------------------------------------------------------------------------------
>
> Key: CXF-4028
> URL: https://issues.apache.org/jira/browse/CXF-4028
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.5
> Reporter: Jan Bernhardt
> Assignee: Alessio Soldano
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> I found a bug in X509TokenValidator class.
> There are two crypto handler which can be configured:
> <entry key="ws-security.signature.crypto" value-ref="..."/>
> <entry key="ws-security.encryption.crypto" value-ref="..."/>
> ws-security.signature.crypto is for my own signature, when sending messages, and to decrypt messages, which have been send to me. (here is my private key)
> ws-security.encryption.crypto is for encrypting messages before sending and validating of signatures in received messages. (here are all my trusted public keys/CAs)
> In X509TokenValidator the signature crypto provider is used to validate a received message signature. But instead the encryption provider should be used! See line 101 in X509TokenValidator.java:
> Crypto sigCrypto = stsProperties.getSignatureCrypto();
> There might be other sections which needs to be updated as well...
> Best regards
> Jan
> See post on the mailinglist regarding this topic also:
> http://cxf.547215.n5.nabble.com/X509TokenValidator-td5139681.html
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)