Posted to dev@ws.apache.org by "Freeman Fang (Created) (JIRA)" <ji...@apache.org> on 2012/02/17 03:21:59 UTC

[jira] [Created] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status
------------------------------------------------------------------------------------------------------

                 Key: WSS-341
                 URL: https://issues.apache.org/jira/browse/WSS-341
             Project: WSS4J
          Issue Type: Bug
            Reporter: Freeman Fang
            Assignee: Colm O hEigeartaigh


Currently it's:
if (isCertificateInKeyStore(crypto, cert)) {
     return true;
}
However, if the crypto has a keystore, then the cert must be in it, so it always returns true in this case, and it can't reach crypto.verifyTrust(x509certs, enableRevocation) to check revocation.

The SignatureCRLTest can't cover this case because the Merlin crypto passed in only has a truststore; we need to check enableRevocation first, before we check isCertificateInKeyStore(crypto, cert).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
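
The ordering problem reported above, as an added example that is not part of the original message and not WSS4J's code: a simplified model in which certificates are strings and the CRL is a set. The class name, the `verifyBefore`/`verifyAfter` method names and all sample data are assumptions made for illustration.

```java
import java.util.Set;

// Added illustration of the check ordering reported in WSS-341; not WSS4J code.
// Certificates are modelled as strings and the CRL as a set (all data constructed).
public class RevocationOrderDemo {
    static final Set<String> KEYSTORE = Set.of("alice", "bob");
    static final Set<String> TRUSTED_ISSUERS = Set.of("example-ca");
    static final Set<String> CRL = Set.of("alice"); // alice: in keystore, but revoked

    static boolean isCertificateInKeyStore(String cert) {
        return KEYSTORE.contains(cert);
    }

    // Stand-in for crypto.verifyTrust(x509certs, enableRevocation):
    // issuer must be trusted and, when revocation is enabled, cert must not be on the CRL.
    static boolean verifyTrust(String cert, String issuer, boolean enableRevocation) {
        if (!TRUSTED_ISSUERS.contains(issuer)) {
            return false;
        }
        return !(enableRevocation && CRL.contains(cert));
    }

    // Ordering described in the report: the keystore hit returns before revocation is consulted.
    static boolean verifyBefore(String cert, String issuer, boolean enableRevocation) {
        if (isCertificateInKeyStore(cert)) {
            return true;
        }
        return verifyTrust(cert, issuer, enableRevocation);
    }

    // Reporter's suggestion: look at enableRevocation first; shortcut only when it is off.
    static boolean verifyAfter(String cert, String issuer, boolean enableRevocation) {
        if (!enableRevocation && isCertificateInKeyStore(cert)) {
            return true;
        }
        return verifyTrust(cert, issuer, enableRevocation);
    }

    public static void main(String[] args) {
        String[][] cases = {{"alice", "example-ca"}, {"bob", "example-ca"}, {"carol", "other-ca"}};
        for (String[] c : cases) {
            for (boolean rev : new boolean[] {false, true}) {
                System.out.printf("%-5s revocation=%-5b before=%-5b after=%b%n",
                        c[0], rev, verifyBefore(c[0], c[1], rev), verifyAfter(c[0], c[1], rev));
            }
        }
    }
}
```

Only the row for `alice` with revocation enabled differs between the two orderings, which is why a test whose crypto has a truststore but no keystore never exercises the shortcut.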


[jira] [Updated] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Posted by "Freeman Fang (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang updated WSS-341:
-----------------------------

    Description: 
Currently it's:
if (isCertificateInKeyStore(crypto, cert)) {
     return true;
}
However, if the crypto here has a keystore and the cert is in it, it will return true in this case, so it can't reach crypto.verifyTrust(x509certs, enableRevocation) later to check revocation. This logic is wrong when the cert is in the keystore but has already been revoked.

The SignatureCRLTest can't cover this case because the CA Merlin crypto passed in only has a truststore; we need to check enableRevocation first, before we check isCertificateInKeyStore(crypto, cert).

  was:
Currently it's:
if (isCertificateInKeyStore(crypto, cert)) {
     return true;
}
However, if the crypto has a keystore, then the cert must be in it, so it always returns true in this case, and it can't reach crypto.verifyTrust(x509certs, enableRevocation) to check revocation.

The SignatureCRLTest can't cover this case because the Merlin crypto passed in only has a truststore; we need to check enableRevocation first, before we check isCertificateInKeyStore(crypto, cert).

    


[jira] [Resolved] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Posted by "Colm O hEigeartaigh (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-341.
-------------------------------------

    Resolution: Fixed
    


[jira] [Updated] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Posted by "Freeman Fang (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang updated WSS-341:
-----------------------------

    Attachment: WSS-341.patch
    


[jira] [Commented] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13210001#comment-13210001 ] 

Freeman Fang commented on WSS-341:
----------------------------------

Hi Team,

Appended a patch for this issue; also revised SignatureCRLTest a little bit to use the all-in-one Merlin description file wss40All.properties, which has both a keystore and a truststore, to cover this issue.
The wss40All.properties is simply merged from the original wss40rev.properties and wss40CA.properties.

Please review and apply it if it's OK.

Best Regards
Freeman
                


[jira] [Closed] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Posted by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-341.
-----------------------------------

    


[jira] [Updated] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Posted by "Colm O hEigeartaigh (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-341:
------------------------------------

    Affects Version/s: 1.6.4
        Fix Version/s: 1.6.5
    