I don't know if this is the problem, but in 1.7_40, certificate chain
validation will now fail if any of the certificates contain RSA keys
less than 1024 bits. See:
http://www.java.com/en/download/faq/release_changes.xml
I am not recommending this, but you can re-enable the old behavior by
changing the jdk.certpath.disabledAlgorithms security property from:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
to:
jdk.certpath.disabledAlgorithms=MD2
--Sean
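An added example (not Sean's code or anything shipped with the JDK) for auditing, before the upgrade, which keys the 7u40 default would reject: it parses the `RSA keySize < N` form of the `jdk.certpath.disabledAlgorithms` value and checks RSA public keys against it. The class and method names are my own; the 512-bit and 2048-bit keys are constructed in-process as stand-ins for the public keys you would pull out of your real certificates.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.RSAPublicKey;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Audits public keys against a jdk.certpath.disabledAlgorithms-style constraint string. */
public class CertPathConstraintAudit {

    // Matches the "RSA keySize < 1024" form used by the security property.
    private static final Pattern KEY_SIZE_RULE =
            Pattern.compile("(\\w+)\\s+keySize\\s*<\\s*(\\d+)");

    /** Returns a human-readable reason the key would be rejected, or null if it passes. */
    public static String rejectionReason(PublicKey key, String disabledAlgorithms) {
        if (disabledAlgorithms == null) return null;
        for (String rule : disabledAlgorithms.split(",")) {
            Matcher m = KEY_SIZE_RULE.matcher(rule.trim());
            if (!m.matches()) continue; // bare names such as MD2 constrain digests, not key sizes
            String alg = m.group(1);
            int minBits = Integer.parseInt(m.group(2));
            if (alg.equalsIgnoreCase(key.getAlgorithm()) && key instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) key).getModulus().bitLength();
                if (bits < minBits) {
                    return alg + " key of " + bits + " bits violates \"" + rule.trim() + "\"";
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Use the running JDK's value; fall back to the 7u40 default quoted in the thread.
        String policy = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (policy == null) policy = "MD2, RSA keySize < 1024";

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        for (int bits : new int[] {512, 2048}) { // constructed sample keys, not real certificates
            gen.initialize(bits);
            PublicKey pub = gen.generateKeyPair().getPublic();
            String reason = rejectionReason(pub, policy);
            System.out.println(bits + "-bit RSA: "
                    + (reason == null ? "accepted" : "REJECTED: " + reason));
        }
    }
}
```

To audit a real certificate, pass `cert.getPublicKey()` from a loaded `X509Certificate` to `rejectionReason` instead of a generated key.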
On 09/25/2013 07:40 AM, Terry, Ryan wrote:
I am working with a project that leverages xmlsec-1.4.3 for Java. We
have a custom SAML 1.0 implementation. We are upgrading from JDK 6 to
JDK 7 and xmlsec can no longer validate the XML signature. All of our
certificates work except for one. The certificate that fails is a
self-signed X509 certificate. Going from JDK 1.6_17 to 1.7_x causes
signature validation to fail with:
The SAML Response Signature was either invalid or the signing key could
not be established as trusted!
In researching this, it appears that the JDK tightened security with respect to
certificate validation. I am wondering if there is anything that can be
modified in the JDK to relax this and allow this certificate to work.
Ryan Terry