Appreciate the reply. With further research it is looking like the x509 cert is invalid.
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Unparseable AuthorityInfoAccess extension due to
java.io.IOException: invalid URI name:file://\\xxxxxxxxxxxxxxx

It appears that in JDK 1.6.0_17 this same cert is validated and the signature works, but in later releases it fails due to a java.io.IOException and doesn't even get to verifying the signature. I'm attempting to get a new cert issued to test this theory.

Thank you for replying.

Ryan Terry

-----Original Message-----
From: Sean Mullan [mailto:[email protected]]
Sent: Thursday, September 26, 2013 8:52 AM
To: [email protected]
Subject: Re: XML Signature validation and JDK 7

I don't know if this is the problem, but in 1.7_40, certificate chain validation will now fail if any of the certificates contain RSA keys less than 1024 bits. See:

http://www.java.com/en/download/faq/release_changes.xml

I am not recommending this, but you can re-enable the old behavior by changing the jdk.certpath.disabledAlgorithms security property from:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

to:

jdk.certpath.disabledAlgorithms=MD2

--Sean

On 09/25/2013 07:40 AM, Terry, Ryan wrote:
> I am working with a project that leverages xmlsec-1.4.3 for Java. We
> have a custom SAML 1.0 implementation. We are upgrading from JDK 6 to
> JDK 7 and xmlsec can no longer validate the XML signature. All of our
> certificates work except for one. The certificate that fails is a
> self-signed X509 certificate. Going from JDK 1.6_17 to 1.7_x causes
> signature validation to fail with:
>
> The SAML Response Signature was either invalid or the signing key
> could not be established as trusted!
>
> In researching it appears that JDK tightened security in respect to
> certificate validation, I am wondering if there is anything that can
> be modified in the JDK to relax this and allow this certificate to work.
>
> Ryan Terry
>
> ----------------------------------------------------------------------
> -- This message and any attachments are intended only for the use of
> the addressee and may contain information that is privileged and
> confidential. If the reader of the message is not the intended
> recipient or an authorized representative of the intended recipient,
> you are hereby notified that any dissemination of this communication
> is strictly prohibited. If you have received this communication in
> error, notify the sender immediately by return email and delete the
> message and any attachments from your system.
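The thread turns on two JDK 7 changes that both surface through xmlsec as the same generic "invalid or could not be established as trusted" message: the 1024-bit RSA minimum in jdk.certpath.disabledAlgorithms, and an AuthorityInfoAccess extension the JDK cannot parse. The following stand-alone diagnostic is an added example, not code from this thread, from xmlsec or from the JDK; it assumes a certificate file path on the command line (PEM or DER) and a class name CertDiag chosen here. It reports the RSA modulus size against the current disabledAlgorithms property, flags extensions the JDK prints as "Unparseable" (the same wording as in Ryan's printout), and then runs the PKIX validator with the self-signed certificate as its own trust anchor so that the real cause chain is printed instead of xmlsec's summary.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

/**
 * Added diagnostic (hypothetical class name): explains why a single
 * self-signed certificate is rejected by JDK 7 certificate path validation.
 * Not part of xmlsec or the JDK.
 */
public class CertDiag {
    // OID of the AuthorityInfoAccess extension named in the thread.
    private static final String AIA_OID = "1.3.6.1.5.5.7.1.1";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertDiag <cert.pem|cert.der>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());

        // Check 1: RSA key size against the security property Sean mentions.
        PublicKey key = cert.getPublicKey();
        if (key instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) key).getModulus().bitLength();
            System.out.println("RSA key size: " + bits + " bits");
            if (bits < 1024) {
                System.out.println("  -> below the 1024-bit minimum; re-issue with a larger key");
            }
        }
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));

        // Check 2: AuthorityInfoAccess present, and does the JDK mark any extension Unparseable?
        if (cert.getExtensionValue(AIA_OID) != null) {
            System.out.println("AuthorityInfoAccess extension present");
        }
        if (cert.toString().contains("Unparseable")) {
            System.out.println("  -> the JDK could not parse at least one extension (see toString output)");
        }

        // Check 3: run the PKIX validator with the cert as its own anchor so the
        // underlying exception chain is visible rather than xmlsec's one-line summary.
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(cert, null)));
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("PKIX validation: OK");
        } catch (CertPathValidatorException e) {
            System.out.println("PKIX validation FAILED: " + e.getMessage());
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
        }
    }
}
```

Run it under both JDK versions against the failing certificate; a difference in the printed cause chain (a key-size rejection versus an IOException from the extension) tells you which of the two changes applies, and re-issuing the certificate with a well-formed AIA URI and a key of at least 1024 bits addresses both without relaxing jdk.certpath.disabledAlgorithms.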
