[ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Freeman Fang updated WSS-341:
-----------------------------
Description:
Currently it's:
    if (isCertificateInKeyStore(crypto, cert)) {
        return true;
    }
However, if the crypto here has a keystore, then if the cert is in it, it will return
true in this case, so it can't reach the
crypto.verifyTrust(x509certs, enableRevocation) later to check the
revocation. This logic is wrong in the case where the cert is in the keystore but has already been
revoked.
The SignatureCRLTest can't cover this case because the CA Merlin crypto it
passes in only has a truststore; we need to check enableRevocation first before we
check isCertificateInKeyStore(crypto, cert).
was:
Currently it's:
    if (isCertificateInKeyStore(crypto, cert)) {
        return true;
    }
However, if the crypto has a keystore, then the cert must be in it, so it always
returns true in this case, so it can't reach the
crypto.verifyTrust(x509certs, enableRevocation) to check the revocation.
The SignatureCRLTest can't cover this case because the Merlin crypto it passes
in only has a truststore; we need to check enableRevocation first before we check
isCertificateInKeyStore(crypto, cert).
> the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignores
> the enableRevocation status
> ------------------------------------------------------------------------------------------------------
>
> Key: WSS-341
> URL: https://issues.apache.org/jira/browse/WSS-341
> Project: WSS4J
> Issue Type: Bug
> Reporter: Freeman Fang
> Assignee: Colm O hEigeartaigh
>
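The ordering problem described in the report, modelled in Python as an added example (this is not WSS4J code and not the reporter's patch). Certificates, stores and CRLs are plain objects constructed inline so the control flow runs offline; the names verify_trust_in_cert_buggy, verify_trust_in_cert_fixed, is_certificate_in_key_store and Crypto.verify_trust are assumptions that mirror the Java methods named above, not the WSS4J API. It also reproduces why a truststore-only crypto, as used by SignatureCRLTest, cannot expose the bug.

```python
"""Model of the WSS-341 ordering bug (constructed example, not WSS4J code).

A revoked cert that also sits in the keystore is accepted by the "FIRST step"
shortcut before verify_trust() ever consults the CRL. Gating the shortcut on
enable_revocation, as the report proposes, closes the hole.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class Crypto:
    """Stand-in for a WSS4J Crypto/Merlin instance (assumed shape)."""
    keystore: dict = field(default_factory=dict)   # alias -> Cert (own identities)
    truststore: set = field(default_factory=set)   # trusted CA certs
    crls: dict = field(default_factory=dict)       # issuer DN -> {revoked serials}

    def verify_trust(self, chain, enable_revocation):
        # Path validation: the leaf's issuer must be a CA in the truststore.
        leaf = chain[0]
        anchor = next((c for c in self.truststore if c.subject == leaf.issuer), None)
        if anchor is None:
            return False
        if enable_revocation:
            # Consult the issuer's CRL for every cert in the path.
            for c in chain:
                if c.serial in self.crls.get(c.issuer, set()):
                    return False
        return True


def is_certificate_in_key_store(crypto, cert):
    return cert in crypto.keystore.values()


def verify_trust_in_cert_buggy(crypto, cert, enable_revocation):
    # "FIRST step" as reported: keystore membership returns before any CRL check.
    if is_certificate_in_key_store(crypto, cert):
        return True
    return crypto.verify_trust([cert], enable_revocation)


def verify_trust_in_cert_fixed(crypto, cert, enable_revocation):
    # Check enable_revocation first: the keystore shortcut is only safe when
    # revocation checking is off; otherwise fall through to path validation.
    if not enable_revocation and is_certificate_in_key_store(crypto, cert):
        return True
    return crypto.verify_trust([cert], enable_revocation)


# Constructed test fixtures: one CA, one end-entity cert that the CA has revoked.
CA = Cert("CN=Test CA", "CN=Test CA", 1)
ALICE = Cert("CN=alice", "CN=Test CA", 1001)
CRLS = {"CN=Test CA": {1001}}


def keystore_crypto():
    """Keystore + truststore: the configuration the existing test never exercises."""
    return Crypto(keystore={"alice": ALICE}, truststore={CA}, crls=CRLS)


def truststore_only_crypto():
    """Truststore + CRL only, like the Merlin crypto SignatureCRLTest passes in."""
    return Crypto(truststore={CA}, crls=CRLS)


def scenarios():
    """Outcome of validating the revoked cert under each code path and store layout."""
    return {
        "buggy/keystore": verify_trust_in_cert_buggy(keystore_crypto(), ALICE, True),
        "fixed/keystore": verify_trust_in_cert_fixed(keystore_crypto(), ALICE, True),
        "buggy/truststore_only": verify_trust_in_cert_buggy(truststore_only_crypto(), ALICE, True),
        "fixed/truststore_only": verify_trust_in_cert_fixed(truststore_only_crypto(), ALICE, True),
        "fixed/keystore_no_revocation": verify_trust_in_cert_fixed(keystore_crypto(), ALICE, False),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:30s} accepted={accepted}")
```

Only the "buggy/keystore" row accepts the revoked certificate; with a truststore-only crypto both versions reject it, which is why SignatureCRLTest passes against the unfixed code. A regression test for the fix therefore needs a Merlin instance that carries the signing cert in its keystore as well as the CRL.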
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]