[
https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13210001#comment-13210001
]
Freeman Fang commented on WSS-341:
----------------------------------
Hi Team,
Append a patch for this issue, also revised SignatureCRLTest little bit to use
the All-In-One Merlin description file wss40All.properties, which has both
keystore and truststore to cover this issue.
The wss40All.properties is simply merged from original wss40rev.properties and
wss40CA.properties.
Please review and apply it if it's OK.
Best Regards
Freeman
> the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore
> the enableRevocation status
> ------------------------------------------------------------------------------------------------------
>
> Key: WSS-341
> URL: https://issues.apache.org/jira/browse/WSS-341
> Project: WSS4J
> Issue Type: Bug
> Reporter: Freeman Fang
> Assignee: Colm O hEigeartaigh
> Attachments: WSS-341.patch
>
>
> currently it's
> if (isCertificateInKeyStore(crypto, cert)) {
> return true;
> }
> However if the crypto here has keystore, then if cert is in it, it will
> return true in this case, so it can't reach the
> crypto.verifyTrust(x509certs, enableRevocation) later to check with the
> revocation. This logic is wrong in case the cert is in keystore but already
> get revoked.
> The SignatureCRLTest can't cover this case because the CA Merlin crypto it
> passed in only have truststore, we need check enableRevocation first before
> we check isCertificateInKeyStore(crypto, cert)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
