Andrei Shakirin created WSS-455:
-----------------------------------
Summary: Certificate validation in SignatureTrustValidator
Key: WSS-455
URL: https://issues.apache.org/jira/browse/WSS-455
Project: WSS4J
Issue Type: Improvement
Affects Versions: 2.0
Reporter: Andrei Shakirin
Assignee: Colm O hEigeartaigh
Attachments: SignatureTrustValidator.java.patch
Currently SignatureTrustValidator.verifyTrustInCert() checks whether the certificate
exists in the local keystore.
If yes, further validation is skipped (if revocationLists is deactivated) and
crypto.verifyTrust() is not called.
To check certificate existence, crypto.getX509Certificates() is used.
It works correctly if the crypto implementation is keystore based (Merlin). But if
crypto is implemented using, for example, XKMS, the certificate will not really be
validated: the existence of a certificate in the XKMS repository doesn't mean that
the certificate is valid and trusted.
Proposal: additionally check the crypto implementation and skip
crypto.verifyTrust() only if crypto has the Merlin implementation.
Patch is attached.
Regards,
Andrei.
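The logic flaw described in the report, as an added illustration that is not WSS4J code or the attached patch: the Crypto interface, the MerlinLike and XkmsLike classes, and the string subject-DN stand-in for X509Certificate are all simplified assumptions, and the revocationLists switch is left out.

```java
import java.util.Map;
import java.util.Set;

// Assumption: a stand-in for WSS4J's Crypto interface, reduced to the two calls the report discusses.
interface Crypto {
    boolean containsCert(String subjectDn);   // stand-in for "getX509Certificates() found something"
    void verifyTrust(String subjectDn);       // throws SecurityException when the cert is not trusted
}

// Keystore-backed crypto (Merlin-like): presence in the local keystore is what trust means here.
final class MerlinLike implements Crypto {
    private final Set<String> keystore;
    MerlinLike(Set<String> keystore) { this.keystore = keystore; }
    public boolean containsCert(String dn) { return keystore.contains(dn); }
    public void verifyTrust(String dn) {
        if (!keystore.contains(dn)) throw new SecurityException("not in keystore: " + dn);
    }
}

// Repository-backed crypto (XKMS-like): the repository also holds revoked or untrusted certs,
// so existence says nothing about trust; only verifyTrust() consults the validity status.
final class XkmsLike implements Crypto {
    private final Map<String, Boolean> repository;   // constructed sample: DN -> currently valid?
    XkmsLike(Map<String, Boolean> repository) { this.repository = repository; }
    public boolean containsCert(String dn) { return repository.containsKey(dn); }
    public void verifyTrust(String dn) {
        if (!Boolean.TRUE.equals(repository.get(dn))) throw new SecurityException("untrusted: " + dn);
    }
}

final class SignatureTrustValidatorDemo {
    // Behaviour the report describes: a cert found via the lookup short-circuits verifyTrust()
    // for every Crypto implementation, keystore-backed or not.
    static boolean trustedBefore(Crypto crypto, String dn) {
        if (crypto.containsCert(dn)) return true;
        crypto.verifyTrust(dn);
        return true;
    }
    // Proposed behaviour: the short-circuit applies only to the keystore-backed implementation;
    // any other Crypto must still pass verifyTrust().
    static boolean trustedAfter(Crypto crypto, String dn) {
        if (crypto instanceof MerlinLike && crypto.containsCert(dn)) return true;
        crypto.verifyTrust(dn);
        return true;
    }
    public static void main(String[] args) {
        Crypto xkms = new XkmsLike(Map.of("CN=revoked-signer", false));   // constructed sample
        System.out.println("before: " + trustedBefore(xkms, "CN=revoked-signer"));
        try { trustedAfter(xkms, "CN=revoked-signer"); }
        catch (SecurityException e) { System.out.println("after: " + e.getMessage()); }
    }
}
```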