[
https://issues.apache.org/jira/browse/WSS-455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrei Shakirin updated WSS-455:
--------------------------------
Attachment: SignatureTrustValidator.java.patch
> Certificate validation in SignatureTrustValidator
> -------------------------------------------------
>
> Key: WSS-455
> URL: https://issues.apache.org/jira/browse/WSS-455
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 2.0
> Reporter: Andrei Shakirin
> Assignee: Colm O hEigeartaigh
> Attachments: SignatureTrustValidator.java.patch
>
>
> Currently SignatureTrustValidator.verifyTrustInCert() checks if certificate
> exists in the local keystore.
> If yes, further validation is skipped (if revocationLists is deactivated) and
> crypto.verifyTrust() is not called.
> To check certificate existence, crypto.getX509Certificates() is used.
> It works correctly if crypto implementation is keystore based (Merlin). But
> if crypto is implemented using for example XKMS, certificate will be not
> really validated: existence of certificate in XKMS repository doesn't mean
> that certificate is valid and trusted.
> Proposal: check additionally crypto implementation and skip
> crypto.verifyTrust() only if crypto has Merlin implementation.
> Patch is attached.
> Regards,
> Andrei.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
