Richard Opalka created WSS-721:
----------------------------------

             Summary: Merlin Trust Optimization Request
                 Key: WSS-721
                 URL: https://issues.apache.org/jira/browse/WSS-721
             Project: WSS4J
          Issue Type: Improvement
          Components: WSS4J Core
    Affects Versions: 3.0.4
            Reporter: Richard Opalka
            Assignee: Colm O hEigeartaigh


There is a problem during verification of signatures in incoming requests.
WSS4J first tries to look up the certificate to verify in the configured
keystore and then in the truststore. This triggers an unnecessary remote call
since the trusted certificate will never be in the keystore. If the operations
were reversed (or better yet: the order was based on whether or not the
certificate was to be used for trust) this remote call could be avoided.
It would be great if the lookup during the trust verification would first be
performed against the configured truststore.

Below is a snippet from the stacktrace during verification of SAML Assertions:

{code:java}
getCertificates:1012, Merlin (org.apache.wss4j.common.crypto)
getX509Certificates:978, Merlin (org.apache.wss4j.common.crypto)
getX509Certificates:565, Merlin (org.apache.wss4j.common.crypto)
verifyTrust:769, Merlin (org.apache.wss4j.common.crypto)
verifyTrust:906, Merlin (org.apache.wss4j.common.crypto)
verifyTrustInCerts:109, SignatureTrustValidator (org.apache.wss4j.dom.validate)
validate:64, SignatureTrustValidator (org.apache.wss4j.dom.validate)
verifySignedAssertion:215, SamlAssertionValidator (org.apache.wss4j.dom.validate)
{code}


The code in question from org.apache.wss4j.common.crypto.Merlin:

{code:java}
Certificate[] certs = null;
if (keystore != null) {
    certs = getCertificates(issuerName, serialNumber, keystore, false);
}

//If we can't find the issuer in the keystore then look at the truststore
if ((certs == null || certs.length == 0) && truststore != null) {
    certs = getCertificates(issuerName, serialNumber, truststore, true);
}
{code}
https://github.com/apache/ws-wss4j/blob/3b840cecc2906ae0505598e914403d97d7615f2b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java#L977




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
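To make the cost of the two lookup orders concrete, here is an added example; it is not WSS4J code and not part of the issue above. It models Merlin.getX509Certificates(issuerName, serialNumber) against two constructed stand-in stores that count how often they are queried: a keystore holding only the service's own signing certificate (the one the reporter says is expensive to reach) and a truststore holding the IdP's signing certificate. The class and method names (LookupOrderDemo, CountingStore, lookupKeystoreFirst, lookupTruststoreFirst, sampleStores), the DNs and serial numbers, and the choice to fall back from the truststore to the keystore in the proposed order are all assumptions made for illustration.

```java
import java.math.BigInteger;
import java.util.HashMap;
import java.util.Map;

/*
 * Models Merlin.getX509Certificates(issuerName, serialNumber) with two stores
 * and counts how often each is queried, so the two lookup orders can be
 * compared. CountingStore is a constructed stand-in, not java.security.KeyStore.
 */
public class LookupOrderDemo {

    /** Stand-in for a KeyStore keyed by issuer DN + serial; counts every query. */
    static final class CountingStore {
        private final Map<String, String> aliasByIssuerAndSerial = new HashMap<>();
        private int queries;

        CountingStore add(String issuerDn, BigInteger serial, String alias) {
            aliasByIssuerAndSerial.put(key(issuerDn, serial), alias);
            return this;
        }

        /** Like Merlin.getCertificates(...): an empty array when nothing matches. */
        String[] getCertificates(String issuerDn, BigInteger serial) {
            queries++;
            String alias = aliasByIssuerAndSerial.get(key(issuerDn, serial));
            return alias == null ? new String[0] : new String[] { alias };
        }

        int queries() {
            return queries;
        }

        private static String key(String issuerDn, BigInteger serial) {
            return issuerDn + "|" + serial.toString(16);
        }
    }

    /** The order Merlin 3.0.4 uses (see the snippet in the issue): keystore first, truststore as fallback. */
    static String[] lookupKeystoreFirst(CountingStore keystore, CountingStore truststore,
                                        String issuerDn, BigInteger serial) {
        String[] certs = null;
        if (keystore != null) {
            certs = keystore.getCertificates(issuerDn, serial);
        }
        if ((certs == null || certs.length == 0) && truststore != null) {
            certs = truststore.getCertificates(issuerDn, serial);
        }
        return certs;
    }

    /** The proposed order for trust verification: truststore first. Falling back to the keystore is an assumption. */
    static String[] lookupTruststoreFirst(CountingStore keystore, CountingStore truststore,
                                          String issuerDn, BigInteger serial) {
        String[] certs = null;
        if (truststore != null) {
            certs = truststore.getCertificates(issuerDn, serial);
        }
        if ((certs == null || certs.length == 0) && keystore != null) {
            certs = keystore.getCertificates(issuerDn, serial);
        }
        return certs;
    }

    /** Constructed sample stores: keystore = our own signing cert only, truststore = the IdP's signing cert. */
    static CountingStore[] sampleStores() {
        CountingStore keystore = new CountingStore()
                .add("CN=Example Issuing CA,O=Example", BigInteger.valueOf(2002), "service-key");
        CountingStore truststore = new CountingStore()
                .add("CN=Example Issuing CA,O=Example", BigInteger.valueOf(1001), "idp-signing-cert");
        return new CountingStore[] { keystore, truststore };
    }

    public static void main(String[] args) {
        // Issuer/serial as they would arrive in the SAML signature's X509IssuerSerial (constructed values).
        String issuerDn = "CN=Example Issuing CA,O=Example";
        BigInteger serial = BigInteger.valueOf(1001);

        CountingStore[] s = sampleStores();
        String[] found = lookupKeystoreFirst(s[0], s[1], issuerDn, serial);
        System.out.printf("keystore-first:   found=%s keystoreQueries=%d truststoreQueries=%d%n",
                found[0], s[0].queries(), s[1].queries());

        s = sampleStores();
        found = lookupTruststoreFirst(s[0], s[1], issuerDn, serial);
        System.out.printf("truststore-first: found=%s keystoreQueries=%d truststoreQueries=%d%n",
                found[0], s[0].queries(), s[1].queries());
    }
}
```

Both orders return the same alias, but the keystore-first order queries the keystore once before falling through to the truststore, while the truststore-first order never touches the keystore at all, which is the remote call the reporter wants to avoid. One caveat when changing the order in real code: if both stores happen to contain an entry with the same issuer and serial, the order also decides which entry wins, so the change should be limited to lookups made for trust verification rather than applied to every getX509Certificates call.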
