Tomas Vanhala created CXF-7941:
----------------------------------
Summary: SamlValidator does not work with chain trust
Key: CXF-7941
URL: https://issues.apache.org/jira/browse/CXF-7941
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 3.2.7
Reporter: Tomas Vanhala
As explained here
[http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html],
WSS4J supports specifying constraints on the subject DN of the certificate used
for signature validation.
We have successfully applied "direct trust" when receiving SOAP requests
containing a signed SAML token.
We attempted to migrate to "chain trust" by removing the certificate used to
sign the requests from the Merlin trust store, and setting an appropriate
Subject DN Cert Constraint.
It did not work. Our analysis is that WSS4J's SamlValidator is not able to
handle a scenario where the certificate used to sign the requests is not in the
trust store. The problem seems to be in the method findPublicKeyInKeyStore() of
Merlin.java.
We were able to make chain trust (and the Subject DN Cert Constraint) work by
including the needed PKI code in a customised SamlValidator, but we would
rather not go this route.
Please fix chain trust in WSS4J SAML validation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
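The Merlin trust configuration the report contrasts, written out as an added example (not code from the reporter, CXF or WSS4J). With "direct trust" the signing certificate itself sits in the truststore; with "chain trust" only the issuing CA does, so every certificate that CA ever issues would verify unless a Subject DN constraint narrows the accepted signers. The file name, truststore path and password are placeholders; the property keys are the standard WSS4J 2.x Merlin keys.

```properties
# merlin-chain-trust.properties (assumed file name) for the receiving side.
# Used for signature verification only, so no private keystore is configured.
org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin

# Chain trust: this truststore holds ONLY the issuing CA certificate.
# For direct trust it would instead hold the signing (leaf) certificate,
# and no Subject DN constraint would be needed to pin the signer.
org.apache.wss4j.crypto.merlin.truststore.type=jks
org.apache.wss4j.crypto.merlin.truststore.file=chain-truststore.jks
org.apache.wss4j.crypto.merlin.truststore.password=TRUSTSTORE_PASSWORD_PLACEHOLDER

# Do not silently widen the trust anchors with the JDK cacerts bundle.
org.apache.wss4j.crypto.merlin.load.cacerts=false
```

Point the endpoint at this file through the CXF signature properties setting, and set the constraint property named in the linked blog post, `ws-security.subject.cert.constraints`, to a regular expression that matches only the intended signer's subject DN (for instance a pattern anchored on the expected CN and O values). A quick check that the constraint is actually enforced: sign a request with a second certificate issued by the same CA but with a different subject and confirm the request is rejected. As the report notes, this works for the WS-Security signature path but not for the SAML token path, where the signing certificate still has to be present in the truststore.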