[
https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16747894#comment-16747894
]
Tomas Vanhala commented on CXF-7941:
------------------------------------
Hi,
As the next step, we shall try to use CXF to create a test request that is like
request-real-sanitised.xml:
* No X.509 certificate included in the signature itself.
* In dsig:KeyInfo, a reference to the certificate using wsse:SecurityTokenReference.
One further observation: We are applying Subject DN regular expressions with
chain trust. SIG_SUBJECT_CERT_CONSTRAINTS is a comma separated String of
regular expressions. However, it does not seem to be possible to specify a
complete Subject DN value. If we want the only allowed value to be
"CN=xxx,DC=xxx", the closest we can get to this is the regular expression
"CN=xxx.DC=xxx".
It does not seem to be possible to use the comma character in the regular
expression, since it is used as the delimiter for multiple alternative regular
expressions. Considering the purpose of the comma character in a Subject DN, it
would be useful to be able to specify another character as the delimiter.
> SamlValidator does not work with chain trust
> --------------------------------------------
>
> Key: CXF-7941
> URL: https://issues.apache.org/jira/browse/CXF-7941
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 3.2.7
> Reporter: Tomas Vanhala
> Priority: Major
> Attachments: cxf7941.zip, obsolete-code.txt,
> request-real-sanitised.xml, request-test-broken-sanitised.xml,
> request-test-working-sanitised.xml, stacktrace-request-test-broken.txt
>
>
> As explained here
> http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html,
> WSS4J supports specifying constraints on the subject DN of the certificate
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to
> sign the requests from the Merlin trust store, and setting an appropriate
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to
> handle a scenario where the certificate used to sign the requests is not in
> the trust store. The problem seems to be in the method
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by
> including the needed PKI code in a customised SamlValidator, but we would
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.
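The delimiter problem raised in the comment above, modelled as an added example (not CXF or WSS4J code): the constraint string is split on the literal comma and each part is applied as a whole-DN regular expression, which is an assumption about the exact matching mode. The `\x2c` escape shown as a tighter alternative is a suggestion made here, not something the issue reports.

```python
import re

# Constructed sample DNs: the one we want to allow, and a look-alike that
# differs only in the character between the two RDNs.
GOOD_DN = "CN=xxx,DC=xxx"
LOOKALIKE_DN = "CN=xxx-DC=xxx"


def split_constraints(constraints: str) -> list[str]:
    """Split a SIG_SUBJECT_CERT_CONSTRAINTS value on the comma delimiter.
    Assumption: a naive split, with whitespace stripped and empty parts dropped."""
    return [p.strip() for p in constraints.split(",") if p.strip()]


def subject_dn_allowed(subject_dn: str, constraints: str) -> bool:
    """Accept the DN if any alternative regex matches the WHOLE DN.
    Assumption: full-string matching, like Java's Matcher.matches()."""
    return any(re.fullmatch(p, subject_dn) for p in split_constraints(constraints))


def demo() -> dict[str, bool]:
    results = {}
    # 1. Writing the DN literally: the split yields "CN=xxx" and "DC=xxx",
    #    neither of which matches the full DN, so the legitimate cert is rejected.
    results["literal"] = subject_dn_allowed(GOOD_DN, "CN=xxx,DC=xxx")
    # 2. The workaround from the comment: "." stands in for the comma. The real
    #    DN passes, but so does any DN with any single character in that slot.
    results["dot_good"] = subject_dn_allowed(GOOD_DN, "CN=xxx.DC=xxx")
    results["dot_lookalike"] = subject_dn_allowed(LOOKALIKE_DN, "CN=xxx.DC=xxx")
    # 3. Tighter: the hex escape \x2c means "comma" to the regex engine but
    #    contains no comma character, so it survives the delimiter split intact.
    results["escaped_good"] = subject_dn_allowed(GOOD_DN, r"CN=xxx\x2cDC=xxx")
    results["escaped_lookalike"] = subject_dn_allowed(LOOKALIKE_DN, r"CN=xxx\x2cDC=xxx")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

Whether the escape survives in a real deployment depends on the validator splitting only on the literal comma before compiling each part, so confirm it against a captured request rather than assuming it.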
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)