On Monday 24 May 2010 18:26:39, Brian Demers wrote:
> Here is what we have:
> http://github.com/sonatype/security/tree/master/security-realms/security-public-key-realm/
>
> Note this just compares two public keys (so this assumes something else is
> doing the handshaking with the private key).
>
Thanks for sharing, Brian. Some things are similar to my implementation (already attached as a patch in Jira). Looking at PublicKeyWithEquals, it could be related to my second matching strategy, fingerprint, except that you compare the public key data (pk.getEncoded()) and not the certificate data.

Be aware that a KeyPair can be certified several times, and so a PublicKey can be used in several X509Certificate 'instances'. IOW, the SSL engine had the proof that the client owns the PrivateKey and that its certificate is trusted. You then match only the PublicKey that's inside the certificate, not the certificate itself. Use cases leading to a security hole in your implementation will certainly be awkward and depend a lot on deployment and certification policies, but one can imagine such a scenario. We could say the very same about my Simple strategy.

/Paul
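The distinction Paul draws (one key pair certified twice, matched either by public key data or by certificate fingerprint) can be reproduced with the openssl CLI. This is an added example, not code from the thread or the Sonatype realm; it assumes `openssl` is installed, and the two subject names are constructed.

```shell
#!/bin/sh
# Added demo (not code from the thread): one key pair certified twice, then the two
# matching strategies Paul contrasts, run with the openssl CLI (assumed installed).
set -e
WORK=$(mktemp -d)
KEY="$WORK/client.key"
CERT1="$WORK/client-a.pem"   # first certification of the key
CERT2="$WORK/client-b.pem"   # same key, re-certified under another subject (constructed)

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$KEY" 2>/dev/null
openssl req -new -x509 -key "$KEY" -subj "/CN=client-a" -days 1 -out "$CERT1" 2>/dev/null
openssl req -new -x509 -key "$KEY" -subj "/CN=client-b" -days 1 -out "$CERT2" 2>/dev/null

# Strategy A (what comparing pk.getEncoded() amounts to): hash only the public key.
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}
# Strategy B (certificate fingerprint): hash the whole DER-encoded certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# Each returns 0 when the two certificates count as the same identity under that strategy.
same_pubkey() { [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]; }
same_cert()   { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }

# Public-key matching cannot tell the two certifications apart; fingerprint matching can.
if same_pubkey "$CERT1" "$CERT2"; then echo "public-key match: SAME"; fi
if same_cert "$CERT1" "$CERT2"; then echo "fingerprint match: SAME"; else echo "fingerprint match: DIFFERENT"; fi
```

A realm that matches on the public key alone accepts any of the certificates issued for that key, whichever one the TLS handshake actually presented.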