Hi -
In my STS, the RST message is supposed to include a UseKey element like
so:
  <UseKey>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>some-encoded-cert</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </UseKey>
I'm having two issues with it...
1. If some-encoded-cert is expired, the STS is issuing a token for it
anyway. I have configured a TokenIssueOperation with a list of
tokenValidators, that includes an instance of an
org.apache.cxf.sts.token.validator.X509TokenValidator. Shouldn't the
X509TokenValidator be checking for expiration, issuer trust, revocation,
and so on? Or will I need to derive a custom validator to handle that?
2. A more fundamental problem is that the certificate provided in the
UseKey is supposed to match the certificate used to sign the RST (or
validate the signature, rather). In our profile, the RST must be signed,
with the certificate provided as a BST in the WSSE header. The UseKey
element is allowed to be a SecurityTokenReference to the BST, or to be a
copy of that certificate. I'm specifically working on the case where the
UseKey is a copy of the signing cert and not a reference. I would guess
that I would need a custom validator for this, which is fine, but I'm not
sure how I can access the BST to do a compare?
Thanx,
Stephen W. Chappell
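Added example, not from the original post and not CXF's own code: the comparison the second question asks about, done directly on the message. It assumes the structure the post describes (an RST signed with a ds:Signature whose KeyInfo points through a SecurityTokenReference at a BinarySecurityToken in the wsse:Security header, and a UseKey that is either a copy of that certificate or an STR to the BST) and uses the standard WS-Security, WS-Trust 1.3 and XML-DSig namespaces. It handles both UseKey forms, so it goes slightly beyond the copy-only case in the post. The certificate values are constructed placeholders, not real certificates; since the check compares the decoded DER bytes, a real Base64 DER certificate behaves the same way. Expiry, issuer trust and revocation are separate X.509 checks and are not covered here.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS, "wst": WST}


def _der(b64_text):
    # Base64 in XML is often wrapped across lines; whitespace is not significant.
    return base64.b64decode("".join(b64_text.split()), validate=True)


def _bst_by_id(envelope):
    # Map wsu:Id -> DER bytes for every BST in the wsse:Security header.
    bsts = {}
    for bst in envelope.iterfind(".//wsse:Security/wsse:BinarySecurityToken", NS):
        bsts[bst.get("{%s}Id" % WSU)] = _der(bst.text or "")
    return bsts


def _str_target(str_el):
    # Resolve <wsse:SecurityTokenReference><wsse:Reference URI="#id"/> to "id".
    ref = str_el.find("wsse:Reference", NS)
    if ref is None or not ref.get("URI", "").startswith("#"):
        return None
    return ref.get("URI")[1:]


def signing_cert(envelope):
    # DER of the certificate the header signature's KeyInfo points at (the BST).
    bsts = _bst_by_id(envelope)
    str_el = envelope.find(
        ".//wsse:Security/ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("RST signature does not reference a BST through an STR")
    target = _str_target(str_el)
    if target not in bsts:
        raise ValueError("signature references unknown BST %r" % target)
    return bsts[target]


def usekey_cert(envelope):
    # DER of the UseKey certificate: an inline copy, or an STR to a header BST.
    usekey = envelope.find(".//wst:RequestSecurityToken/wst:UseKey", NS)
    if usekey is None:
        raise ValueError("no UseKey in RST")
    inline = usekey.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if inline is not None:
        return _der(inline.text or "")
    str_el = usekey.find("wsse:SecurityTokenReference", NS)
    if str_el is not None:
        target = _str_target(str_el)
        bsts = _bst_by_id(envelope)
        if target in bsts:
            return bsts[target]
    raise ValueError("UseKey carries neither an X509Certificate nor a resolvable STR")


def usekey_matches_signer(rst_xml):
    # True only if the UseKey certificate is byte-identical to the signing certificate.
    env = ET.fromstring(rst_xml)
    return usekey_cert(env) == signing_cert(env)


# --- constructed sample messages (placeholders, not real certificates) ---
CERT_A = base64.b64encode(b"constructed placeholder: signing certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder: some other certificate").decode()


def _wrap(b64, width=20):
    # Wrap the Base64 to show that line breaks inside the value are tolerated.
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def build_rst(usekey_xml, bst_b64, bst_id="X509-1"):
    # Signed header with one BST referenced by the signature; body carries the UseKey.
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
        f'xmlns:ds="{DS}" xmlns:wst="{WST}"><soap:Header><wsse:Security>'
        f'<wsse:BinarySecurityToken wsu:Id="{bst_id}" '
        'EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" '
        'ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">'
        f"{bst_b64}</wsse:BinarySecurityToken>"
        "<ds:Signature><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo>"
        f'<wsse:SecurityTokenReference><wsse:Reference URI="#{bst_id}"/>'
        "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
        "</wsse:Security></soap:Header><soap:Body>"
        f"<wst:RequestSecurityToken>{usekey_xml}</wst:RequestSecurityToken>"
        "</soap:Body></soap:Envelope>"
    )


USEKEY_COPY_OK = ("<wst:UseKey><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                  f"{_wrap(CERT_A)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></wst:UseKey>")
USEKEY_COPY_BAD = USEKEY_COPY_OK.replace(_wrap(CERT_A), _wrap(CERT_B))
USEKEY_REF = ('<wst:UseKey><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/>'
              "</wsse:SecurityTokenReference></wst:UseKey>")

RST_COPY_OK = build_rst(USEKEY_COPY_OK, CERT_A)    # copy of the signing cert
RST_COPY_BAD = build_rst(USEKEY_COPY_BAD, CERT_A)  # copy of a different cert
RST_REF = build_rst(USEKEY_REF, CERT_A)            # STR pointing at the BST
```

In a CXF STS the same comparison would live in a custom validator; the point of the example is only what to compare (decoded DER of the UseKey certificate against decoded DER of the BST the signature's KeyInfo references, after stripping Base64 whitespace), with a mismatch or an unresolvable reference treated as a rejection.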