[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xmlrpc-dev
Subject:    [jira] [Closed] (WSS-455) Certificate validation in SignatureTrustValidator
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2014-10-07 8:05:34
Message-ID: JIRA.12654183.1371829343000.206387.1412669134713 () Atlassian ! JIRA
[Download RAW message or body]


     [ https://issues.apache.org/jira/browse/WSS-455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel \
]

Colm O hEigeartaigh closed WSS-455.
-----------------------------------

> Certificate validation in SignatureTrustValidator
> -------------------------------------------------
> 
> Key: WSS-455
> URL: https://issues.apache.org/jira/browse/WSS-455
> Project: WSS4J
> Issue Type: Improvement
> Affects Versions: 2.0.0
> Reporter: Andrei Shakirin
> Assignee: Colm O hEigeartaigh
> Attachments: SignatureTrustValidator.java.patch
> 
> 
> Currently SignatureTrustValidator.verifyTrustInCert() checks if certificate exists \
> in the local keystore. If yes, further validation is skipped (if revocationLists is \
> deactivated) and crypto.verifyTrust() is not called. To check certificate \
> existence, crypto.getX509Certificates() is used. It works correctly if crypto \
> implementation is keystore based (Merlin). But if crypto is implemented using for \
> example XKMS, certificate will be not really validated: existence of certificate in \
>                 XKMS repository doesn't mean that certificate is valid and trusted.
> Proposal: check additionally crypto implementation and skip crypto.verifyTrust() \
> only if crypto has Merlin implementation. Patch is attached.
> Regards,
> Andrei.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]