[CXF-4028] X509TokenValidator uses signature-crypto-provider instead of encryption-crypto-provider - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5
Fix Version/s: 3.1.11, 3.2.0
Component/s: WS-* Components
Labels:
None

Estimated Complexity:
Moderate

Description

I found a bug in X509TokenValidator class.

There are two crypto handler which can be configured:
<entry key="ws-security.signature.crypto" value-ref="..."/>
<entry key="ws-security.encryption.crypto" value-ref="..."/>

ws-security.signature.crypto is for my own signature, when sending messages, and to decrypt messages, which have been send to me. (here is my private key)
ws-security.encryption.crypto is for encrypting messages before sending and validating of signatures in received messages. (here are all my trusted public keys/CAs)

In X509TokenValidator the signature crypto provider is used to validate a received message signature. But instead the encryption provider should be used! See line 101 in X509TokenValidator.java:
Crypto sigCrypto = stsProperties.getSignatureCrypto();

There might be other sections which needs to be updated as well...

Best regards
Jan

See post on the mailinglist regarding this topic also:
http://cxf.547215.n5.nabble.com/X509TokenValidator-td5139681.html

Attachments

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Jan Bernhardt

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 12/Jan/12 15:01

Updated:: 10/Apr/17 19:04

Resolved:: 28/Mar/17 07:09

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified