[CXF-7941] SamlValidator does not work with chain trust - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Not A Problem
Affects Version/s: 3.2.7
Fix Version/s: None
Component/s: WS-* Components
Labels:
None

Estimated Complexity:
Unknown

Description

As explained here http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html, WSS4J supports specifying constraints on the subject DN of the certificate used for signature validation.

We have successfully applied "direct trust" when receiving SOAP requests containing a signed SAML token.

We attempted to migrate to "chain trust" by removing the certificate used to sign the requests from the Merlin trust store, and setting an appropriate Subject DN Cert Constraint.

It did not work. Our analysis is that WSS4J's SamlValidator is not able to handle a scenario where the certificate used to sign the requests is not in the trust store. The problem seems to be in the method findPublicKeyInKeyStore() of Merlin.java.

We were able to make chain trust (and the Subject DN Cert Constraint) work by including the needed PKI code in a customised SamlValidator, but we would rather not go this route.

Please fix chain trust in WSS4J SAML validation.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

cxf7941.zip
14/Jan/19 15:30
11 kB
Tomas Vanhala
obsolete-code.txt
18/Jan/19 13:37
7 kB
Tomas Vanhala
request-real-sanitised.xml
18/Jan/19 13:15
6 kB
Tomas Vanhala
request-test-broken-sanitised.xml
18/Jan/19 13:15
8 kB
Tomas Vanhala
request-test-working-sanitised.xml
18/Jan/19 13:15
7 kB
Tomas Vanhala
stacktrace-request-test-broken.txt
18/Jan/19 13:15
5 kB
Tomas Vanhala

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Tomas Vanhala

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Jan/19 16:13

Updated:: 24/Jan/19 12:21

Resolved:: 24/Jan/19 12:21