[WSS-341] the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.6.4
Fix Version/s: 1.6.5
Component/s: None
Labels:
None

Description

currently it's
if (isCertificateInKeyStore(crypto, cert)) {
return true;
}
However if the crypto here has keystore, then if cert is in it, it will return true in this case, so it can't reach the
crypto.verifyTrust(x509certs, enableRevocation) later to check with the revocation. This logic is wrong in case the cert is in keystore but already get revoked.

The SignatureCRLTest can't cover this case because the CA Merlin crypto it passed in only have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto, cert)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

WSS-341.patch
17/Feb/12 02:36
3 kB
Freeman Yue Fang

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Freeman Yue Fang

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 17/Feb/12 02:21

Updated:: 05/Mar/12 13:21

Resolved:: 17/Feb/12 14:58