WSS4J
  1. WSS4J
  2. WSS-341

the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.4
    • Fix Version/s: 1.6.5
    • Component/s: None
    • Labels:
      None

      Description

      currently it's
      if (isCertificateInKeyStore(crypto, cert))

      { return true; }

      However if the crypto here has keystore, then if cert is in it, it will return true in this case, so it can't reach the
      crypto.verifyTrust(x509certs, enableRevocation) later to check with the revocation. This logic is wrong in case the cert is in keystore but already get revoked.

      The SignatureCRLTest can't cover this case because the CA Merlin crypto it passed in only have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto, cert)

      1. WSS-341.patch
        3 kB
        Freeman Fang

        Activity

        Colm O hEigeartaigh made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Colm O hEigeartaigh made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Colm O hEigeartaigh committed 1245588 (3 files)
        Colm O hEigeartaigh made changes -
        Fix Version/s 1.6.5 [ 12319163 ]
        Affects Version/s 1.6.4 [ 12318343 ]
        Hide
        Freeman Fang added a comment -

        Hi Team,

        Append a patch for this issue, also revised SignatureCRLTest little bit to use the All-In-One Merlin description file wss40All.properties, which has both keystore and truststore to cover this issue.
        The wss40All.properties is simply merged from original wss40rev.properties and wss40CA.properties.

        Please review and apply it if it's OK.

        Best Regards
        Freeman

        Show
        Freeman Fang added a comment - Hi Team, Append a patch for this issue, also revised SignatureCRLTest little bit to use the All-In-One Merlin description file wss40All.properties, which has both keystore and truststore to cover this issue. The wss40All.properties is simply merged from original wss40rev.properties and wss40CA.properties. Please review and apply it if it's OK. Best Regards Freeman
        Freeman Fang made changes -
        Attachment WSS-341.patch [ 12514934 ]
        Freeman Fang made changes -
        Field Original Value New Value
        Description currently it's
        if (isCertificateInKeyStore(crypto, cert)) {
             return true;
        }
        However if the crypto has keystore, then the cert must be in it, so it always return true in this case, so it can't reach the
        crypto.verifyTrust(x509certs, enableRevocation) to check with the revocation.

        The SignatureCRLTest can't cover this case because the Merlin crypto it passed in only have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto, cert)
        currently it's
        if (isCertificateInKeyStore(crypto, cert)) {
             return true;
        }
        However if the crypto here has keystore, then if cert is in it, it will return true in this case, so it can't reach the
        crypto.verifyTrust(x509certs, enableRevocation) later to check with the revocation. This logic is wrong in case the cert is in keystore but already get revoked.

        The SignatureCRLTest can't cover this case because the CA Merlin crypto it passed in only have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto, cert)
        Freeman Fang created issue -

          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Freeman Fang
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development