WSS4J
  1. WSS4J
  2. WSS-341

the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.4
    • Fix Version/s: 1.6.5
    • Component/s: None
    • Labels:
      None

      Description

      currently it's
      if (isCertificateInKeyStore(crypto, cert))

      { return true; }

      However if the crypto here has keystore, then if cert is in it, it will return true in this case, so it can't reach the
      crypto.verifyTrust(x509certs, enableRevocation) later to check with the revocation. This logic is wrong in case the cert is in keystore but already get revoked.

      The SignatureCRLTest can't cover this case because the CA Merlin crypto it passed in only have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto, cert)

      1. WSS-341.patch
        3 kB
        Freeman Fang

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Freeman Fang
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development