[ https://issues.apache.org/jira/browse/CXF-4028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp updated CXF-4028:
-----------------------------
    Component/s:     (was: Core)
                 WS-* Components

> X509TokenValidator uses signature-crypto-provider instead of encryption-crypto-provider
> ---------------------------------------------------------------------------------------
>
>                 Key: CXF-4028
>                 URL: https://issues.apache.org/jira/browse/CXF-4028
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.5
>            Reporter: Jan Bernhardt
>            Assignee: Alessio Soldano
>   Original Estimate: 4h
>  Remaining Estimate: 4h
>
> I found a bug in X509TokenValidator class.
> There are two crypto handlers which can be configured:
> <entry key="ws-security.signature.crypto" value-ref="..."/>
> <entry key="ws-security.encryption.crypto" value-ref="..."/>
> ws-security.signature.crypto is for my own signature, when sending messages,
> and to decrypt messages which have been sent to me. (here is my private key)
> ws-security.encryption.crypto is for encrypting messages before sending and
> validating signatures in received messages. (here are all my trusted
> public keys/CAs)
> In X509TokenValidator the signature crypto provider is used to validate a
> received message signature. But instead the encryption provider should be
> used! See line 101 in X509TokenValidator.java:
> Crypto sigCrypto = stsProperties.getSignatureCrypto();
> There might be other sections which need to be updated as well...
> Best regards
> Jan
> See also the post on the mailing list regarding this topic:
> http://cxf.547215.n5.nabble.com/X509TokenValidator-td5139681.html

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)