[https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16742219#comment-16742219]
Tomas Vanhala commented on CXF-7941:
------------------------------------
Please find attached a test case that illustrates the issue.
Our understanding is that it is related to
[https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java].
On line 920 there is a strange comment:
{code:java}
//
// Search the keystore for the transmitted public key (direct trust). If not found
// then search the truststore for the transmitted public key (direct trust)
//
{code}
In the implementation of findPublicKeyInKeyStore(), the public key from the
SAML Token does not ever end up in the variable "certs". As a result:
* the certificate chain does not include the public key
* the checks on line 1309 do not succeed
* the method cannot ever return true in the case of chain-of-trust
> SamlValidator does not work with chain trust
> --------------------------------------------
>
> Key: CXF-7941
> URL: https://issues.apache.org/jira/browse/CXF-7941
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 3.2.7
> Reporter: Tomas Vanhala
> Priority: Major
> Attachments: cxf7941.zip
>
>
> As explained here
> [http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html],
> WSS4J supports specifying constraints on the subject DN of the certificate
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to
> sign the requests from the Merlin trust store, and setting an appropriate
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to
> handle a scenario where the certificate used to sign the requests is not in
> the trust store. The problem seems to be in the method
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by
> including the needed PKI code in a customised SamlValidator, but we would
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
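To make the distinction the report relies on concrete, here is an added illustration (not WSS4J or CXF code) of the two trust modes: "direct trust" succeeds only when the signing certificate itself is in the truststore, while "chain trust" accepts a certificate that is absent from the truststore but issued by a CA that is present, and additionally matches a subject DN constraint. It uses the Python `cryptography` package, a single-hop issuer check rather than full PKIX path validation, and a throwaway CA and leaf certificate constructed in the block; the names Example Org, Example Root CA and sts.example.org are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _make_cert(cn, issuer=None, issuer_key=None, is_ca=False):
    """Issue a throwaway test certificate (self-signed when no issuer is given)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
                         x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key


def _issued_by(cert, candidate_ca):
    """True when candidate_ca's key signed cert (the single hop of chain trust shown here)."""
    if cert.issuer != candidate_ca.subject:
        return False
    try:
        candidate_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def validate(cert, truststore, dn_constraint):
    """Return 'direct', 'chain' or None, mirroring the two trust modes named in the report."""
    if cert in truststore:                     # direct trust: the leaf itself is trusted
        return "direct"
    if not any(_issued_by(cert, t) for t in truststore):
        return None                            # no trusted issuer: chain trust fails
    if not re.fullmatch(dn_constraint, cert.subject.rfc4514_string()):
        return None                            # issuer trusted, but subject DN not allowed
    return "chain"


# Constructed test PKI (assumption): a CA for the truststore and a signing cert issued by it.
CA_CERT, CA_KEY = _make_cert("Example Root CA", is_ca=True)
LEAF_CERT, _ = _make_cert("sts.example.org", issuer=CA_CERT, issuer_key=CA_KEY)
```

Removing LEAF_CERT from the truststore, as the report describes, is exactly the point where a validator that only searches for the transmitted certificate stops succeeding and the issuer check plus DN constraint must take over.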