[jira] [Commented] (CXF-7941) SamlValidator does not work with chain trust

Mon, 14 Jan 2019 09:06:08 -0800 


    [ 
https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16742310#comment-16742310
 ] 

Colm O hEigeartaigh commented on CXF-7941:
------------------------------------------

The way the PublicKey verification works in Merlin is that the certificate 
corresponding to the public key must be contained directly in the keystore or 
truststore. That's why your "direct-trust.jks" test-case works. However, 
"chain-of-trust.jks" fails as Merlin can't find the public key in the 
keystore/truststore to match against the key it is trying to trust.

The chain trust method only works with certificates. How are we supposed to 
know who issued a public key if we have no corresponding certificate?

> SamlValidator does not work with chain trust
> --------------------------------------------
>
>                 Key: CXF-7941
>                 URL: https://issues.apache.org/jira/browse/CXF-7941
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.7
>            Reporter: Tomas Vanhala
>            Priority: Major
>         Attachments: cxf7941.zip
>
>
> As explained here 
> [http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html,]
>  WSS4J supports specifying constraints on the subject DN of the certificate 
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests 
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to 
> sign the requests from the Merlin trust store, and setting an appropriate 
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to 
> handle a scenario where the certificate used to sign the requests is not in 
> the trust store. The problem seems to be in the method 
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by 
> including the needed PKI code in a customised SamlValidator, but we would 
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to