[ https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16742341#comment-16742341 ]

Tomas Vanhala commented on CXF-7941:
------------------------------------

Yes, that is why findPublicKeyInKeyStore() will not work for us when validating 
a SAML assertion. The SOAP header of the message we are validating contains the 
public key, inside wsse:Security as the value of wsse:BinarySecurityToken. 
Since the X.509 Certificate Token Profile is used, the BinarySecurityToken is 
at the same time both the public key and the "corresponding" certificate.

What we then need to do is check whether the received certificate can be 
trusted. For the chain trust method, the chain would need to be constructed 
using:
 * the leaf certificate from the received BinarySecurityToken
 * the root and intermediate issuing certificate from the (Merlin) trust store

It seems that when validating chain trust, Merlin ignores the received leaf 
certificate.

> SamlValidator does not work with chain trust
> --------------------------------------------
>
>                 Key: CXF-7941
>                 URL: https://issues.apache.org/jira/browse/CXF-7941
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.7
>            Reporter: Tomas Vanhala
>            Priority: Major
>         Attachments: cxf7941.zip
>
>
> As explained here 
> http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html,
>  WSS4J supports specifying constraints on the subject DN of the certificate 
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests 
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to 
> sign the requests from the Merlin trust store, and setting an appropriate 
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to 
> handle a scenario where the certificate used to sign the requests is not in 
> the trust store. The problem seems to be in the method 
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by 
> including the needed PKI code in a customised SamlValidator, but we would 
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
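The chain construction the comment above asks for, as an added example that is not CXF/WSS4J or Merlin code: the leaf certificate is the one received in the BinarySecurityToken, only the CA certificates are in the trust store, and the path leaf -> intermediate -> root is built and verified before a Subject DN regex constraint is applied. It assumes the Python `cryptography` package; the PKI it generates (root, issuing CA, leaf, a rogue CA), the organisation and common names, and the constraint regex are all constructed for the example, and `chain_trust`, `direct_trust` and the helper names are this example's own, not WSS4J API.

```python
"""Chain trust for a leaf certificate received in a message (added example, not
CXF/WSS4J code). A throwaway PKI (root -> intermediate -> leaf) is built with the
`cryptography` package; the leaf plays the certificate carried in the
BinarySecurityToken, and the trust store holds only the CA certificates.
All names, keys and certificates here are constructed for the example."""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _make_cert(common_name, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue an RSA-2048 certificate; with no issuer it is self-signed (a root)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    now = datetime.datetime.utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(key if issuer_key is None else issuer_key, hashes.SHA256())
    )
    return cert, key

def _within_validity(cert, now):
    try:
        nb, na = cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:                      # cryptography < 42
        nb, na = cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None) <= now <= na.replace(tzinfo=None)

def _issued_by(cert, issuer):
    """True if `issuer` both names and cryptographically signed `cert`."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def direct_trust(leaf, trust_store):
    """Direct trust: the received certificate itself must be in the trust store."""
    return any(leaf == trusted for trusted in trust_store)

def chain_trust(leaf, trust_store, subject_dn_constraint=None, max_depth=5):
    """Chain trust: walk from the received leaf through issuers found in the trust
    store until a self-signed anchor is reached. Every link must chain by name,
    verify by signature, be a CA and be within its validity period; the leaf's
    Subject DN is then matched against the optional regex constraint."""
    now = datetime.datetime.utcnow()
    if not _within_validity(leaf, now):
        return False
    current = leaf
    for _ in range(max_depth):
        issuers = [c for c in trust_store if _issued_by(current, c)]
        if not issuers:
            return False                        # this link has no trusted issuer
        issuer = issuers[0]
        if not _is_ca(issuer) or not _within_validity(issuer, now):
            return False
        if _issued_by(issuer, issuer):          # self-signed anchor reached
            break
        current = issuer
    else:
        return False                            # no anchor within max_depth
    if subject_dn_constraint is None:
        return True
    return re.search(subject_dn_constraint, leaf.subject.rfc4514_string()) is not None

# Constructed sample PKI: the trust store holds only the CAs, never the leaf.
ROOT, ROOT_KEY = _make_cert("Example Root CA", is_ca=True)
ISSUING_CA, ISSUING_KEY = _make_cert("Example Issuing CA", ROOT, ROOT_KEY, is_ca=True)
LEAF, _ = _make_cert("saml-signer", ISSUING_CA, ISSUING_KEY)
TRUST_STORE = [ROOT, ISSUING_CA]
ROGUE_CA, ROGUE_KEY = _make_cert("Rogue CA", is_ca=True)     # not in the trust store
ROGUE_LEAF, _ = _make_cert("saml-signer", ROGUE_CA, ROGUE_KEY)
SUBJECT_DN_CONSTRAINT = r"^CN=saml-signer,O=Example Org$"
```

With this setup `direct_trust(LEAF, TRUST_STORE)` is false, which is the situation the issue describes once the signing certificate is removed from the trust store, while `chain_trust(LEAF, TRUST_STORE, SUBJECT_DN_CONSTRAINT)` is true and a look-alike leaf from the rogue CA, or a leaf whose DN does not match the constraint, is rejected. Two caveats for anyone porting this: the walk takes the first matching issuer, whereas a cross-signed CA can yield several candidate paths and a real validator (Java's PKIX `CertPathBuilder`, for instance) must try each; and the DN string matched here is `cryptography`'s RFC 4514 rendering, which can differ from the string form a Java `X500Principal` produces, so a constraint regex has to be written against the exact form the validator in use emits.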