[ 
https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16746491#comment-16746491
 ] 

Colm O hEigeartaigh commented on CXF-7941:
------------------------------------------

Hi,

The problem in "request-test-broken-sanitised.xml" is that the PublicKey stored 
in the Assertion Signature KeyInfo is not in the truststore. As I said above, 
chain trust only works for the case of a certificate. So I think WSS4J is 
handling this appropriately.

However, what we could do for the case of a PublicKey Signature in general is 
to check to see if the public key matches that of a certificate carried in 
BinarySecurityToken, and then to trust verification on the Signature. I'm a bit 
reluctant though to implement this. If someone is including a PublicKey as the 
signing credentials of the KeyInfo, then they obviously expect that the 
recipient of the assertion has direct access to that public key.

Colm.


> SamlValidator does not work with chain trust
> --------------------------------------------
>
>                 Key: CXF-7941
>                 URL: https://issues.apache.org/jira/browse/CXF-7941
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.7
>            Reporter: Tomas Vanhala
>            Priority: Major
>         Attachments: cxf7941.zip, obsolete-code.txt, 
> request-real-sanitised.xml, request-test-broken-sanitised.xml, 
> request-test-working-sanitised.xml, stacktrace-request-test-broken.txt
>
>
> As explained here 
> [http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html],
> WSS4J supports specifying constraints on the subject DN of the certificate 
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests 
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to 
> sign the requests from the Merlin trust store, and setting an appropriate 
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to 
> handle a scenario where the certificate used to sign the requests is not in 
> the trust store. The problem seems to be in the method 
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by 
> including the needed PKI code in a customised SamlValidator, but we would 
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.
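The distinction Colm draws in his comment (chain trust is only possible when the signing credential is a certificate, a bare PublicKey in KeyInfo can only be matched directly against the truststore, and the "match the key to a carried certificate, then chain-validate that certificate" option is the workaround he is reluctant to add) is illustrated by the following added example. It is hypothetical helper code using only the JDK's `java.security` and `java.security.cert` APIs; it is not WSS4J's Merlin or SamlValidator code, and it assumes the caller has already extracted the KeyInfo PublicKey and, where present, the X.509 chain carried in a BinarySecurityToken. The chain is assumed to be ordered leaf-first and to exclude the trust anchor itself, as PKIX path validation expects.

```java
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical illustration of the trust models discussed in CXF-7941.
 * Not WSS4J/CXF code; it only uses standard JDK certificate APIs.
 */
public final class SignatureTrustExample {

    private SignatureTrustExample() {
    }

    /**
     * Direct trust: the signing key must itself be present in the truststore.
     * This is the only check available for a bare PublicKey in KeyInfo, because
     * there is no issuer chain to walk. It works equally for a certificate's key.
     */
    public static boolean isDirectlyTrusted(PublicKey signingKey, KeyStore trustStore) throws Exception {
        byte[] wanted = signingKey.getEncoded();
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            Certificate trusted = trustStore.getCertificate(aliases.nextElement());
            if (trusted != null && Arrays.equals(trusted.getPublicKey().getEncoded(), wanted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Chain trust: build a PKIX path from the signing certificate (plus any
     * intermediates) to a trust anchor in the truststore, then optionally apply a
     * Subject DN constraint to the leaf certificate, as in the linked blog post.
     * Only possible when the signer supplied a certificate, not a bare key.
     * The chain must be leaf-first and must not contain the trust anchor.
     */
    public static boolean isChainTrusted(List<X509Certificate> chain, KeyStore trustStore,
                                         Pattern subjectDnConstraint) throws Exception {
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(new ArrayList<>(chain));
        // Trust anchors come from the trusted certificate entries of the keystore.
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption for this example only; a production deployment should leave
        // revocation checking enabled (CRL/OCSP) or supply its own checker.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            return false;
        }
        if (subjectDnConstraint == null) {
            return true;
        }
        String subjectDn = chain.get(0).getSubjectX500Principal().getName();
        return subjectDnConstraint.matcher(subjectDn).matches();
    }

    /**
     * The option described in the comment: a bare PublicKey can only be
     * chain-trusted indirectly, by confirming it equals the key of a certificate
     * the message carries (e.g. in a BinarySecurityToken) and then chain-validating
     * that certificate. If the keys differ, the carried certificate says nothing
     * about the signer and the check must fail.
     */
    public static boolean isPublicKeyTrustedViaCarriedCert(PublicKey signingKey,
                                                           List<X509Certificate> carriedChain,
                                                           KeyStore trustStore,
                                                           Pattern subjectDnConstraint) throws Exception {
        if (carriedChain == null || carriedChain.isEmpty()) {
            return false;
        }
        PublicKey certKey = carriedChain.get(0).getPublicKey();
        if (!Arrays.equals(certKey.getEncoded(), signingKey.getEncoded())) {
            return false;
        }
        return isChainTrusted(carriedChain, trustStore, subjectDnConstraint);
    }
}
```

A deployment in the reporter's position (signing certificate removed from the truststore, issuer CA retained, a Subject DN constraint configured) would get `true` from `isChainTrusted` for the certificate case, while `isDirectlyTrusted` would correctly return `false` for the same key; this is the gap the comment attributes to the bare-PublicKey case, where only the direct lookup applies.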



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)