[jira] [Commented] (CXF-7941) SamlValidator does not work with chain trust

Thu, 24 Jan 2019 00:51:32 -0800 


    [ 
https://issues.apache.org/jira/browse/CXF-7941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750878#comment-16750878
 ] 

Tomas Vanhala commented on CXF-7941:
------------------------------------

Thank you for fixing the constraint separator issue, very much appreciated.

We made some changes to our testclient, now it creates a request that is almost 
identical to request-real-sanitised.xml. Chain trust works just fine for this 
request.

The initally reported CXF/WSS4J behaviour was triggered by a request, which 
erroneously used PublicKey as the signing credentials of the KeyInfo. The 
prerequisites for chain trust are not present in this case, 

CXF/WSS4J works as designed.This bug report can be rejected. 

> SamlValidator does not work with chain trust
> --------------------------------------------
>
>                 Key: CXF-7941
>                 URL: https://issues.apache.org/jira/browse/CXF-7941
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.7
>            Reporter: Tomas Vanhala
>            Priority: Major
>         Attachments: cxf7941.zip, obsolete-code.txt, 
> request-real-sanitised.xml, request-test-broken-sanitised.xml, 
> request-test-working-sanitised.xml, stacktrace-request-test-broken.txt
>
>
> As explained here 
> [http://coheigea.blogspot.com/2012/08/subject-dn-certificate-constraint.html,]
>  WSS4J supports specifying constraints on the subject DN of the certificate 
> used for signature validation.
> We have successfully applied "direct trust" when receiving SOAP requests 
> containing a signed SAML token.
> We attempted to migrate to "chain trust" by removing the certificate used to 
> sign the requests from the Merlin trust store, and setting an appropriate 
> Subject DN Cert Constraint.
> It did not work. Our analysis is that WSS4J's SamlValidator is not able to 
> handle a scenario where the certificate used to sign the requests is not in 
> the trust store. The problem seems to be in the method 
> findPublicKeyInKeyStore() of Merlin.java.
> We were able to make chain trust (and the Subject DN Cert Constraint) work by 
> including the needed PKI code in a customised SamlValidator, but we would 
> rather not go this route.
> Please fix chain trust in WSS4J SAML validation.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to