ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Freeman Fang (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WSS-341) the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status
Date Fri, 17 Feb 2012 02:25:59 GMT

     [ https://issues.apache.org/jira/browse/WSS-341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Freeman Fang updated WSS-341:
-----------------------------

    Description: 
currently it's
if (isCertificateInKeyStore(crypto, cert)) {
     return true;
}
However if the crypto here has keystore, then if cert is in it, it will return true in this
case, so it can't reach the 
crypto.verifyTrust(x509certs, enableRevocation) later to check with the revocation. This logic
is wrong in case the cert is in keystore but already get revoked.

The SignatureCRLTest can't cover this case because the CA Merlin crypto it passed in only
have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto,
cert)

  was:
currently it's
if (isCertificateInKeyStore(crypto, cert)) {
     return true;
}
However if the crypto has keystore, then the cert must be in it, so it always return true
in this case, so it can't reach the 
crypto.verifyTrust(x509certs, enableRevocation) to check with the revocation.

The SignatureCRLTest can't cover this case because the Merlin crypto it passed in only have
truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto,
cert)

    
> the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation
status
> ------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-341
>                 URL: https://issues.apache.org/jira/browse/WSS-341
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Freeman Fang
>            Assignee: Colm O hEigeartaigh
>
> currently it's
> if (isCertificateInKeyStore(crypto, cert)) {
>      return true;
> }
> However if the crypto here has keystore, then if cert is in it, it will return true in
this case, so it can't reach the 
> crypto.verifyTrust(x509certs, enableRevocation) later to check with the revocation. This
logic is wrong in case the cert is in keystore but already get revoked.
> The SignatureCRLTest can't cover this case because the CA Merlin crypto it passed in
only have truststore, we need check enableRevocation first before we check isCertificateInKeyStore(crypto,
cert)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message