OpenSAML 4.0.1 doesn't look for the issuer name while validating the certificate against trustedNames

I have the following code which sets up the PKIXSignatureTrustEngine as follows:

import java.security.KeyStoreException;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.impl.TrustedNamesCriterion;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap; // OpenSAML 4 package
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;

    // trustedKeyStore (a java.security.KeyStore), getEvaluator(...), TrustException and
    // TrustMessageBundle are defined elsewhere in the asker's code and are not shown here.
    private void testVerify(final Signature signature) {
        final PKIXSignatureTrustEngine trustEngine;
        final Set<String> trustedNames = new HashSet<>();
        try {
            // PKIX validation info (trust anchors) comes from the local truststore;
            // the inline KeyInfo resolver extracts the signer's certificate from <ds:KeyInfo>.
            trustEngine = new PKIXSignatureTrustEngine(
                    getEvaluator(trustedKeyStore),
                    DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());

            // Every keystore alias is passed along as a "trusted name".
            final Enumeration<String> aliases = trustedKeyStore.aliases();
            while (aliases.hasMoreElements()) {
                trustedNames.add(aliases.nextElement());
            }
        } catch (final KeyStoreException e) {
            throw new TrustException(e.toString(), e);
        }

        // The criteria set carries the trusted names into the engine, where the
        // name evaluator compares them against the leaf (entity) certificate.
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new TrustedNamesCriterion(trustedNames));

        try {
            if (!trustEngine.validate(signature, criteriaSet)) {
                throw new TrustException(TrustMessageBundle.SAMLVERIFIER_INVALID.format());
            }
        } catch (final SecurityException e) {
            throw new TrustException(e.toString(), e);
        }
    }

Along with this I have initialized the StaticPKIXValidationInformationResolver with supportDynamicNames set to true, so that my local trustStore entries are treated as trusted names.

Now my local trustStore has entries only for certificate issuers and not the leaf certificates.

Now the issue is that while validating the certificate against this local trustStore, OpenSAML's BasicX509CredentialNameEvaluator.processNameChecks returns false, as it only looks at SubjectAltNames, SubjectDNCommonName or SubjectDN; it doesn't check the issuer name.

So how do I make the OpenSAML code check the issuer name along with the leaf certificate's DN, as it should be referring to the cert chain and not the leaf certificate only?
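Added example (editor's code, not the asker's or OpenSAML's own): the engine's two trust layers built explicitly so it is visible where the issuer is actually checked. Path validation (CertPathPKIXTrustEvaluator) already requires the leaf to chain to a CA in the truststore, which is the "issuer check"; the name evaluator is a separate binding of the leaf to an expected peer name. The wrapper evaluator below keeps OpenSAML's subject checks and additionally accepts a match on the leaf's issuer DN. The class name IssuerAwareTrustEngineFactory, the methods anchorsFrom, subjectOrIssuerNameEvaluator and build, the constant MAX_PATH_DEPTH and the trustStore parameter are the editor's; import packages are assumed to be the OpenSAML 4 ones.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.X509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;

/** Editor's example: a PKIXSignatureTrustEngine with both trust layers spelled out. */
public final class IssuerAwareTrustEngineFactory {

    /** Hypothetical policy value: intermediate CAs allowed between leaf and trust anchor. */
    private static final int MAX_PATH_DEPTH = 3;

    private IssuerAwareTrustEngineFactory() {}

    /**
     * Layer 1, path validation: every certificate entry in the truststore becomes a trust
     * anchor, so the leaf must chain to one of them. This is where the issuer is verified.
     */
    public static PKIXValidationInformation anchorsFrom(final KeyStore trustStore)
            throws KeyStoreException {
        final List<X509Certificate> anchors = new ArrayList<>();
        final Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            final String alias = aliases.nextElement();
            if (trustStore.isCertificateEntry(alias)) {
                anchors.add((X509Certificate) trustStore.getCertificate(alias));
            }
        }
        return new BasicPKIXValidationInformation(
                anchors, Collections.<X509CRL>emptyList(), MAX_PATH_DEPTH);
    }

    /**
     * Layer 2, name evaluation: OpenSAML's built-in evaluator only compares trusted names with
     * the leaf's subjectAltNames / subject DN / subject CN. This wrapper also accepts a match on
     * the leaf's issuer DN (RFC 2253 form), which admits every certificate that CA issued.
     */
    public static X509CredentialNameEvaluator subjectOrIssuerNameEvaluator() {
        final BasicX509CredentialNameEvaluator subjectChecks = new BasicX509CredentialNameEvaluator();
        subjectChecks.setCheckSubjectAltNames(true);
        subjectChecks.setCheckSubjectDNCommonName(true);
        subjectChecks.setCheckSubjectDN(true);

        return new X509CredentialNameEvaluator() {
            @Override
            public boolean evaluate(final X509Credential credential, final Set<String> trustedNames)
                    throws SecurityException {
                if (trustedNames == null || trustedNames.isEmpty()) {
                    return true; // nothing to bind against, same outcome as the built-in evaluator
                }
                if (subjectChecks.evaluate(credential, trustedNames)) {
                    return true;
                }
                final X509Certificate leaf = credential.getEntityCertificate();
                if (leaf == null) {
                    return false;
                }
                final String issuer = leaf.getIssuerX500Principal().getName(X500Principal.RFC2253);
                for (final String trusted : trustedNames) {
                    try {
                        // normalise the trusted name to RFC 2253 so formatting differences don't matter
                        if (issuer.equals(new X500Principal(trusted).getName(X500Principal.RFC2253))) {
                            return true;
                        }
                    } catch (final IllegalArgumentException notADn) {
                        // e.g. a bare keystore alias: it cannot match an issuer DN, skip it
                    }
                }
                return false;
            }
        };
    }

    /** Wires both layers; trusted names arrive per call through TrustedNamesCriterion. */
    public static PKIXSignatureTrustEngine build(final KeyStore trustStore) throws KeyStoreException {
        final StaticPKIXValidationInformationResolver resolver =
                new StaticPKIXValidationInformationResolver(
                        Collections.singletonList(anchorsFrom(trustStore)),
                        new HashSet<String>(), // no static names ...
                        true);                 // ... supportDynamicNames reads them from the criteria
        return new PKIXSignatureTrustEngine(
                resolver,
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver(),
                new CertPathPKIXTrustEvaluator(),
                subjectOrIssuerNameEvaluator());
    }
}
```

Two points worth checking before adopting this. First, trusted names are compared against values that appear in the certificate, so they need to be certificate names (a CN, a subjectAltName, or a DN); a keystore alias only matches if it happens to equal one of those. Second, matching on the issuer DN widens the name binding to every certificate that CA has issued, which is what path validation already grants; it only adds meaning when the truststore holds a private CA dedicated to one peer, otherwise the trusted names should name the expected signer's subject.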



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source