[jboss-jira] [JBoss JIRA] (SECURITY-838) BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible

Darran Lofthouse (JIRA) issues at jboss.org
Wed Jun 4 10:50:17 EDT 2014


    [ https://issues.jboss.org/browse/SECURITY-838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12973331#comment-12973331 ] 

Darran Lofthouse commented on SECURITY-838:
-------------------------------------------

Isn't that the point of that login module?  i.e. a truststore with the CA cert can be used for the connection and then the BaseCertLoginModule verification is against a subset of certificates that could have been signed by the CA.

> BaseCertLoginModule does not actually check a client certificate for signing making the use of a CA not possible
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-838
>                 URL: https://issues.jboss.org/browse/SECURITY-838
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: PicketBox
>    Affects Versions: PicketBox_4_0_21.Beta2
>            Reporter: Tom Fonteyne
>            Assignee: Stefan Guilhen
>
> BaseCertLoginModule is not really checking if client certificates are valid. It only checks if the client certificate is present in the truststore and then does a binary compare.
> This means that properly signed client certificates by a CA cannot be used unless they are all imported into the truststore.
> A normal/standard setup would *only* have the CA certificate in the truststore and not the actual client certificates



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
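The two checks under discussion, written out as an added example in Java (this is not PicketBox's own code): an exact-match truststore lookup that mirrors the behaviour the report describes, beside PKIX chain validation, which accepts any client certificate that chains to a CA certificate held in the truststore. The class name, the command-line arguments (truststore path, truststore password, client certificate file in PEM or DER form) and the decision to leave revocation checking disabled are assumptions of this example.

```java
// Added example, not PicketBox code: contrasts an exact-match truststore lookup
// (what SECURITY-838 describes) with PKIX chain validation against a CA in the
// same truststore. Assumed invocation:
//   java ClientCertCheck <truststore.jks> <password> <client-cert.pem|.der>
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

public class ClientCertCheck {

    // Exact-match check: succeeds only if this very certificate is stored in the
    // truststore. Certificate.equals() compares the DER encodings, so a certificate
    // that is merely signed by a trusted CA is rejected here.
    static boolean presentInTruststore(KeyStore trustStore, X509Certificate clientCert)
            throws Exception {
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (trustStore.isCertificateEntry(alias)
                    && clientCert.equals(trustStore.getCertificate(alias))) {
                return true;
            }
        }
        return false;
    }

    // Chain validation: succeeds if the client certificate is signed by (or chains
    // to) a trusted certificate entry of the truststore and is inside its validity
    // period. A truststore holding only the CA certificate is sufficient.
    static boolean chainsToTrustedCa(KeyStore trustStore, X509Certificate clientCert)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        PKIXParameters params = new PKIXParameters(trustStore); // trusted entries become anchors
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured here
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("chain validation failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientCertCheck <truststore> <password> <client-cert>");
            System.exit(2);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate clientCert;
        try (InputStream in = new FileInputStream(args[2])) {
            // generateCertificate() accepts both PEM and DER input
            clientCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        System.out.println("subject:              " + clientCert.getSubjectX500Principal());
        System.out.println("issuer:               " + clientCert.getIssuerX500Principal());
        System.out.println("present in truststore: " + presentInTruststore(trustStore, clientCert));
        System.out.println("chains to trusted CA:  " + chainsToTrustedCa(trustStore, clientCert));
    }
}
```

Run against a truststore that contains only the CA certificate, a CA-signed client certificate prints `present in truststore: false` and `chains to trusted CA: true`, which is the gap the report describes. Note that the TLS layer has already performed chain validation by the time a login module sees the certificate, so the module's lookup is the second, application-level decision; which of the two checks is appropriate there is exactly the question raised in the comment above.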