[jboss-jira] [JBoss JIRA] (SECURITY-838) BaseCertLoginModule does not actually check a client certificate for signing, making the use of a CA not possible
Tom Fonteyne (JIRA)
issues at jboss.org
Wed Jun 4 10:54:18 EDT 2014
[ https://issues.jboss.org/browse/SECURITY-838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12973340#comment-12973340 ]
Tom Fonteyne commented on SECURITY-838:
---------------------------------------
This is the use-case:
https://github.com/picketlink2/picketlink-quickstarts/tree/master/saml/idp-ssl
so if you want to use PicketLink with certificates, *all* client certs need to be imported.
Perhaps a better solution (considering your point) is to ship a verifier that does allow CAs, which can then be configured.
> BaseCertLoginModule does not actually check a client certificate for signing, making the use of a CA not possible
> ---------------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-838
> URL: https://issues.jboss.org/browse/SECURITY-838
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: PicketBox
> Affects Versions: PicketBox_4_0_21.Beta2
> Reporter: Tom Fonteyne
> Assignee: Stefan Guilhen
>
> BaseCertLoginModule is not really checking if client certificates are valid. It only checks if the client certificate is present in the truststore and then does a binary compare.
> This means that properly signed client certificates by a CA cannot be used unless they are all imported into the truststore.
> A normal/standard setup would *only* have the CA certificate in the truststore and not the actual client certificates.
--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
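The two behaviours discussed in this thread, side by side, as an added example that is not PicketBox code and not part of the original report: `exact_match_check` models the "is this exact certificate in the truststore?" binary compare the issue describes, and `ca_signed_check` models what a CA-aware verifier has to do instead (issuer name match, CA basic constraint, validity window, signature verified with the CA's public key). It uses the Python `cryptography` library and generates a throwaway CA, a client certificate signed by it, and a second "Demo CA" with the same name but a different key, all constructed in-process; the names `Demo CA` and `alice` are hypothetical. It is a single-level check for illustration; a production login module should delegate to full PKIX path validation with revocation checking (in Java, `CertPathValidator`) rather than re-implement this.

```python
"""Exact-match truststore lookup versus CA signature verification.

Constructed demo (not PicketBox code): CA, client and look-alike CA certificates
are generated in memory so the script runs offline.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _build_cert(subject_cn, issuer_cert, issuer_key, subject_key, is_ca):
    """Issue a certificate for subject_cn; issuer_cert=None means self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _validity_window(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only the naive ones.
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        utc = datetime.timezone.utc
        return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def exact_match_check(client_cert, truststore):
    """The behaviour the report describes: accept only a byte-identical truststore entry."""
    der = client_cert.public_bytes(serialization.Encoding.DER)
    return any(der == entry.public_bytes(serialization.Encoding.DER) for entry in truststore)


def ca_signed_check(client_cert, truststore, now=None):
    """Accept a certificate issued by a CA certificate present in the truststore."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity_window(client_cert)
    if not (not_before <= now <= not_after):
        return False
    for ca in truststore:
        if ca.subject != client_cert.issuer:
            continue  # name mismatch: this entry did not issue the client cert
        try:
            constraints = ca.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            continue
        if not constraints.ca:
            continue  # an end-entity cert in the truststore must not act as an issuer
        try:
            ca.public_key().verify(
                client_cert.signature,
                client_cert.tbs_certificate_bytes,
                padding.PKCS1v15(),
                client_cert.signature_hash_algorithm,
            )
            return True  # signature made with the trusted CA's private key
        except InvalidSignature:
            continue  # same name, wrong key: keep looking, do not accept
    return False


def demo():
    ca_key = _make_key()
    ca_cert = _build_cert("Demo CA", None, ca_key, ca_key, is_ca=True)
    client_key = _make_key()
    client_cert = _build_cert("alice", ca_cert, ca_key, client_key, is_ca=False)
    # Look-alike CA: identical subject name, different key pair.
    rogue_key = _make_key()
    rogue_ca = _build_cert("Demo CA", None, rogue_key, rogue_key, is_ca=True)
    rogue_client = _build_cert("alice", rogue_ca, rogue_key, client_key, is_ca=False)

    truststore = [ca_cert]  # the "normal/standard setup": CA only, no client certs
    return {
        "exact_match": exact_match_check(client_cert, truststore),
        "exact_match_after_import": exact_match_check(client_cert, truststore + [client_cert]),
        "ca_signed": ca_signed_check(client_cert, truststore),
        "rogue_rejected": not ca_signed_check(rogue_client, truststore),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")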