OpenSAML user discussion

[Chad La Joie <>]

 wrote:
> While testing we found that the SignatureValidator.validate method indicated 
> that a saml a signature was valid using an expired certificate. Is this 
> appropriate behavior or should the validate method also validate the 
> certificate?

Thats expected.  The signature is valid.  Whether you trust the 
credential is a different matter.

> Is there some other place that the certificate is validated? We have a very 
> simple implementation and are not using a trust engine.

However you chose to do it.  The trust engines are what the IdP uses to 
do it.  A super, brain-dead-simple, way to do this would be to just have 
a trust set of certs and then do a byte[] comparison.  If the cert that 
signed it is in your trust list then you trust it, if not, you don't.

> Its not a big deal as we've added code to check the validity of the 
> certificate before validating the signature. I'm just wondering if this is a 
> bug or by design?

Well, if you think the signature is telling you anything then it is a 
big issue, because it's not.  I could easily gen a cert, intercept a 
message, remove the signature, change the message and sign with me cert. 
 If you never check if the cert is trusted you'd never know the difference.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch