
shibboleth-dev - Ding dong, the witch is dead

Subject: Shibboleth Developers



  • From: "Scott Cantor" <>
  • Subject: Ding dong, the witch is dead
  • Date: Tue, 12 Apr 2005 18:16:31 -0400
  • Organization: The Ohio State University

Or the trust file anyway.

Much more testing needed, but there's a basic and extended SP trust
implementation for the C++ SP checked in. The "legacy" trust provider will
automatically embed the new provider from within libshib and will
immediately start supporting the new options without changing the
TrustProvider type.

So far, cert compares work with SSL to bypass path validation, but
non-self-signed trust anchors do not. I'm not sure if I'm going to fix that.
I'd have to completely gut the OpenSSL certificate verifier, which assumes
self-signed roots at every step while moving certs around.

Rewriting it is not easy because the default verify function relies on a ton
of internal functions I'd have to also copy. I may look at what mod_ssl is
doing (there's a role model for you...), but for now this just may be a
limitation of the "platform". I guess if enough people bitched, it would
give me some ammo to convince the OpenSSL developers that violating PKIX
isn't a "feature".

-- Scott
