
STS : Perform proper trusted issuer validation of assertion

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.0
    • Labels:
      None
    • Account:
      VENICE 2017 (VENICE2017)

      Description

      Currently Gazelle-STS uses the configured issuer publicKey to validate assertions (from the configured jks). All assertions signed by anyone else will trigger an invalid signature error instead of an untrusted issuer error.

      It should instead be:
      1. Get issuer from certificate assertion.
      2. Verify if issuer is trusted => throw untrusted error if untrusted.
      3. Then verify signature with issuer publicKey => throw invalid signature error if invalid
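
The validation order described above, as an added Java example that is not Gazelle STS code. Assumptions: the trust store is modelled as a map from issuer name to public key (standing in for the configured JKS), and the `Assertion` record, the exception classes and the issuer names are hypothetical; records need Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class IssuerValidationDemo {
    static class UntrustedIssuerException extends Exception {
        UntrustedIssuerException(String m) { super(m); }
    }
    static class InvalidSignatureException extends Exception {
        InvalidSignatureException(String m) { super(m); }
    }
    // Simplified assertion (assumption): issuer name, signed bytes, signature value.
    record Assertion(String issuer, byte[] content, byte[] signature) {}

    static void validate(Assertion a, Map<String, PublicKey> trusted) throws Exception {
        // Steps 1-2: resolve the issuer first; an unknown issuer is rejected before any crypto.
        PublicKey key = a.issuer() == null ? null : trusted.get(a.issuer());
        if (key == null) throw new UntrustedIssuerException("untrusted issuer: " + a.issuer());
        // Step 3: verify with the key held in the trust store for that issuer.
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        v.update(a.content());
        if (!v.verify(a.signature())) throw new InvalidSignatureException("invalid signature: " + a.issuer());
    }

    static Assertion sign(String issuer, String content, PrivateKey k) throws Exception {
        byte[] bytes = content.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(k);
        s.update(bytes);
        return new Assertion(issuer, bytes, s.sign());
    }

    static String outcome(Assertion a, Map<String, PublicKey> trusted) throws Exception {
        try { validate(a, trusted); return "valid"; }
        catch (UntrustedIssuerException | InvalidSignatureException e) { return e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair(), other = gen.generateKeyPair();
        // Constructed sample data: one trusted issuer, one foreign issuer, one altered assertion.
        Map<String, PublicKey> trusted = Map.of("CN=trusted-idp", idp.getPublic());
        Assertion good = sign("CN=trusted-idp", "subject=alice", idp.getPrivate());
        Assertion foreign = sign("CN=other-idp", "subject=alice", other.getPrivate());
        Assertion tampered = new Assertion(good.issuer(), "subject=bob".getBytes(StandardCharsets.UTF_8), good.signature());
        for (Assertion a : new Assertion[] {good, foreign, tampered}) System.out.println(outcome(a, trusted));
    }
}
```

The foreign assertion is reported as an untrusted issuer and the altered one as an invalid signature, so the two failure causes stay distinguishable to the caller.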

              People

              • Assignee:
                ceoche Cédric EOCHE-DUVAL
                Reporter:
                ceoche Cédric EOCHE-DUVAL
              • Votes:
                0
                Watchers:
                1


                  Time Tracking

                  Estimated:
                  1d
                  Remaining:
                  0m
                  Logged:
                  4d 6h 45m
