shiro-dev mailing list archives

From Paul Merlin <eska...@n0pe.org>
Subject Re: X509Certificate support
Date Mon, 24 May 2010 16:56:37 GMT
On Monday, 24 May 2010 18:26:39, Brian Demers wrote:
> Here is what we have:
> http://github.com/sonatype/security/tree/master/security-realms/security-public-key-realm/
> 
> Note this just compares two public keys (so this assumes something else is
> doing the handshaking with the private key).
> 

Thanks for sharing Brian.

Some things are similar to my implementation (already attached as a patch in Jira). Looking at PublicKeyWithEquals, it could be related to my second matching strategy, fingerprint, except that you compare the public key data (pk.getEncoded()) and not the certificate data.

Be aware that a KeyPair can be certified several times, and so a PublicKey can be used in several X509Certificate 'instances'.

IOW, the SSL engine had proof that the client owns the PrivateKey and that its certificate is trusted. You then match only the PublicKey that's inside the certificate, not the certificate itself.

Use cases leading to a security hole in your implementation will certainly be awkward and depend a lot on deployment and certification policies, but one can imagine such a scenario.

We could say the very same about my Simple strategy.

/Paul
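The distinction Paul draws above, as an added Go example that is not part of this thread, of Shiro, or of the Sonatype realm: a constructed CA certifies one client key pair twice, and a PublicKeyWithEquals-style comparison of the encoded key treats the two certificates as the same principal while a fingerprint of the whole certificate does not. The helper names (issue, SameKey, SameCert, Demo), the CA and subject names, and the ECDSA P-256 key type are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the example short; real code should return the error.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue certifies pub under parent (self-signed root when parent is nil); two calls for the same pub give two distinct certificates carrying one public key.
func issue(serial int64, cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// SameKey mirrors a PublicKeyWithEquals-style check: only the encoded public key is compared, so every certificate ever issued for that key matches.
func SameKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

// SameCert compares a SHA-256 fingerprint of the whole DER certificate instead.
func SameCert(a, b *x509.Certificate) bool {
	return sha256.Sum256(a.Raw) == sha256.Sum256(b.Raw)
}

// Demo certifies one client key twice under a constructed CA and returns (SameKey, SameCert).
func Demo() (bool, bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue(1, "Demo CA", &caKey.PublicKey, nil, caKey)
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	c1 := issue(2, "alice", &clientKey.PublicKey, ca, caKey)
	c2 := issue(3, "alice (re-issued)", &clientKey.PublicKey, ca, caKey)
	return SameKey(c1, c2), SameCert(c1, c2)
}
func main() {
	k, c := Demo()
	fmt.Printf("same public key: %v, same certificate: %v\n", k, c) // true false
}
```

A realm that pins the certificate fingerprint therefore has to be updated whenever a key is re-certified, which is the operational trade-off for the tighter binding.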
