acciduck / jscep

Automatically exported from code.google.com/p/jscep
MIT License

org.jscep.server.ScepServlet doesn't validate CA/RA certificates returned by implementation. #34

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I created an implementation of ScepServer. I returned the CA certificate and RA 
certificate (encryption only) from method doGetCaCertificate. Apparently, I 
forgot to add the RA certificate (digital signature). 

The SCEP client was an iPhone device and it was kind of hard to figure out why it 
didn't like it.

It would be nice to add validation in class ScepServlet in the method 
doGetCaCert that one of three possibilities is used:
a) CA only cert returned
b) CA cert and RA cert (both for encryption and signing) returned
c) CA cert and 2 RA certs (one for encryption and one for signing) returned

I believe similar code for such validation exists in org.jscep.client.Client 
method selectRecepient.

Original issue reported on code.google.com by victor.r...@gmail.com on 11 May 2011 at 9:11
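
The three accepted shapes a), b) and c) listed in the report above, written as a check. This is an added example, not jscep code and not from either participant in the thread. The class `CaCertResponseCheck`, the record `Role` and the method `problem` are hypothetical names, and treating a certificate without a keyUsage extension as unrestricted is an assumption (Java 16 or later).

```java
import java.security.cert.X509Certificate;
import java.util.List;

/** Added example (not jscep code): checks the certificate set returned for GetCACert. */
public final class CaCertResponseCheck {
    /** Hypothetical summary of what the check needs to know about one certificate. */
    record Role(boolean ca, boolean signs, boolean encrypts) {
        static Role of(X509Certificate c) {
            boolean[] ku = c.getKeyUsage(); // null when the extension is absent
            return new Role(c.getBasicConstraints() != -1, // -1 means "not a CA"
                    bit(ku, 0),                 // digitalSignature
                    bit(ku, 2) || bit(ku, 3));  // keyEncipherment or dataEncipherment
        }
        // Assumption: a certificate without a keyUsage extension is unrestricted.
        static boolean bit(boolean[] ku, int i) {
            return ku == null || (i < ku.length && ku[i]);
        }
    }

    /** Returns null if the set is shape a), b) or c); otherwise a description of the problem. */
    static String problem(List<Role> certs) {
        long cas = certs.stream().filter(Role::ca).count();
        if (cas != 1) return "expected exactly one CA certificate, found " + cas;
        List<Role> ras = certs.stream().filter(r -> !r.ca()).toList();
        if (ras.isEmpty()) return null; // a) CA certificate only
        if (ras.size() > 2) return "expected at most two RA certificates, found " + ras.size();
        if (ras.stream().noneMatch(Role::signs)) return "no RA certificate usable for digital signature";
        if (ras.stream().noneMatch(Role::encrypts)) return "no RA certificate usable for encryption";
        return null; // b) one RA for both uses, or c) one RA per use
    }

    public static void main(String[] args) {
        // Constructed sample roles; with real certificates, map each one through Role.of.
        Role ca = new Role(true, true, false);
        Role raEnc = new Role(false, false, true);
        Role raSig = new Role(false, true, false);
        Role raBoth = new Role(false, true, true);
        System.out.println("a) CA only:         " + problem(List.of(ca)));
        System.out.println("b) CA + RA (both):  " + problem(List.of(ca, raBoth)));
        System.out.println("c) CA + two RAs:    " + problem(List.of(ca, raEnc, raSig)));
        // The situation from the report: the signing RA certificate was left out.
        System.out.println("CA + RA (enc only): " + problem(List.of(ca, raEnc)));
    }
}
```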

GoogleCodeExporter commented 8 years ago
The behaviour on the client-side is a required step needed to talk to the 
server.  Adding this sort of behaviour on the server-side would only serve to 
check for programming errors, so I don't think it's essential.

Original comment by davidgrant41 on 12 May 2011 at 4:51

GoogleCodeExporter commented 8 years ago

Original comment by davidgrant41 on 13 May 2011 at 9:28

GoogleCodeExporter commented 8 years ago
I agree that this logic will serve only for the purpose of checking programming 
errors. 
And I believe it's a reasonably low-priority thing (compared to real bugs and 
new features).

However, I disagree that it's not essential.

I think the validation of returned values (in this case) is equivalent to 
validation of arguments (which is quite important for an external API).

It could save somebody quite a lot of time if he/she stumbles on the same 
problem.

P.S. Just wanted to share my thoughts. I understand if you decide to keep 
the status of this improvement as WontFix.

Original comment by victor.r...@gmail.com on 16 May 2011 at 5:58

GoogleCodeExporter commented 8 years ago
OK, I think your argument makes a case for further consideration.  I won't 
schedule it for a specific release now: there's probably a bit of work to do to 
ensure other arguments are also checked for the sake of consistency.

Original comment by davidgrant41 on 16 May 2011 at 6:41

GoogleCodeExporter commented 8 years ago
Thanks.

Original comment by victor.r...@gmail.com on 16 May 2011 at 8:59

GoogleCodeExporter commented 8 years ago

Original comment by da...@grant.org.uk on 13 Jul 2011 at 6:37

GoogleCodeExporter commented 8 years ago

Original comment by da...@grant.org.uk on 23 Aug 2011 at 8:14