Inside org/springframework/security/saml/trust/X509TrustManager.java line 91 we have an if statement with condition: trustEngine.validate(credential, criteriaSet). this condition is false so the else is executed and the UntrustedCertificateException(sb.toString(), x509Certificates); is thrown. the validate method in our trust engine org/opensaml/xml/security/x509/PKIXX509CredentialTrustEngine.java returns false. Why? it sets trustedNames to null and then checks another if statement which is always true and goes inside if statement executing resolveTrustedNames method. Inside this method creates an empty set with trustBasisCriteria which is empty and adds other which are nothing and returns empty set. so our trustedNames turns to empty instead of null. in return value the validate method gets trusted names as an argument (which now is empty instead of null)
Set<String> trustedNames = null;
if (pkixResolver.supportsTrustedNameResolution()) {
trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria);
} else {
log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
}
return validate(untrustedCredential, trustedNames, pkixResolver.resolve(trustBasisCriteria));
now inside this method there is another if statement:
if (!checkNames(trustedNames, untrustedX509Credential)) {
return false;
}
this tries to check names from trustedNames which now is empty instead of null but the logic inside checkNames is:
if (trustedNames == null) {
return true;
}
but it is not null, it is empty. so instead of true returns false so validation returns false and so on.
Inside
org/springframework/security/saml/trust/X509TrustManager.java
line91
we have an if statement with condition:trustEngine.validate(credential, criteriaSet)
. this condition is false so the else is executed and theUntrustedCertificateException(sb.toString(), x509Certificates);
is thrown. the validate method in our trust engineorg/opensaml/xml/security/x509/PKIXX509CredentialTrustEngine.java
returns false. Why? it setstrustedNames
to null and then checks another if statement which is always true and goes inside if statement executingresolveTrustedNames
method. Inside this method creates an empty set with trustBasisCriteria which is empty and adds other which are nothing and returns empty set. so ourtrustedNames
turns to empty instead of null. in return value thevalidate
method gets trusted names as an argument (which now is empty instead of null)now inside this method there is another if statement:
this tries to check names from
trustedNames
which now is empty instead of null but the logic insidecheckNames
is:but it is not null, it is empty. so instead of true returns false so validation returns false and so on.