sumit-kumar-iitm / jopenid

Automatically exported from code.google.com/p/jopenid

no check that openid.signed contains mandatory fields #13

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

An attacker can arbitrarily choose the value of openid.signed (including the
empty list). The signature thus becomes the signature of the empty string. This
issue might not be directly exploitable, but the current implementation does at
least not comply with the OpenID specification.

What is the expected output? What do you see instead?

expected: check for mandatory fields in openid.signed (see below for list of 
fields).
actual: no check on openid.signed is performed.

What version of the product are you using? On what operating system?

JOpendID-1.07

Please provide any additional information below.

http://openid.net/specs/openid-authentication-2_0.html#positive_assertions
openid.signed: This list MUST contain at least "op_endpoint", "return_to",
"response_nonce" and "assoc_handle", and if present in the response,
"claimed_id" and "identity".

Original issue reported on code.google.com by cb%doodl...@gtempaccount.com on 15 Sep 2010 at 9:59
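The check the report asks for, as an added example that is not JOpenID's own code: it validates openid.signed against the mandatory (and conditionally mandatory) fields quoted above before computing the HMAC over the Key-Value Form of the signed fields, so an empty or attacker-chosen openid.signed is rejected rather than verified against an HMAC of the empty string. The association key, endpoint URLs, nonce and handle are constructed sample values.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 positive assertions: always-signed fields, and fields signed if present.
MANDATORY_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
CONDITIONAL_SIGNED = ("claimed_id", "identity")

def missing_signed_fields(params):
    """Names required in openid.signed but absent; an empty list means OK."""
    signed = [f for f in params.get("openid.signed", "").split(",") if f]
    missing = [f for f in MANDATORY_SIGNED if f not in signed]
    missing += [f for f in CONDITIONAL_SIGNED
                if "openid." + f in params and f not in signed]
    return missing

def signature_base(params):
    """Key-Value Form of the signed fields, in openid.signed order (spec section 6)."""
    fields = [f for f in params.get("openid.signed", "").split(",") if f]
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)

def sign(params, mac_key):
    mac = hmac.new(mac_key, signature_base(params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify_assertion(params, mac_key):
    """Accept only if openid.signed covers the mandatory fields and the HMAC matches."""
    if missing_signed_fields(params):
        return False      # the check the issue reports JOpenID 1.07 does not perform
    try:
        expected = sign(params, mac_key)
    except KeyError:      # openid.signed names a field the response does not carry
        return False
    return hmac.compare_digest(expected, params.get("openid.sig", ""))

# Constructed sample: a positive assertion under a hypothetical association key.
MAC_KEY = b"constructed-association-key"
GOOD = {
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2010-09-15T09:59:00Zabcdef",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
GOOD["openid.sig"] = sign(GOOD, MAC_KEY)
# The issue's case: empty openid.signed, so the HMAC covers only the empty string.
EMPTY_SIGNED = dict(GOOD, **{"openid.signed": ""})
EMPTY_SIGNED["openid.sig"] = sign(EMPTY_SIGNED, MAC_KEY)
```

Without the field check, EMPTY_SIGNED would verify, since its openid.sig is a valid HMAC over the empty string; with it, the response is refused before any HMAC is compared.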

GoogleCodeExporter commented 8 years ago
I want to use the OpenID concept with single sign-on for my application. So which
one should I use, JOpenID or openid4java? Which one is most used these days,
and which one is the latest?

Original comment by mandeepk...@gmail.com on 20 Apr 2012 at 9:32