This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

Does spring-security-saml v 2.x support certificate revocation check? #438

Open
ekaterinasmarp opened this issue May 21, 2019 · 6 comments


@ekaterinasmarp

Hello,

We are using spring saml 2.0 milestone version. It is stated in the documentation that there is some kind of support for the PKIX profile in saml 1.0: https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#configuration-security-profiles-pkix

Is it still true for the 2.0 version? How do I enable this profile?

Thanks for the great library btw :)

@fhanik

fhanik commented May 22, 2019

@ekaterinasmarp
That feature is not implemented, but it would be fairly straightforward.
It depends on when you'd want to check the certificate validation.

Is it at the time of exchanging metadata, or at the time of signature validation (which would happen when we check metadata too)?

@ekaterinasmarp

Thanks for the reply.
I am asking mainly about the signature validation step.

@fhanik

fhanik commented May 22, 2019

Signatures are validated.

@ekaterinasmarp

Is it possible to verify signatures using the PKIX profile during the validation process? Or is there any other way to enable CRL checks?

@fhanik

fhanik commented May 22, 2019

Signature validation is just a mathematical calculation between signing key, content, signature value and the verification key.
The certificate revocation step is separate, as all it does is check the certificate independent of the signature, and it is not implemented at this time.

I do however love pull requests should you want to include it and contribute.
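For readers weighing up such a contribution, the following is an added example (not code from spring-security-saml) of the separate step described above: PKIX path validation of the IdP signing certificate with CRL-based revocation checking, using only the JDK's `java.security.cert` API. It assumes the signing certificate, a trusted CA certificate and that CA's CRL are available as local PEM/DER files; the file names in `main` are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

/** PKIX path validation plus CRL revocation check for a SAML signing certificate, JDK API only. */
public class SigningCertRevocationCheck {
    /** Validates signingCert up to one of trustedCas and checks it against the supplied CRLs.
     *  Throws CertPathValidatorException (getReason() e.g. REVOKED) when the cert must be rejected. */
    public static PKIXCertPathValidatorResult validate(X509Certificate signingCert,
            Set<X509Certificate> trustedCas, Collection<X509CRL> crls) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Path to validate: the end-entity cert alone; prepend intermediates if the IdP uses them.
        CertPath path = cf.generateCertPath(Collections.singletonList(signingCert));
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : trustedCas) anchors.add(new TrustAnchor(ca, null));
        PKIXParameters params = new PKIXParameters(anchors);
        // The revocation step that plain signature verification never performs.
        params.setRevocationEnabled(true);
        // CRLs supplied locally, so no network access is needed. If no CRL matches the issuer the
        // validator fails with UNDETERMINED_REVOCATION_STATUS instead of silently passing.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    private static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    private static X509CRL loadCrl(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    // Usage: java SigningCertRevocationCheck idp-signing.pem trusted-ca.pem ca.crl (placeholder names)
    public static void main(String[] args) throws Exception {
        try {
            validate(loadCert(args[0]), Collections.singleton(loadCert(args[1])),
                    Collections.singletonList(loadCrl(args[2])));
            System.out.println("ACCEPT: signing certificate chains to a trusted CA and is not revoked");
        } catch (CertPathValidatorException e) {
            System.out.println("REJECT signing certificate: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

In a SAML integration this check would run on the certificate taken from the IdP metadata KeyDescriptor before (or alongside) the XML signature verification, since a valid signature says nothing about whether the signing certificate has been revoked.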

@ekaterinasmarp

Thanks for the information! I have to think about how to implement it (but I probably would not start on it during the next couple of weeks).
