Trust engines fail to trap xmlsec exceptions when key resolver fails
Basics
Technical
Logistics
Basics
Technical
Logistics
Description
The trust engines usually rely on xmlsec KeyResolver classes that call into openssl wrappers to parse certificates and keys, and the wrappers can throw XSECCryptoExceptions, which aren't caught. Under some conditions, they'll crash shibd.
The underlying problem of a bad cert won't be corrected by the fix, but the error can be safely trapped.
The trust engines usually rely on xmlsec KeyResolver classes that call into openssl wrappers to parse certificates and keys, and the wrappers can throw XSECCryptoExceptions, which aren't caught. Under some conditions, they'll crash shibd.
The underlying problem of a bad cert won't be corrected by the fix, but the error can be safely trapped.