Hi Marcin,

You can't get the KeyStore object from the Crypto interface any more,
as the Crypto interface is meant to represent an implementation-
independent way of obtaining certificates, etc. However, the default
implementation, which is Merlin, has a "getKeyStore()" method, so you
could just cast the Crypto object to Merlin and you should be set.

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?view=markup

Having said that, there's no reason the Crypto interface can't supply
all of the certificates, so if you want to open a JIRA against 1.6.1
for this then feel free to do so.

By the way, Merlin has its own "verifyTrust" implementation, which
takes care of validating the certificate chain, except it doesn't use
CRLs. It's something I've been meaning to look into, but haven't had
the time - I'm not sure off-hand why CRL revocation is turned off. If
it were turned on, would that functionality suit your needs?

Colm.

On Thu, Apr 14, 2011 at 2:44 PM,  <[email protected]> wrote:
> Hello,
>
> I'm currently trying to migrate my project from wss4j 1.5.x to 1.6. But I
> encountered problems with the new Crypto Interface. In the old version it
> was possible to get all Certificates from the keystore (by getting the
> KeyStore and so on). But now it is not possible anymore. I can get the
> Certificates by type (alias, DN, Hash,...), but I can't get all of them.
> Or maybe I just don't see the proper method...
>
> My second issue: if I want to validate the trust chain, then I can use the
> new method "Crypto.verifyTrust(...)". But it does not check the CRLs. What
> do I have to do to check the CRLs?
> Up to wss4j 1.5 I could get the KeyStore from the Crypto and then pass it to
> the "CertPathValidator" (besides some other needed params). But now I can't
> get the KeyStore...
>
> Can someone help me with these issues?
>
> Here are some snippets from my code for better understanding of these two
> problems:
> 1) - iterating over all certificates:
> ...
> Enumeration aliases = crypto.getKeyStore().aliases(); // <- I can't get the keystore now...
> while (aliases.hasMoreElements())
> {
> String debugAlias = aliases.nextElement().toString();
> X509Certificate[] debugCertificates = crypto.getCertificates(debugAlias);
> ...
> }
>
> 2) - validating the certificate trust chain with CRLs:
> ...
> CertPath path = crypto.getCertificateFactory().generateCertPath(certList); // <- List<X509Certificate>...
> PKIXParameters param = new PKIXParameters(crypto.getKeyStore()); // <- I can't get the keystore now...
> param.addCertStore(crlCertStore);
> param.setRevocationEnabled(true);
> CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
> CertPathValidatorResult result = certPathValidator.validate(path, param);
> ...
>
> If I could get the KeyStore, then both my problems would be solved. If I
> could get all Certificates, then they would be solved too - in the second
> case I can generate a set of TrustAnchors from the certificates and pass it
> to the PKIXParameters.
>
> Greetings,
> Marcin Markiewicz
>
>
>
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
> Fiducia IT AG
> Fiduciastraße 20
> 76227 Karlsruhe
>
> Sitz der Gesellschaft: Karlsruhe
> AG Mannheim HRB 100059
>
> Vorsitzender des Aufsichtsrats: Gregor Scheller
> Vorsitzender des Vorstands: Michael Krings
> Stellv. Vorsitzender des Vorstands: Klaus-Peter Bruns
> Vorstand: Jens-Olaf Bartels, Hans-Peter Straberger
>
> Umsatzsteuer-ID.Nr. DE143582320, http://www.fiducia.de
> ----------------------------------------------------------------------------------------------------------------------------------------------
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
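Putting the two halves of this exchange together, here is a worked example (added here, not code from Colm, Marcin or the WSS4J project): the Crypto-to-Merlin cast that Colm suggests to recover the KeyStore, the alias loop Marcin used to enumerate every certificate, rebuilt as a set of PKIX TrustAnchors, and a CertPathValidator run with revocation enabled and CRLs supplied from memory, which is the check Merlin's own verifyTrust skips. The class and method names are mine; the only WSS4J API it relies on is Merlin.getKeyStore() from the linked 1.6 source. It assumes the CRLs have already been fetched (from the CDP, a file, or a directory) and parsed into X509CRL objects.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.*;
import java.util.*;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.Merlin;

/** Hypothetical helper class (not part of WSS4J) built around Merlin.getKeyStore(). */
public final class CrlAwareTrustCheck {

    /**
     * The cast suggested in the reply: only the default Merlin implementation
     * exposes its KeyStore, so fail loudly for any other Crypto implementation
     * instead of letting a ClassCastException surface somewhere unrelated.
     */
    public static KeyStore keyStoreOf(Crypto crypto) {
        if (!(crypto instanceof Merlin)) {
            throw new IllegalArgumentException(
                "Only the Merlin Crypto implementation exposes its KeyStore, got "
                + crypto.getClass().getName());
        }
        return ((Merlin) crypto).getKeyStore();
    }

    /**
     * Replacement for the old crypto.getKeyStore().aliases() loop: walk every
     * alias and turn each X.509 certificate into a PKIX trust anchor.
     * Non-X.509 entries (secret keys, for example) are skipped.
     */
    public static Set<TrustAnchor> trustAnchorsOf(KeyStore store) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = store.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) cert, null));
            }
        }
        if (anchors.isEmpty()) {
            // An empty anchor set would make PKIXParameters throw anyway; say why up front.
            throw new KeyStoreException("no X.509 certificates in the store, nothing to trust");
        }
        return anchors;
    }

    /**
     * Validates the chain against the anchors with revocation checking switched ON,
     * using the supplied CRLs as the only revocation source (no network access).
     * Throws CertPathValidatorException if a certificate is revoked, if the chain does
     * not lead to an anchor, or if no CRL covering a chain member can be found:
     * PKIX with revocation enabled fails closed on a missing CRL rather than
     * silently treating the certificate as good.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       Set<TrustAnchor> anchors,
                                                       Collection<X509CRL> crls)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);   // the step Merlin.verifyTrust does not perform
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    /** End-to-end use: unwrap the Merlin store, build anchors, validate with CRLs. */
    public static PKIXCertPathValidatorResult verifyWithCrls(Crypto crypto,
                                                             List<X509Certificate> chain,
                                                             Collection<X509CRL> crls)
            throws GeneralSecurityException {
        return validate(chain, trustAnchorsOf(keyStoreOf(crypto)), crls);
    }
}
```

Two practical notes. First, the chain passed to generateCertPath must be ordered leaf first and must not include the trust anchor itself; the anchors come from the PKIXParameters. Second, with revocation enabled the validator needs a CRL for every issuer in the chain, so keep the CRL collection fresh and, if your anchors are configured in Merlin's separate truststore rather than the keystore, unwrap that store instead (check the linked Merlin source for the matching accessor).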
