[
https://issues.apache.org/jira/browse/WSS-520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533726#comment-17533726
]
Philip Helger commented on WSS-520:
-----------------------------------
This problem occurs if the signing certificate in the keystore is a key entry
that does not have the full chain in it.
See the following screenshot from KeyStore explorer with a broken key entry:
!image-2022-05-09-11-42-05-503.png!
To correct the error, the addition of a hierarchy is needed. Then the key entry
details should look like this:
!image-2022-05-09-11-44-14-940.png!
Of course, use the correct "chain" and not the one depicted in the image.
The latest version of Keystore explorer has a nice feature to easily append a
certificate to the chain:
!image-2022-05-09-11-46-06-921.png!
From the above example, first append the "TeleSec Business CA 21" trusted
certificate, and then the "T-TeleSec GlobalRoot Class 2" certificate. Repeat
this game until you are at the top. Don't forget to save your keystore
afterwards.
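A standalone check for the condition described in the comment above, added here as an example (it is not WSS4J code and not the commenter's): it loads the keystore, walks the key entry's certificate chain and reports whether every certificate above the leaf is a CA certificate and whether the chain reaches a self-signed root. The keystore file, password and alias are assumptions passed on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class KeyEntryChainCheck {

    /** Returns the problems found in the chain stored under alias; an empty list means the chain looks complete. */
    public static List<String> checkChain(KeyStore ks, String alias) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.isKeyEntry(alias)) { problems.add("alias '" + alias + "' is not a key entry"); return problems; }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) { problems.add("key entry has no certificate chain"); return problems; }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            // Every certificate above the leaf must carry basicConstraints CA=true,
            // otherwise the PKIX validator reports "this is not a CA certificate".
            if (i > 0 && cert.getBasicConstraints() < 0) {
                problems.add("chain[" + i + "] " + cert.getSubjectX500Principal() + " is not a CA certificate");
            }
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                try {
                    cert.verify(issuer.getPublicKey()); // the next entry must actually have signed this one
                } catch (Exception e) {
                    problems.add("chain[" + (i + 1) + "] did not sign chain[" + i + "]: " + e.getMessage());
                }
            }
        }
        // A complete chain ends at a self-signed root; a lone leaf (the broken key entry) fails here.
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (!top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
            problems.add("chain stops at " + top.getSubjectX500Principal()
                    + "; append its issuer " + top.getIssuerX500Principal() + " and repeat up to the root");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeyEntryChainCheck <keystore-file> <password> <alias>  (all three are assumptions)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // PKCS12 on current JDKs; reads JKS too
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> problems = checkChain(ks, args[2]);
        System.out.println(problems.isEmpty() ? "chain looks complete" : String.join("\n", problems));
    }
}
```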
> Searching in wrong path for the message.
> ----------------------------------------
>
> Key: WSS-520
> URL: https://issues.apache.org/jira/browse/WSS-520
> Project: WSS4J
> Issue Type: Bug
> Reporter: renu
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Attachments: image-2022-05-09-11-42-05-503.png,
> image-2022-05-09-11-44-14-940.png, image-2022-05-09-11-46-06-921.png
>
>
> Getting exception:
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: No message with ID "certpath" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a java.security.cert.CertPathValidatorException and message basic constraints check failed: this is not a CA certificate
> Original Exception was java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
> at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:933)
> at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:108)
> at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
> at org.apache.wss4j.dom.validate.SamlAssertionValidator.verifySignedAssertion(SamlAssertionValidator.java:130)
> at org.apache.wss4j.dom.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:109)
>
> Instead of searching for the message in the resource bundle of wss4j, the message is
> searched in xml security, thus causing the exception.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)