RE: How to use multiple CRL with WSS4J ?
Many thanks for confirming the implementation for only X509.

Martin Gainty

From: cohei...@apache.org
Date: Fri, 30 Sep 2016 16:40:42 +0100
Subject: Re: How to use multiple CRL with WSS4J ?
To: users@ws.apache.org

Martin, are you referring to the missing "PKCS7"? Merlin is designed to work with X.509 certificates, so it doesn't apply here.

Colm.

On Fri, Sep 30, 2016 at 4:35 PM, Martin Gainty <mgai...@hotmail.com> wrote:

From: cohei...@apache.org
Date: Fri, 30 Sep 2016 15:42:53 +0100
Subject: Re: How to use multiple CRL with WSS4J ?
To: users@ws.apache.org

Yes please do a pull request, or create a JIRA and attach the diff there.

Colm.

On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.w...@gmail.com> wrote:

Ok found your github. Will do a pull request.

2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:

New version with the trim() correctly done after the split not before...

2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:

Found that it was not possible with Merlin because it only allows to define a single CRL File. I have done a quick change that enables a comma separated list of CRLs. Here is the change.
Can someone review it and if it's ok add it to the official source code?

    //
    // Load the CRL file
    //
    String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
    if (crlLocations != null) {
        crlLocations = crlLocations.trim();
        String[] splittedCrlsLocation = crlLocations.split(",");
        List crls = new ArrayList();
        for (int i = 0; i < splittedCrlsLocation.length; i++) {
            String crlLocation = splittedCrlsLocation[i];
            InputStream is = loadInputStream(loader, crlLocation);
            try {
                CertificateFactory cf = getCertificateFactory();
                X509CRL crl = (X509CRL) cf.generateCRL(is);
                crls.add(crl);
            } catch (Exception e) {
                if (DO_DEBUG) {
                    LOG.debug(e.getMessage(), e);
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
            } finally {
                if (is != null) {
                    is.close();
                }
            }
        }
        try {
            if (provider == null || provider.length() == 0) {
                crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
            } else {
                crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls), provider);
            }
        } catch (Exception e) {
            if (DO_DEBUG) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
        }
        if (DO_DEBUG) {
            LOG.debug("The CRL " + crlLocations + " has been loaded");
        }
    }

MG> Merlin.java:
MG>     List certList = Arrays.asList(x509certs);
MG>     CertPath path = getCertificateFactory().generateCertPath(certList);
MG> what I see from IBM:
MG>     FileInputStream fis = new FileInputStream(filename);
MG>     // instantiate a CertificateFactory for X.509
MG>     CertificateFactory cf = CertificateFactory.getInstance("X.509");
MG>     // extract the certification path from
MG>     // the PKCS7 SignedData structure
MG>     CertPath cp = cf.generateCertPath(fis, "PKCS7");
MG> is IBM doc incorrect?
MG> http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/certpathDocs/certificatefactory.html

Best Regards,
Claude

2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:

Hi,
I got the following pki chain Root CA > Intermediate CA > Client signing certificate.
As suggested by Colm, I have set in my truststore my Intermediate CA and my Root CA. However, by doing this, CRL verification doesn't work. In fact, it seems to validate my Intermediate CA against the Root CA CRL while I'm only interested to verify the client certificate.
I'm not sure how revocation validation works but it seems to validate the CRL for every certificate (except the Root). However, I don't know how to specify multiple CRLs in WSS4J or if
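What Claude observed is standard PKIX behaviour: the validator checks the revocation status of every certificate in the path below the trust anchor, and checks each one against a CRL signed by that certificate's own issuer. The client certificate therefore needs the Intermediate CA's CRL and the Intermediate CA certificate needs the Root CA's CRL, and both must be reachable from the same CertStore. The following added example (my own code, not WSS4J's and not Claude's patch; the class and method names are mine, and it assumes BouncyCastle bcprov and bcpkix on the classpath) mints the three-tier hierarchy in memory, issues one CRL per CA, and runs the JDK PKIX CertPathValidator with revocation enabled over a Collection CertStore, which is the structure the multi-CRL Merlin change builds:

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example, not WSS4J code: Root CA > Intermediate CA > client cert, one CRL per CA,
// validated by the JDK PKIX validator (the one Merlin delegates to) with revocation enabled.
public class MultiCrlPathValidation {
    private static final long DAY_MS = 24L * 3600 * 1000;

    static KeyPair keyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Certificate for subject, signed with issuerKey; ca=true marks it as a CA via basicConstraints
    static X509Certificate issue(String issuerDn, PrivateKey issuerKey, String subjectDn,
                                 KeyPair subject, long serial, boolean ca) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                new X500Name(issuerDn), BigInteger.valueOf(serial),
                new Date(now - DAY_MS), new Date(now + 30 * DAY_MS),
                new X500Name(subjectDn), subject.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    // CRL signed by issuerKey that revokes the given serials (none = empty but still valid CRL)
    static X509CRL crl(String issuerDn, PrivateKey issuerKey, long... revoked) throws Exception {
        Date now = new Date();
        X509v2CRLBuilder b = new X509v2CRLBuilder(new X500Name(issuerDn), now);
        b.setNextUpdate(new Date(now.getTime() + DAY_MS));
        for (long serial : revoked) {
            b.addCRLEntry(BigInteger.valueOf(serial), now, CRLReason.keyCompromise);
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CRLConverter().getCRL(b.build(signer));
    }

    // Validate the path [leaf, intermediate] up to the root anchor. All CRLs go into ONE
    // Collection CertStore, which is exactly what a multi-CRL Merlin configuration produces.
    static String validate(X509Certificate root, X509Certificate inter, X509Certificate leaf,
                           List<X509CRL> crls) throws Exception {
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true); // default JDK checker: hard-fail when no CRL is found
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(leaf, inter));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "VALID";
        } catch (CertPathValidatorException e) {
            return "REJECTED (" + e.getReason() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String rootDn = "CN=Root CA", interDn = "CN=Intermediate CA", leafDn = "CN=client";
        KeyPair rootKey = keyPair(), interKey = keyPair(), leafKey = keyPair();
        X509Certificate root = issue(rootDn, rootKey.getPrivate(), rootDn, rootKey, 1, true);
        X509Certificate inter = issue(rootDn, rootKey.getPrivate(), interDn, interKey, 2, true);
        X509Certificate leaf = issue(interDn, interKey.getPrivate(), leafDn, leafKey, 3, false);
        X509CRL rootCrl = crl(rootDn, rootKey.getPrivate());    // covers the intermediate cert
        X509CRL interCrl = crl(interDn, interKey.getPrivate()); // covers the client cert
        X509CRL interCrlRevoked = crl(interDn, interKey.getPrivate(), 3);

        // The two failing setups from the thread, the working one, then a genuine revocation
        System.out.println("intermediate CRL only:   " + validate(root, inter, leaf, Arrays.asList(interCrl)));
        System.out.println("root CRL only:           " + validate(root, inter, leaf, Arrays.asList(rootCrl)));
        System.out.println("both CRLs:               " + validate(root, inter, leaf, Arrays.asList(rootCrl, interCrl)));
        System.out.println("both CRLs, leaf revoked: " + validate(root, inter, leaf, Arrays.asList(rootCrl, interCrlRevoked)));
    }
}
```

The first two runs are rejected with reason UNDETERMINED_REVOCATION_STATUS (the validator found no CRL for one issuer in the path), the third prints VALID, and the fourth is rejected with reason REVOKED. The two CRLs cannot be merged into a single CRL, since each is signed by a different issuer; if one file is preferred over a comma-separated list, the JDK's `CertificateFactory.generateCRLs(InputStream)` does read every CRL from a concatenated PEM file, whereas `generateCRL` reads only the first.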
Re: How to use multiple CRL with WSS4J ?
Yes please do a pull request, or create a JIRA and attach the diff there.

Colm.

On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois wrote:
> Ok found your github. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois:
>> New version with the trim() correctly done after the split not before...
>>
>> 2016-09-30 16:04 GMT+02:00 Claude Libois:
>>> Found that it was not possible with Merlin because it only allows to define a single CRL File.
>>> I have done a quick change that enables a comma separated list of CRLs.
>>> Here is the change. Can someone review it and if it's ok add it to the official source code?
>>> [...]
>>> Best Regards,
>>> Claude
>>>
>>> 2016-09-30 15:14 GMT+02:00 Claude Libois:
>>>> Hi,
>>>> [...]

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: How to use multiple CRL with WSS4J ?
Ok found your github. Will do a pull request.

2016-09-30 16:19 GMT+02:00 Claude Libois:
> New version with the trim() correctly done after the split not before...
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois:
>> Found that it was not possible with Merlin because it only allows to define a single CRL File.
>> I have done a quick change that enables a comma separated list of CRLs.
>> Here is the change. Can someone review it and if it's ok add it to the official source code?
>> [...]
>> Best Regards,
>> Claude
>>
>> 2016-09-30 15:14 GMT+02:00 Claude Libois:
>>> Hi,
>>> [...]
Re: How to use multiple CRL with WSS4J ?
Found that it was not possible with Merlin because it only allows to define a single CRL File. I have done a quick change that enables a comma separated list of CRLs. Here is the change. Can someone review it and if it's ok add it to the official source code?

    //
    // Load the CRL file(s): X509_CRL_FILE may now hold a comma-separated list of locations
    //
    String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
    if (crlLocations != null) {
        // NB: trim() is applied to the whole property here, not to each entry after the split
        crlLocations = crlLocations.trim();
        String[] splitCrlLocations = crlLocations.split(",");
        List<X509CRL> crls = new ArrayList<>();
        for (String crlLocation : splitCrlLocations) {
            // loadInputStream() and getCertificateFactory() are Merlin's existing helpers
            InputStream is = loadInputStream(loader, crlLocation);
            try {
                CertificateFactory cf = getCertificateFactory();
                X509CRL crl = (X509CRL) cf.generateCRL(is);
                crls.add(crl);
            } catch (Exception e) {
                if (DO_DEBUG) {
                    LOG.debug(e.getMessage(), e);
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
            } finally {
                if (is != null) {
                    is.close();
                }
            }
        }
        // Every loaded CRL goes into the one Collection CertStore handed to the PKIX
        // validator, so it can find a CRL for each issuer in the chain
        try {
            if (provider == null || provider.length() == 0) {
                crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
            } else {
                crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls), provider);
            }
        } catch (Exception e) {
            if (DO_DEBUG) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
        }
        if (DO_DEBUG) {
            LOG.debug("The CRL " + crlLocations + " has been loaded");
        }
    }

Best Regards,
Claude

2016-09-30 15:14 GMT+02:00 Claude Libois:
> Hi,
> I got the following pki chain Root CA > Intermediate CA > Client signing certificate.
> As suggested by Colm, I have set in my truststore my Intermediate CA and my Root CA.
> However, by doing this, CRL verification doesn't work. In fact, it seems to validate my Intermediate CA against the Root CA CRL while I'm only interested to verify the client certificate.
> I'm not sure how revocation validation works but it seems to validate the CRL for every certificate (except the Root).
> However, I don't know how to specify multiple CRLs in WSS4J or if it is possible to merge 2 CRL files into a common one?
> I have provided 2 logs. The first one with the Intermediate CA CRL. We can see that validation of the Intermediate CA against the Root CRL failed since it's not provided.
> The second one is with the Root CA CRL. Intermediate CA validation succeeds but the signing certificate then failed...
>
> Best Regards,
> Claude


/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.wss4j.common.crypto;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import