"getX509Certificates" calls "getCertificates" which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?
Colm.

On Fri, Apr 3, 2015 at 3:34 PM, <[email protected]> wrote:

> Colm -
>
> While I was mucking around in Merlin, I noted that in the "second step"
> section of verifyTrust, only the immediate issuer of the cert to be checked
> is added to the cert path (at least in my case, when getX509Certificates
> only returns a single cert rather than a cert chain). I have a requirement
> to validate all the certs in the cert path, which in my case has an
> additional intermediate before getting to the trust anchor. I'm able to
> loop there and get everything into the cert path, which seems to get
> everything revocation checked so that is good. But I was curious why only
> the immediate issuer was added to begin with - is there some issue I should
> be considering that I'm not?
>
> There's also an open question (or rather, open disagreement) about
> revocation checking the Root CA cert, but this list is probably not the
> right place for that discussion.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Friday, April 03, 2015 9:56 AM
> To: [email protected]; [email protected]
> Subject: RE: Using a custom CertPathChecker
>
> Colm -
>
> No, I don't have any better suggestions. In fact, subclassing Merlin and
> adding a method to configure additional PKIX parameters is exactly what I
> did.
>
> Thanx,
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Friday, April 03, 2015 9:47 AM
> To: [email protected]
> Subject: Re: Using a custom CertPathChecker
>
> Hi Stephen,
>
> There is no way to add CertPathCheckers at the moment, beyond subclassing
> Merlin and overriding the "verifyTrust" method. I could add a method to
> customize the PKIXParameters object though, that could be overridden by a
> subclass, which would be better. Or do you have any other suggestions?
>
> Colm.
>
> On Tue, Mar 24, 2015 at 8:11 PM, <[email protected]> wrote:
>
> > I have a requirement to use a custom CertPathChecker in my code. With
> > "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> > But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> > hooks to add a custom checker or customize the PKIXParameters that are
> > being used.
> > Is there some other means for adding a custom checker to the list that
> > isn't so obvious? I could subclass Merlin and sort of brute force it
> > in if necessary, but if there's another way to set that up I would
> > much rather do that.
> >
> > Stephen W. Chappell
> >
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
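The following is an added example and not code from WSS4J, Merlin, or Stephen's subclass. It shows, with plain JDK APIs, the two things the thread is about: building the full leaf-to-anchor cert path when the store hands back a single cert instead of a chain (the `getCertificateChain` point Colm raises, which only returns a chain for key entries, never for trusted-certificate entries), and attaching a custom `PKIXCertPathChecker` through `PKIXParameters`. Assumptions: a JKS truststore whose trusted-certificate entries are the trust anchors and whose other entries hold the intermediates; the cert to validate is read from a DER/PEM file as it would arrive in a message; the 2048-bit minimum RSA key size is a hypothetical policy used only to make the checker concrete.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class FullChainPkixValidation {

    /** Hypothetical custom checker: reject any RSA key in the path shorter than minBits. */
    static final class MinRsaKeySizeChecker extends PKIXCertPathChecker {
        private final int minBits;
        MinRsaKeySizeChecker(int minBits) { this.minBits = minBits; }
        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; }
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            if (cert.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
                if (bits < minBits) throw new CertPathValidatorException(
                        bits + "-bit RSA key in " + ((X509Certificate) cert).getSubjectX500Principal());
            }
        }
    }

    /** Trusted-certificate entries (not key entries) are the anchors. */
    static Set<TrustAnchor> trustAnchors(KeyStore store) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (store.isCertificateEntry(alias))
                anchors.add(new TrustAnchor((X509Certificate) store.getCertificate(alias), null));
        }
        return anchors;
    }

    /** Name match alone is not enough: the candidate issuer must actually have signed cert. */
    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try { cert.verify(issuer.getPublicKey()); return true; } catch (Exception ex) { return false; }
    }

    static boolean issuedByAnchor(X509Certificate cert, Set<TrustAnchor> anchors) {
        for (TrustAnchor a : anchors)
            if (a.getTrustedCert() != null && signedBy(cert, a.getTrustedCert())) return true;
        return false;
    }

    static boolean isAnchorCert(X509Certificate x, Set<TrustAnchor> anchors) {
        for (TrustAnchor a : anchors) if (x.equals(a.getTrustedCert())) return true;
        return false;
    }

    static String findIssuerAlias(X509Certificate cert, KeyStore store) throws Exception {
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = store.getCertificate(alias);   // first cert of the chain for key entries
            if (c instanceof X509Certificate && signedBy(cert, (X509Certificate) c)) return alias;
        }
        return null;
    }

    /** Leaf-first path up to, but excluding, the trust anchor; every intermediate is included. */
    static List<X509Certificate> buildPath(X509Certificate leaf, KeyStore store, Set<TrustAnchor> anchors)
            throws Exception {
        List<X509Certificate> path = new ArrayList<>(Collections.singletonList(leaf));
        Set<X509Certificate> seen = new HashSet<>(path);
        while (true) {
            X509Certificate top = path.get(path.size() - 1);
            if (issuedByAnchor(top, anchors)) return path;
            if (top.getSubjectX500Principal().equals(top.getIssuerX500Principal()))
                throw new CertPathValidatorException("untrusted self-signed cert " + top.getSubjectX500Principal());
            String alias = findIssuerAlias(top, store);
            if (alias == null)
                throw new CertPathValidatorException("no issuer in store for " + top.getSubjectX500Principal());
            // getCertificateChain returns the stored chain only for key entries; for a
            // trusted-certificate entry it is null, so we get exactly one cert and keep walking.
            Certificate[] chain = store.getCertificateChain(alias);
            if (chain == null) chain = new Certificate[] { store.getCertificate(alias) };
            int before = path.size();
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                if (isAnchorCert(x, anchors)) break;       // the root stays out of the CertPath
                if (!seen.add(x)) throw new CertPathValidatorException("cycle at " + x.getSubjectX500Principal());
                path.add(x);
            }
            if (path.size() == before) throw new CertPathValidatorException("chain did not advance");
        }
    }

    static PKIXCertPathValidatorResult validate(List<X509Certificate> path, Set<TrustAnchor> anchors,
                                                PKIXCertPathChecker custom) throws Exception {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);   // applies to every cert in the path, never to the anchor
        params.addCertPathChecker(custom);   // the hook the thread is missing in Merlin 1.6.17
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    /** Usage (assumed): java FullChainPkixValidation truststore.jks changeit received.cer */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        X509Certificate leaf;
        try (InputStream in = new FileInputStream(args[2])) {
            leaf = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Set<TrustAnchor> anchors = trustAnchors(ks);
        List<X509Certificate> path = buildPath(leaf, ks, anchors);
        PKIXCertPathValidatorResult r = validate(path, anchors, new MinRsaKeySizeChecker(2048));
        System.out.println("validated " + path.size() + " cert(s) up to anchor "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Two caveats a practitioner should keep in mind. With `setRevocationEnabled(true)` the JDK validator only has something to check if CRLs or OCSP responses are reachable, which means either adding a `CertStore` of CRLs to the parameters or turning on fetching via the `com.sun.security.enableCRLDP` system property and the `ocsp.enable` security property; otherwise validation fails with a "could not determine revocation status" error rather than silently passing. And because the trust anchor is never part of the `CertPath`, the PKIX validator never revocation-checks it, which is the standard behaviour behind the "open disagreement" about checking the Root CA cert mentioned in the thread: if that is a requirement, it has to be done outside the path validation.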
