Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using individual certs stored in the truststore, the intermediate cert must have the issuing cert stored as part of the certificate chain entry.
Colm. On Tue, Apr 7, 2015 at 1:02 PM, <[email protected]> wrote: > Colm – > > > > That is the case, at least I thought it was. The truststore has certs for > the issuer, intermediate, and root CA, plus a few other miscellaneous > certs. I’ll run it through the debugger later this morning and see what > turns up. > > > > *Stephen W. Chappell* > > > > *From:* Colm O hEigeartaigh [mailto:[email protected]] > *Sent:* Tuesday, April 07, 2015 7:59 AM > *To:* Chappell, Stephen CTR (FAA) > *Cc:* [email protected] > *Subject:* Re: Using a custom CertPathChecker > > > > "getX509Certificates" calls "getCertificates" which (first) calls > "getCertificateChain" on the keystore. Your intermediate CA should have the > issuing CA certs stored as part of the entry in the keystore/truststore. Is > this not the case? Can you debug into getCertificates() and find out why it > is only returning a single cert? > > Colm. > > > > On Fri, Apr 3, 2015 at 3:34 PM, <[email protected]> wrote: > > Colm - > > While I was mucking around in Merlin, I noted that in the "second step" > section of verifyTrust, only the immediate issuer of the cert to be checked > is added to the cert path (at least in my case, when getX509Certificates > only returns a single cert rather than a cert chain). I have a requirement > to validate all the certs in the cert path, which in my case has an > additional intermediate before getting to the trust anchor. I'm able to > loop there and get everything into the cert path, which seems to get > everything revocation checked so that is good. But I was curious why only > the immediate issuer was added to begin with - is there some issue I should > be considering that I'm not? > > There's also an open question (or rather, open disagreement) about > revocation checking the Root CA cert, but this list is probably not the > right place for that discussion. > > Stephen W. Chappell > > -----Original Message----- > > From: Chappell, Stephen CTR (FAA) > Sent: Friday, April 03, 2015 9:56 AM > To: [email protected]; [email protected] > Subject: RE: Using a custom CertPathChecker > > Colm - > > No, I don't have any better suggestions. In fact, subclassing Merlin and > adding a method to configure additional PKIX parameters is exactly what I > did. > > Thanx, > Stephen W. Chappell > > -----Original Message----- > From: Colm O hEigeartaigh [mailto:[email protected]] > Sent: Friday, April 03, 2015 9:47 AM > To: [email protected] > Subject: Re: Using a custom CertPathChecker > > Hi Stephen, > > There is no way to add CertPathCheckers at the moment, beyond subclassing > Merlin and overriding the "verifyTrust" method. I could add a method to > customize the PKIXParameters object though, that could be overridden by a > subclass though which would be better. Or do you have any other suggestions? > > Colm. > > On Tue, Mar 24, 2015 at 8:11 PM, <[email protected]> wrote: > > > I have a requirement to use a custom CertPathChecker in my code. With > > "bare" JVM, I can add the checker to my PKIXParameters and validate away. > > But, using Merlin (in WSS4J 1.6.17), there don't appear to be any > > hooks to add a custom checker or customize the PKIXParameters that are > being used. > > Is there some other means for adding a custom checker to the list that > > isn't so obvious? I could subclass Merlin and sort of brute force it > > in if necessary, but if there's another way to set that up I would > > much rather do that. > > > > Stephen W. Chappell > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > > > > > -- > > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
