Hi,

Under Windows, I use "certmgr.msc" to export the whole chain of a certificate.

http://windows.microsoft.com/en-US/windows-vista/View-or-manage-your-certificates

Bert

Thanx, Vishnu. I saw that, and spent most of the morning trying to build a cert 
chain that way. I started with PEM certs, cat'd them together in the correct 
order, converted them to PKCS7 with openssl crl2pkcs7, and imported the pkcs7 
with keytool. In every case, keytool only imported one cert, not the whole 
chain. Maybe this is a Java issue (I'm using Java 6), but the man page says it 
should work. It also says that if you import a cert with a private key, that 
it'll build a cert chain ... when I tried that with a server cert I had, it 
built a cert chain of length 1 instead of 3. That's when I posted the question.

Stephen W. Chappell

-----Original Message-----
From: Vishnu Radhakrishnan [mailto:[email protected]]
Sent: Tuesday, April 07, 2015 10:28 AM
To: [email protected]; [email protected]
Subject: Re: Using a custom CertPathChecker

From the keytool man page: it imports a certificate chain if the input is given in
PKCS#7 format; otherwise only the single certificate is imported. You should be 
able to convert certificates to PKCS#7 format with openssl, via the openssl 
crl2pkcs7 command.


On 2015-04-07, 10:17, "[email protected]"
<[email protected]> wrote:

Colm -

This seems like it should be easier than it is, but can you point me to
a resource for properly building a truststore with a certificate chain?
I have separate keystores and trust stores for the STS, and the
truststore should have a chain something like:

Root CA >>> Intermediate CA >>> Issuing CA

I had thought that if I added them with keytool in the right order,
that keytool would establish a cert chain. Instead it just adds them as
individual certificates with no cert chain to be found.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Tuesday, April 07, 2015 8:21 AM
To: [email protected]
Cc: [email protected]
Subject: RE: Using a custom CertPathChecker

Well, that must be the issue. I just ran it through the debugger, and
getCertificateChain is returning null each time. I've added code in my
subclassed Merlin to be able to walk up the tree, but it'd be more
efficient if the truststore was built properly, so I'll try to figure
that out.

Stephen W. Chappell

From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Tuesday, April 07, 2015 8:12 AM
To: Chappell, Stephen CTR (FAA)
Cc: [email protected]
Subject: Re: Using a custom CertPathChecker

Ok cool. Just bear in mind that WSS4J won't wire up the trust chain
using individual certs stored in the truststore, the intermediate cert
must have the issuing cert stored as part of the certificate chain entry.
Colm.

On Tue, Apr 7, 2015 at 1:02 PM,
<[email protected]<mailto:[email protected]>> wrote:
Colm -

That is the case, at least I thought it was. The truststore has certs
for the issuer, intermediate, and root CA, plus a few other
miscellaneous certs. I'll run it through the debugger later this
morning and see what turns up.

Stephen W. Chappell

From: Colm O hEigeartaigh
[mailto:[email protected]<mailto:[email protected]>]
Sent: Tuesday, April 07, 2015 7:59 AM
To: Chappell, Stephen CTR (FAA)
Cc: [email protected]<mailto:[email protected]>
Subject: Re: Using a custom CertPathChecker

"getX509Certificates" calls "getCertificates" which (first) calls
"getCertificateChain" on the keystore. Your intermediate CA should have
the issuing CA certs stored as part of the entry in the
keystore/truststore. Is this not the case? Can you debug into
getCertificates() and find out why it is only returning a single cert?
Colm.

On Fri, Apr 3, 2015 at 3:34 PM,
<[email protected]<mailto:[email protected]>> wrote:
Colm -

While I was mucking around in Merlin, I noted that in the "second step"
section of verifyTrust, only the immediate issuer of the cert to be
checked is added to the cert path (at least in my case, when
getX509Certificates only returns a single cert rather than a cert chain).
I have a requirement to validate all the certs in the cert path, which
in my case has an additional intermediate before getting to the trust
anchor. I'm able to loop there and get everything into the cert path,
which seems to get everything revocation checked so that is good. But I
was curious why only the immediate issuer was added to begin with - is
there some issue I should be considering that I'm not?

There's also an open question (or rather, open disagreement) about
revocation checking the Root CA cert, but this list is probably not the
right place for that discussion.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Friday, April 03, 2015 9:56 AM
To: [email protected]<mailto:[email protected]>;
[email protected]<mailto:[email protected]>
Subject: RE: Using a custom CertPathChecker

Colm -

No, I don't have any better suggestions. In fact, subclassing Merlin
and adding a method to configure additional PKIX parameters is exactly
what I did.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh
[mailto:[email protected]<mailto:[email protected]>]
Sent: Friday, April 03, 2015 9:47 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond
subclassing Merlin and overriding the "verifyTrust" method. I could add
a method to customize the PKIXParameters object that could be
overridden by a subclass, though, which would be better. Or do you have
any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM,
<[email protected]<mailto:[email protected]>> wrote:

I have a requirement to use a custom CertPathChecker in my code. With
"bare" JVM, I can add the checker to my PKIXParameters and validate
away.
But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
hooks to add a custom checker or customize the PKIXParameters that are
being used.
Is there some other means for adding a custom checker to the list
that isn't so obvious? I could subclass Merlin and sort of brute
force it in if necessary, but if there's another way to set that up I
would much rather do that.

Stephen W. Chappell



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
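Added example, not code from this thread, from WSS4J or from Merlin: the path building and per-certificate checking the thread is about, written in Go against crypto/x509 because that library can mint a throwaway Root CA >>> Intermediate CA >>> Issuing CA >>> leaf hierarchy offline, with no certificate files to ship. The trust anchor and the two CAs below it are handed to the validator as separate, unlinked certificates, which is all a keystore of trustedCertEntry items can provide (KeyStore.getCertificateChain returns null for such entries; only a PrivateKeyEntry carries a chain), and the path builder links them by issuer name and signature itself. The CertChecker callback stands in for a PKIXCertPathChecker and is run over every certificate in the built path, the anchor included. Every name in the block (Test Root CA, sts.example.test, the function names) is constructed for the example. The JDK counterpart of the same arrangement is CertPathBuilder with PKIXBuilderParameters: the anchor as a TrustAnchor, the intermediates supplied through a "Collection" CertStore, and the checker registered with addCertPathChecker.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a one-day certificate for cn, signed by parent/parentKey or
// self-signed when parent is nil. Test fixture: it panics instead of returning errors.
func issue(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ku&x509.KeyUsageCertSign != 0, // CA iff it may sign certs
		KeyUsage:              ku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Hierarchy is the constructed Root CA >>> Intermediate CA >>> Issuing CA >>> leaf.
type Hierarchy struct{ Root, Intermediate, Issuing, Leaf *x509.Certificate }

func BuildHierarchy() *Hierarchy {
	root, rootKey := issue(1, "Test Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := issue(2, "Test Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	issuing, issuingKey := issue(3, "Test Issuing CA", x509.KeyUsageCertSign, inter, interKey)
	leaf, _ := issue(4, "sts.example.test", x509.KeyUsageDigitalSignature, issuing, issuingKey)
	return &Hierarchy{root, inter, issuing, leaf}
}

// CertChecker plays the role of a PKIXCertPathChecker: it runs once for every
// certificate in the built path, trust anchor included, and may reject it.
type CertChecker func(c *x509.Certificate) error

// VerifyPath builds and validates the path from leaf up to one of the anchors.
// Anchors and intermediates arrive as plain, unlinked certificates (as in a
// truststore of trustedCertEntry items); the builder links them. Returns the path length.
func VerifyPath(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate, check CertChecker) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err // no path to an anchor, e.g. an intermediate is missing
	}
	for _, c := range chains[0] {
		if err := check(c); err != nil {
			return 0, fmt.Errorf("%q rejected: %w", c.Subject.CommonName, err)
		}
	}
	return len(chains[0]), nil
}

// AcceptAll is the no-op checker.
func AcceptAll(*x509.Certificate) error { return nil }

// RejectSubject vetoes one common name; aimed at the root it proves the anchor is visited.
func RejectSubject(cn string) CertChecker {
	return func(c *x509.Certificate) error {
		if c.Subject.CommonName == cn {
			return fmt.Errorf("subject %q is not allowed", cn)
		}
		return nil
	}
}

func main() {
	h := BuildHierarchy()
	anchor, all := []*x509.Certificate{h.Root}, []*x509.Certificate{h.Intermediate, h.Issuing}
	fmt.Println(VerifyPath(h.Leaf, anchor, all, AcceptAll))                            // 4 <nil>
	fmt.Println(VerifyPath(h.Leaf, anchor, []*x509.Certificate{h.Issuing}, AcceptAll)) // 0 and an unknown-authority error
	fmt.Println(VerifyPath(h.Leaf, anchor, all, RejectSubject("Test Root CA")))        // 0 and the checker's error
}
```

Two things to take from running it: with only the root as anchor and both lower CAs present, the validated path has four certificates, so every CA gets checked (and, with a real checker, revocation-checked) before the anchor is reached; drop the intermediate CA from what the builder is given and validation fails outright, which is the outcome to prefer over a silently shorter path. Whether the anchor itself should be subjected to revocation checking is a policy choice; the checker hook makes it a one-line decision either way.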
