Well, unfortunately that doesn't work. I have debugged down to the Merlin crypto Java
file and saw that everything looks fine (chain path to check with client
cert + intermediate CA and trust anchor on intermediate CA). However, the
validator seems to have a problem with this, and since it's Sun code it's a
bit harder to find out why.
            if (provider == null || provider.length() == 0) {
                validator = CertPathValidator.getInstance("PKIX");
            } else {
                validator = CertPathValidator.getInstance("PKIX", provider);
            }
            validator.validate(path, param);
I have decompiled some classes but can't debug since it's part of rt.jar. I
have enabled -Djava.security.debug and hope I will get useful info...
Claude

2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected]>:

> 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>:
> > Hello,
> > This problem might be more related to how Java validates certificates, but I'll
> > give it a try here.
> > My client certificate chain is Root CA > Intermediate CA > client cert.
> > I wish to only trust certificates coming from the Intermediate CA and not the
> > Root CA.
> > However, I have noticed that the PKI validator (which is the default one)
> > called by Merlin failed to validate:
> > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Error during certificate path validation: Path does not chain with any of the trust anchors
> >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
> >     at com.sun.proxy.$Proxy34.submit(Unknown Source)
> >     at client.OffresEmploiClientSigning.doCall(OffresEmploiClientSigning.java:87)
> >     at client.OffresEmploiClientSigning.main(OffresEmploiClientSigning.java:65)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> > Caused by: org.apache.cxf.binding.soap.SoapFault: Error during certificate path validation: Path does not chain with any of the trust anchors
> >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
> >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
> >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> >     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
> >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
> >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> >     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
> >     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> >     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
> >     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
> >
> > Is there a way to configure validation to trust a non-self-signed CA?
>
> I guess that if you import only the Intermediate CA cert into your JKS
> as a trusted certificate, certificate path validation isn't required
> any more.
>
>
>
> > Best Regards,
> > Claude
>
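The PKIX validation that Merlin delegates to in the snippet at the top of the thread, reproduced stand-alone so the trust-anchor matching can be observed directly. This is an added example, not code from the thread or from WSS4J/CXF; it assumes PEM files named client.pem and intermediate-ca.pem holding the client certificate and the Intermediate CA certificate from the chain described above. Sun's PKIX validator only tries anchors whose subject matches the issuer of the certificate nearest the anchor end of the path, so a path that carries the anchor certificate itself is rejected with exactly the "Path does not chain with any of the trust anchors" message quoted above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class IntermediateAnchorCheck {

    // Assumed file names: PEM-encoded certificates of the chain in the thread.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Same validator call as the Merlin snippet, with the Intermediate CA as the
    // only trust anchor; returns the outcome instead of throwing.
    static String validate(List<X509Certificate> path, X509Certificate anchorCert) throws Exception {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(anchorCert, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP lookup in this offline check
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            return "FAILED (" + e.getReason() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate client = load("client.pem");
        X509Certificate intermediate = load("intermediate-ca.pem");

        // Path ends at the certificate issued by the anchor; the anchor itself is
        // not part of the path (RFC 5280 section 6.1), so this is expected to pass.
        System.out.println("[client] anchored at intermediate: "
                + validate(Collections.singletonList(client), intermediate));

        // Path also carries the Intermediate CA certificate: the validator looks for
        // an anchor whose subject is that certificate's issuer (the Root CA), finds
        // none, and reports NO_TRUST_ANCHOR.
        System.out.println("[client, intermediate] anchored at intermediate: "
                + validate(Arrays.asList(client, intermediate), intermediate));
    }
}
```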
