Ok I have checked the RFC3280 http://www.ietf.org/rfc/rfc3280.txt which
defined the algorithm implemented by the SUN provider.
So we have a certificate path and a TrustAnchors which must respect the
following constraints:
(a) for all x in {1, ..., n-1}, the subject of certificate x is
the issuer of certificate x+1;
*(b) certificate 1 is issued by the trust anchor;*
(c) certificate n is the certificate to be validated; and
(d) for all x in {1, ..., n}, the certificate was valid at the
time in question.
The problem is the point b. I have noticed that in the certificate path I
have the Intermediate CA as certificate 1 and the client certificate as
certificate 2. In my trust anchor set I got the Intermediate CA.
The problem is that as , the Intermediate CA is not self-signed, b is not
true.
While debugging the Merlin classe I have removed the Intermediate CA from
the path and then everything works fine. I'm using WSS4J 2.0.4 and don't
know if there is a way to fix this by a configuration or a bug(not sure
it's one) fix ?
Best Regards,
Claude
2016-09-29 15:31 GMT+02:00 Claude Libois <[email protected]>:
> With the debug info I get:
> certpath: PKIXCertPathValidator.engineValidate()...
> certpath: AdaptableX509CertSelector.match: subject key IDs don't match.
> *Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80,
> 81, -87, 81, -36, 108, -3, -6, 28] *
>
> *Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99,
> -87, -122, -61, -48, -111, -30, -80, 80, -99]*
> *certpath: NO - don't try this trustedCert*
>
> The first one(Expected) is the root CA and the second one(Cert's) is the
> intermediate CA.
> So it expect that both key identifier are same. I guess to check if it's a
> self-signed ?
> BTW I'm using java 8.
> Best Regards,
> Claude
>
> 2016-09-29 15:02 GMT+02:00 Claude Libois <[email protected]>:
>
>> Well unfortunately that doesn't work. I have debug till Merlin crypto
>> java file and saw that everything looks fine(chain path to check with
>> client cert+intermediate CA and trust anchor on intermediate CA). However
>> the validator seems to have a problem with this and since it's sun code
>> it's a bit harder to find why.
>> * if (provider == null || provider.length() == 0) {*
>> * validator = CertPathValidator.getInstance("PKIX");*
>> * } else {*
>> * validator = CertPathValidator.getInstance("PKIX",
>> provider);*
>> * }*
>> * validator.validate(path, param);*
>> I have decompiled some classe but can't debug since it's part of rt.jar.
>> I have enable the *-Djava.security.debug* and hope I will get usefull
>> info...
>> Claude
>>
>> 2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected]>:
>>
>>> 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>:
>>> > Hello,
>>> > This problem might be more related to how java validate certificate
>>> but I
>>> > give a try here.
>>> > My client certificate chain is Root CA>Intermediate CA> client Cert.
>>> > I wish to only trust certificate coming from Intermediate CA and not
>>> the
>>> > Root CA.
>>> > However, I have noticed that the PKI validator(which is the default
>>> one)
>>> > called by the Merlin failed to validate :
>>> > *Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:
>>> Error
>>> > during certificate path validation: Path does not chain with any of the
>>> > trust anchors*
>>> > * at
>>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx
>>> y.java:160)*
>>> > * at com.sun.proxy.$Proxy34.submit(Unknown Source)*
>>> > * at
>>> > client.OffresEmploiClientSigning.doCall(OffresEmploiClientSi
>>> gning.java:87)*
>>> > * at
>>> > client.OffresEmploiClientSigning.main(OffresEmploiClientSign
>>> ing.java:65)*
>>> > * at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)*
>>> > * at
>>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:57)*
>>> > * at
>>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)*
>>> > * at java.lang.reflect.Method.invoke(Method.java:606)*
>>> > * at com.intellij.rt.execution.application.AppMain.main(AppMain.j
>>> ava:120)*
>>> > *Caused by: org.apache.cxf.binding.soap.SoapFault: Error during
>>> certificate
>>> > path validation: Path does not chain with any of the trust anchors*
>>> > * at
>>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce
>>> ptor.unmarshalFault(Soap11FaultInInterceptor.java:86)*
>>> > * at
>>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce
>>> ptor.handleMessage(Soap11FaultInInterceptor.java:52)*
>>> > * at
>>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce
>>> ptor.handleMessage(Soap11FaultInInterceptor.java:41)*
>>> > * at
>>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>> InterceptorChain.java:307)*
>>> > * at
>>> > org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserv
>>> er.onMessage(AbstractFaultChainInitiatorObserver.java:113)*
>>> > * at
>>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto
>>> r.handleMessage(CheckFaultInterceptor.java:69)*
>>> > * at
>>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto
>>> r.handleMessage(CheckFaultInterceptor.java:34)*
>>> > * at
>>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>> InterceptorChain.java:307)*
>>> > * at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java
>>> :802)*
>>> > * at
>>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>> m.handleResponseInternal(HTTPConduit.java:1645)*
>>> > * at
>>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>> m.handleResponse(HTTPConduit.java:1533)*
>>> > * at
>>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>>> m.close(HTTPConduit.java:1336)*
>>> > * at
>>> > org.apache.cxf.transport.AbstractConduit.close(AbstractCondu
>>> it.java:56)*
>>> > * at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.
>>> java:652)*
>>> > * at
>>> > org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS
>>> enderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)*
>>> > * at
>>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>>> InterceptorChain.java:307)*
>>> > * at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)*
>>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)*
>>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)*
>>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)*
>>> > * at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.j
>>> ava:96)*
>>> > * at
>>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx
>>> y.java:138)*
>>> >
>>> > Is there a way to configure validation to trust non-selfsigned CA ?
>>>
>>> I guess that if you import only the Intermediate CA cert into your JKS
>>> as trusted certificate , certificate path validation doesn't required
>>> any more.
>>>
>>>
>>>
>>> > Best Regards,
>>> > Claude
>>>
>>
>>
>
