Thanks for the answer, Is there something like wss.subject.cert.constraints that could add a constraint on the issuer DN ? Best Regards, Claude
2016-09-30 12:04 GMT+02:00 Colm O hEigeartaigh <[email protected]>: > I think the best way to proceed is to have both the root and intermediate > CA in the truststore. Then override the SignatureTrustValidator in WSS4J to > specify a constraint on the Issuer DN of the certificate (after validating > the cert path as normal), to make sure that it's the Intermediate > Certificate that's the Issuer and not the root cert. > > Colm. > > On Fri, Sep 30, 2016 at 10:36 AM, Claude Libois <[email protected]> > wrote: > > > Ok I have checked the RFC3280 http://www.ietf.org/rfc/rfc3280.txt which > > defined the algorithm implemented by the SUN provider. > > So we have a certificate path and a TrustAnchors which must respect the > > following constraints: > > > > (a) for all x in {1, ..., n-1}, the subject of certificate x is > > the issuer of certificate x+1; > > *(b) certificate 1 is issued by the trust anchor;* > > (c) certificate n is the certificate to be validated; and > > > > (d) for all x in {1, ..., n}, the certificate was valid at the > > time in question. > > > > The problem is the point b. I have noticed that in the certificate path > I > > have the Intermediate CA as certificate 1 and the client certificate as > > certificate 2. In my trust anchor set I got the Intermediate CA. > > The problem is that as , the Intermediate CA is not self-signed, b is not > > true. > > While debugging the Merlin classe I have removed the Intermediate CA from > > the path and then everything works fine. I'm using WSS4J 2.0.4 and don't > > know if there is a way to fix this by a configuration or a bug(not sure > > it's one) fix ? > > Best Regards, > > Claude > > > > > > > > 2016-09-29 15:31 GMT+02:00 Claude Libois <[email protected]>: > > > > > With the debug info I get: > > > certpath: PKIXCertPathValidator.engineValidate()... > > > certpath: AdaptableX509CertSelector.match: subject key IDs don't > match. > > > *Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, > > -80, > > > 81, -87, 81, -36, 108, -3, -6, 28] * > > > > > > *Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, > > > -87, -122, -61, -48, -111, -30, -80, 80, -99]* > > > *certpath: NO - don't try this trustedCert* > > > > > > The first one(Expected) is the root CA and the second one(Cert's) is > the > > > intermediate CA. > > > So it expect that both key identifier are same. I guess to check if > it's > > a > > > self-signed ? > > > BTW I'm using java 8. > > > Best Regards, > > > Claude > > > > > > 2016-09-29 15:02 GMT+02:00 Claude Libois <[email protected]>: > > > > > >> Well unfortunately that doesn't work. I have debug till Merlin crypto > > >> java file and saw that everything looks fine(chain path to check with > > >> client cert+intermediate CA and trust anchor on intermediate CA). > > However > > >> the validator seems to have a problem with this and since it's sun > code > > >> it's a bit harder to find why. > > >> * if (provider == null || provider.length() == 0) {* > > >> * validator = CertPathValidator.getInstance("PKIX");* > > >> * } else {* > > >> * validator = CertPathValidator.getInstance("PKIX", > > >> provider);* > > >> * }* > > >> * validator.validate(path, param);* > > >> I have decompiled some classe but can't debug since it's part of > rt.jar. > > >> I have enable the *-Djava.security.debug* and hope I will get usefull > > >> info... > > >> Claude > > >> > > >> 2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected] > >: > > >> > > >>> 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>: > > >>> > Hello, > > >>> > This problem might be more related to how java validate certificate > > >>> but I > > >>> > give a try here. > > >>> > My client certificate chain is Root CA>Intermediate CA> client > Cert. > > >>> > I wish to only trust certificate coming from Intermediate CA and > not > > >>> the > > >>> > Root CA. > > >>> > However, I have noticed that the PKI validator(which is the default > > >>> one) > > >>> > called by the Merlin failed to validate : > > >>> > *Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: > > >>> Error > > >>> > during certificate path validation: Path does not chain with any of > > the > > >>> > trust anchors* > > >>> > * at > > >>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx > > >>> y.java:160)* > > >>> > * at com.sun.proxy.$Proxy34.submit(Unknown Source)* > > >>> > * at > > >>> > client.OffresEmploiClientSigning.doCall(OffresEmploiClientSi > > >>> gning.java:87)* > > >>> > * at > > >>> > client.OffresEmploiClientSigning.main(OffresEmploiClientSign > > >>> ing.java:65)* > > >>> > * at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)* > > >>> > * at > > >>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce > > >>> ssorImpl.java:57)* > > >>> > * at > > >>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe > > >>> thodAccessorImpl.java:43)* > > >>> > * at java.lang.reflect.Method.invoke(Method.java:606)* > > >>> > * at com.intellij.rt.execution.application.AppMain.main(AppMain.j > > >>> ava:120)* > > >>> > *Caused by: org.apache.cxf.binding.soap.SoapFault: Error during > > >>> certificate > > >>> > path validation: Path does not chain with any of the trust anchors* > > >>> > * at > > >>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce > > >>> ptor.unmarshalFault(Soap11FaultInInterceptor.java:86)* > > >>> > * at > > >>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce > > >>> ptor.handleMessage(Soap11FaultInInterceptor.java:52)* > > >>> > * at > > >>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce > > >>> ptor.handleMessage(Soap11FaultInInterceptor.java:41)* > > >>> > * at > > >>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase > > >>> InterceptorChain.java:307)* > > >>> > * at > > >>> > org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserv > > >>> er.onMessage(AbstractFaultChainInitiatorObserver.java:113)* > > >>> > * at > > >>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto > > >>> r.handleMessage(CheckFaultInterceptor.java:69)* > > >>> > * at > > >>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto > > >>> r.handleMessage(CheckFaultInterceptor.java:34)* > > >>> > * at > > >>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase > > >>> InterceptorChain.java:307)* > > >>> > * at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java > > >>> :802)* > > >>> > * at > > >>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea > > >>> m.handleResponseInternal(HTTPConduit.java:1645)* > > >>> > * at > > >>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea > > >>> m.handleResponse(HTTPConduit.java:1533)* > > >>> > * at > > >>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea > > >>> m.close(HTTPConduit.java:1336)* > > >>> > * at > > >>> > org.apache.cxf.transport.AbstractConduit.close(AbstractCondu > > >>> it.java:56)* > > >>> > * at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit. > > >>> java:652)* > > >>> > * at > > >>> > org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS > > >>> enderEndingInterceptor.handleMessage(MessageSenderInterceptor.java: > > 62)* > > >>> > * at > > >>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase > > >>> InterceptorChain.java:307)* > > >>> > * at org.apache.cxf.endpoint.ClientImpl.doInvoke( > > ClientImpl.java:516)* > > >>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl. > java:425)* > > >>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl. > java:326)* > > >>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl. > java:279)* > > >>> > * at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.j > > >>> ava:96)* > > >>> > * at > > >>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx > > >>> y.java:138)* > > >>> > > > >>> > Is there a way to configure validation to trust non-selfsigned CA ? > > >>> > > >>> I guess that if you import only the Intermediate CA cert into your > JKS > > >>> as trusted certificate , certificate path validation doesn't > required > > >>> any more. > > >>> > > >>> > > >>> > > >>> > Best Regards, > > >>> > Claude > > >>> > > >> > > >> > > > > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com >
