Ok, found your GitHub. Will do a pull request.

2016-09-30 16:19 GMT+02:00 Claude Libois <[email protected]>:
> New version with the trim() correctly done after the split, not before...
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois <[email protected]>:
>
>> Found that it was not possible with Merlin because it only allows defining
>> a single CRL file.
>> I have done a quick change that enables a comma-separated list of CRLs.
>> Here is the change. Can someone review it and, if it's ok, add it to the
>> official source code?
>>
>>     //
>>     // Load the CRL file
>>     //
>>     String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
>>     if (crlLocations != null) {
>>         crlLocations = crlLocations.trim();
>>         String[] splittedCrlsLocation = crlLocations.split(",");
>>         List<X509CRL> crls = new ArrayList<>();
>>         for (int i = 0; i < splittedCrlsLocation.length; i++) {
>>             String crlLocation = splittedCrlsLocation[i];
>>             InputStream is = loadInputStream(loader, crlLocation);
>>
>>             try {
>>                 CertificateFactory cf = getCertificateFactory();
>>                 X509CRL crl = (X509CRL) cf.generateCRL(is);
>>                 crls.add(crl);
>>             } catch (Exception e) {
>>                 if (DO_DEBUG) {
>>                     LOG.debug(e.getMessage(), e);
>>                 }
>>                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>             } finally {
>>                 if (is != null) {
>>                     is.close();
>>                 }
>>             }
>>         }
>>         try {
>>             if (provider == null || provider.length() == 0) {
>>                 crlCertStore = CertStore.getInstance(
>>                     "Collection",
>>                     new CollectionCertStoreParameters(crls)
>>                 );
>>             } else {
>>                 crlCertStore = CertStore.getInstance(
>>                     "Collection",
>>                     new CollectionCertStoreParameters(crls),
>>                     provider
>>                 );
>>             }
>>         } catch (Exception e) {
>>             if (DO_DEBUG) {
>>                 LOG.debug(e.getMessage(), e);
>>             }
>>             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>         }
>>         if (DO_DEBUG) {
>>             LOG.debug("The CRL " + crlLocations + " has been loaded");
>>         }
>>     }
>>
>> Best Regards,
>> Claude
>>
>> 2016-09-30 15:14 GMT+02:00 Claude Libois <[email protected]>:
>>
>>> Hi,
>>> I have the following PKI chain: Root CA > Intermediate CA > Client signing
>>> certificate.
>>> As suggested by Colm, I have set in my truststore my Intermediate CA and
>>> my Root CA.
>>> However, by doing this, CRL verification doesn't work. In fact, it seems
>>> to validate my Intermediate CA against the Root CA CRL while I'm only
>>> interested in verifying the client certificate.
>>> I'm not sure how revocation validation works, but it seems to validate the
>>> CRL for every certificate (except the Root).
>>> However, I don't know how to specify multiple CRLs in WSS4J, or if it is
>>> possible to merge 2 CRL files into a common one?
>>> I have provided 2 logs. The first one is with the Intermediate CA CRL. We
>>> can see that validation of the Intermediate CA against the Root CRL failed
>>> since it's not provided.
>>> The second one is with the Root CA CRL. Intermediate CA validation
>>> succeeds but the signing certificate then fails...
>>>
>>> Best Regards,
>>> Claude
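Added example, not from this thread and not WSS4J/Merlin source: a stand-alone Java program that parses the comma-separated CRL list with the trim done after the split (as the top reply settles on), loads every CRL into one Collection CertStore, and runs the JDK PKIX path validation that Merlin delegates to, with revocation enabled. It shows why the original chain failed: PKIX wants a CRL for every certificate in the path except the trust anchor, so a Root > Intermediate > Client chain needs both the Root's CRL (covering the Intermediate) and the Intermediate's CRL (covering the Client) in the store. The certificate and CRL file paths come from the command line, and the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Hypothetical validator (example code, not WSS4J): several CRL files, one CertStore, PKIX with revocation. */
public class MultiCrlPathValidator {

    /** Split the comma-separated CRL list; trim each entry AFTER the split and drop empty entries. */
    static List<String> parseCrlLocations(String value) {
        List<String> locations = new ArrayList<>();
        if (value == null) {
            return locations;
        }
        for (String entry : value.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                locations.add(trimmed);
            }
        }
        return locations;
    }

    /** Load every CRL file into a single in-memory CertStore the PKIX validator can query. */
    static CertStore buildCrlStore(CertificateFactory cf, List<String> locations) throws Exception {
        List<X509CRL> crls = new ArrayList<>();
        for (String location : locations) {
            try (InputStream is = new FileInputStream(location)) {
                crls.add((X509CRL) cf.generateCRL(is));
            }
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream is = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(is);
        }
    }

    /**
     * Validate leaf -> intermediate against the root trust anchor. With revocation enabled,
     * PKIX looks up a CRL for every certificate in the path except the trust anchor: one
     * issued by the root (for the intermediate) and one issued by the intermediate (for the
     * leaf). If either is missing or stale, validation fails with an undetermined revocation
     * status rather than passing silently.
     */
    static PKIXCertPathValidatorResult validate(CertificateFactory cf, X509Certificate leaf,
            X509Certificate intermediate, X509Certificate root, CertStore crlStore) throws Exception {
        CertPath path = cf.generateCertPath(Arrays.asList(leaf, intermediate));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);   // the default, made explicit
        params.addCertStore(crlStore);       // where the validator finds the CRLs
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MultiCrlPathValidator client.pem intermediate.pem root.pem \"intermediate.crl, root.crl\"");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = loadCert(cf, args[0]);
        X509Certificate intermediate = loadCert(cf, args[1]);
        X509Certificate root = loadCert(cf, args[2]);
        CertStore crlStore = buildCrlStore(cf, parseCrlLocations(args[3]));
        try {
            PKIXCertPathValidatorResult result = validate(cf, leaf, intermediate, root, crlStore);
            System.out.println("Path valid; anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() separates REVOKED from UNDETERMINED_REVOCATION_STATUS (a CRL is missing)
            System.out.println("Path rejected: " + e.getMessage() + " (reason: " + e.getReason() + ")");
        }
    }
}
```

Run it once with only the Intermediate CA's CRL and once with both CRLs to reproduce the two logs from the first message: the first run is rejected because no CRL issued by the Root covers the Intermediate, the second passes. Each CRL must also be current (between its thisUpdate and nextUpdate) or the validator treats it as unusable and reports the same undetermined status.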
