Yes, please do a pull request, or create a JIRA and attach the diff there.

Colm.

On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <[email protected]> wrote:
> Ok, found your GitHub. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois <[email protected]>:
>
>> New version with the trim() correctly done after the split, not before...
>>
>> 2016-09-30 16:04 GMT+02:00 Claude Libois <[email protected]>:
>>
>>> Found that it was not possible with Merlin because it only allows defining
>>> a single CRL file.
>>> I have made a quick change that enables a comma-separated list of CRLs.
>>> Here is the change. Can someone review it and, if it's OK, add it to the
>>> official source code?
>>>
>>>     //
>>>     // Load the CRL file
>>>     //
>>>     String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
>>>     if (crlLocations != null) {
>>>         crlLocations = crlLocations.trim();
>>>         String[] splittedCrlsLocation = crlLocations.split(",");
>>>         List<X509CRL> crls = new ArrayList<>();
>>>         for (String crlLocation : splittedCrlsLocation) {
>>>             InputStream is = loadInputStream(loader, crlLocation);
>>>
>>>             try {
>>>                 CertificateFactory cf = getCertificateFactory();
>>>                 X509CRL crl = (X509CRL) cf.generateCRL(is);
>>>                 crls.add(crl);
>>>             } catch (Exception e) {
>>>                 if (DO_DEBUG) {
>>>                     LOG.debug(e.getMessage(), e);
>>>                 }
>>>                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>>             } finally {
>>>                 if (is != null) {
>>>                     is.close();
>>>                 }
>>>             }
>>>         }
>>>         try {
>>>             if (provider == null || provider.length() == 0) {
>>>                 crlCertStore =
>>>                     CertStore.getInstance(
>>>                         "Collection",
>>>                         new CollectionCertStoreParameters(crls)
>>>                     );
>>>             } else {
>>>                 crlCertStore =
>>>                     CertStore.getInstance(
>>>                         "Collection",
>>>                         new CollectionCertStoreParameters(crls),
>>>                         provider
>>>                     );
>>>             }
>>>         } catch (Exception e) {
>>>             if (DO_DEBUG) {
>>>                 LOG.debug(e.getMessage(), e);
>>>             }
>>>             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>>         }
>>>         if (DO_DEBUG) {
>>>             LOG.debug(
>>>                 "The CRL " + crlLocations + " has been loaded"
>>>             );
>>>         }
>>>     }
>>>
>>> Best Regards,
>>> Claude
>>>
>>> 2016-09-30 15:14 GMT+02:00 Claude Libois <[email protected]>:
>>>
>>>> Hi,
>>>> I have the following PKI chain: Root CA > Intermediate CA > Client signing
>>>> certificate.
>>>> As suggested by Colm, I have set in my truststore my Intermediate CA and
>>>> my Root CA.
>>>> However, by doing this, CRL verification doesn't work. In fact, it
>>>> seems to validate my Intermediate CA against the Root CA CRL while I'm only
>>>> interested in verifying the client certificate.
>>>> I'm not sure how revocation validation works, but it seems to validate
>>>> the CRL for every certificate (except the Root).
>>>> However, I don't know how to specify multiple CRLs in WSS4J or if it is
>>>> possible to merge 2 CRL files into a common one?
>>>> I have provided 2 logs. The first one is with the Intermediate CA CRL. We
>>>> can see that validation of the Intermediate CA against the Root CRL failed
>>>> since it's not provided.
>>>> The second one is with the Root CA CRL. Intermediate CA validation
>>>> succeeds but the signing certificate then fails...
>>>>
>>>> Best Regards,
>>>> Claude
>>>>
>>>
>>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
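The behaviour Claude runs into in the first message (revocation is checked for every certificate in the chain except the trust anchor, and each certificate is checked against a CRL issued by its own issuer) is the standard PKIX rule, and it is why a Root CA > Intermediate CA > Client chain needs both the Root CA's CRL and the Intermediate CA's CRL loaded, whichever certificate the application actually cares about. Java's CertPathValidator selects CRLs from the CertStore by issuer name in the same way, which is what the multi-CRL CertStore in the quoted change feeds it. The Go program below is an added illustration of that rule, not code from WSS4J or from this thread: it builds the three-certificate chain and one CRL per CA with the standard library (all names, serial numbers and validity windows are constructed for the example), then applies the per-issuer lookup under the configurations the two logs describe, with both CRLs loaded, and with the client's serial listed in the Intermediate CA's CRL. Path building and signature validation of the chain itself are assumed already done; the example isolates the revocation step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: the chain and CRLs below are constructed fixtures, not real input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// entity pairs a certificate with the private key that signs under it.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newEntity issues a certificate for a fresh P-256 key, self-signed when parent is nil.
func newEntity(serial int64, cn string, usage x509.KeyUsage, parent *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0, KeyUsage: usage,
	}
	if parent == nil {
		parent = &entity{cert: tmpl, key: key} // self-signed trust anchor
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &entity{cert: must(x509.ParseCertificate(der)), key: key}
}

// newCRL signs a CRL under issuer listing the given serial numbers as revoked.
func newCRL(issuer *entity, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key))
	return must(x509.ParseRevocationList(der))
}

// checkRevocation applies the PKIX rule the thread runs into: walking from the trust anchor
// down, every certificate except the anchor is checked against a CRL signed by its own
// issuer, so crls (the role of Merlin's crlCertStore) needs one CRL per issuing CA.
func checkRevocation(chain []*x509.Certificate, crls []*x509.RevocationList) error {
	pool := map[string]*x509.RevocationList{} // CRLs indexed by DER issuer name
	for _, c := range crls {
		pool[string(c.RawIssuer)] = c
	}
	for i := len(chain) - 2; i >= 0; i-- { // chain is leaf first, trust anchor last
		cert, issuer := chain[i], chain[i+1]
		crl, ok := pool[string(cert.RawIssuer)]
		if !ok {
			return fmt.Errorf("no CRL from %q loaded: revocation status of %q undetermined", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL from %q rejected: %w", issuer.Subject.CommonName, err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %v) is revoked", cert.Subject.CommonName, cert.SerialNumber)
			}
		}
	}
	return nil
}

// Scenario builds Root CA > Intermediate CA > Client with one CRL per CA and runs
// checkRevocation in the configurations of the thread's two logs, then the working ones.
func Scenario() map[string]error {
	root := newEntity(1, "Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil) // a CRL issuer needs cRLSign
	inter := newEntity(2, "Intermediate CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root)
	client := newEntity(3, "Client", x509.KeyUsageDigitalSignature, inter)
	chain := []*x509.Certificate{client.cert, inter.cert, root.cert} // path already built and verified
	rootCRL, interCRL := newCRL(root), newCRL(inter)                 // root's CRL covers inter, inter's covers client
	return map[string]error{
		"Intermediate CA CRL only":  checkRevocation(chain, []*x509.RevocationList{interCRL}),
		"Root CA CRL only":          checkRevocation(chain, []*x509.RevocationList{rootCRL}),
		"both CRLs":                 checkRevocation(chain, []*x509.RevocationList{rootCRL, interCRL}),
		"both CRLs, client revoked": checkRevocation(chain, []*x509.RevocationList{rootCRL, newCRL(inter, 3)}),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-26s: %v\n", name, err)
	}
}
```

Running it prints one line per configuration: the two single-CRL runs stop at the certificate whose issuer has no CRL in the pool, which is the same pair of failures the two logs show, the run with both CRLs passes, and the last run reports the revoked client. The lookup key is the issuer name, so concatenating two CRL files into one PEM would not help unless the loader splits them back into separate CRL objects; a CertStore (or the pool here) holding one CRL object per issuing CA is what the validator needs.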
