From: [email protected]
Date: Fri, 30 Sep 2016 15:42:53 +0100
Subject: Re: How to use multiple CRL with WSS4J ?
To: [email protected]
Yes please do a pull request, or create a JIRA and attach the diff there.
Colm.
On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <[email protected]> wrote:
Ok found your github. Will do a pull request.
2016-09-30 16:19 GMT+02:00 Claude Libois <[email protected]>:
New version with the trim() correctly done after the split not before...
2016-09-30 16:04 GMT+02:00 Claude Libois <[email protected]>:
Found that it was not possible with Merlin because it only allows defining a
single CRL file. I have done a quick change that enables a comma-separated list
of CRLs. Here is the change. Can someone review it and, if it's OK, add it to the
official source code?

    //
    // Load the CRL file
    //
    // The property may now hold several locations separated by commas; each one
    // is loaded as an X509CRL and all of them go into a single Collection
    // CertStore, so the validator can find a CRL for every issuer in the chain.
    String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
    if (crlLocations != null) {
        crlLocations = crlLocations.trim();
        String[] splittedCrlsLocation = crlLocations.split(",");
        List<X509CRL> crls = new ArrayList<>();
        for (int i = 0; i < splittedCrlsLocation.length; i++) {
            String crlLocation = splittedCrlsLocation[i];
            InputStream is = loadInputStream(loader, crlLocation);
            try {
                CertificateFactory cf = getCertificateFactory();
                X509CRL crl = (X509CRL)cf.generateCRL(is);
                crls.add(crl);
            } catch (Exception e) {
                if (DO_DEBUG) {
                    LOG.debug(e.getMessage(), e);
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
            } finally {
                if (is != null) {
                    is.close();
                }
            }
        }

        try {
            if (provider == null || provider.length() == 0) {
                crlCertStore = CertStore.getInstance(
                    "Collection",
                    new CollectionCertStoreParameters(crls)
                );
            } else {
                crlCertStore = CertStore.getInstance(
                    "Collection",
                    new CollectionCertStoreParameters(crls),
                    provider
                );
            }
        } catch (Exception e) {
            if (DO_DEBUG) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
        }
        if (DO_DEBUG) {
            LOG.debug(
                "The CRL " + crlLocations + " has been loaded"
            );
        }
    }
MG> Merlin.java:

    List<X509Certificate> certList = Arrays.asList(x509certs);
    CertPath path = getCertificateFactory().generateCertPath(certList);

MG> what I see from IBM:

    FileInputStream fis = new FileInputStream(filename);
    // instantiate a CertificateFactory for X.509
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    // extract the certification path from
    // the PKCS7 SignedData structure
    CertPath cp = cf.generateCertPath(fis, "PKCS7");

MG> is IBM doc incorrect?
http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/certpathDocs/certificatefactory.html
Best Regards,
Claude
2016-09-30 15:14 GMT+02:00 Claude Libois <[email protected]>:
Hi,
I got the following PKI chain: Root CA > Intermediate CA > Client signing
certificate.
As suggested by Colm, I have set in my truststore my Intermediate CA and my Root
CA.
However, by doing this, CRL verification doesn't work. In fact, it seems to
validate my Intermediate CA against the Root CA CRL while I'm only interested
in verifying the client certificate. I'm not sure how revocation validation works
but it seems to validate the CRL for every certificate (except the Root). However,
I don't know how to specify multiple CRLs in WSS4J, or if it is possible to merge 2
CRL files into a common one? I have provided 2 logs. The first one is with the
Intermediate CA CRL. We can see that validation of the Intermediate CA against the
Root CRL failed since it's not provided. The second one is with the Root CA CRL.
Intermediate CA validation succeeds but the signing certificate then fails...
Best Regards,
Claude
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
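The chain and CRL behaviour Claude describes, as an added example that is not part of this thread, of WSS4J or of Merlin. It is a POSIX shell script driving the openssl command line: it builds Root CA > Intermediate CA > client signing certificate, issues one CRL from each CA, and then verifies the client certificate with revocation checking four times. The first two runs reproduce Claude's two logs (with only the intermediate's CRL the intermediate itself cannot be checked, because that needs a CRL from the root; with only the root's CRL the client certificate cannot be checked), the third shows that concatenating the PEM CRLs into one file gives the validator a CRL from every issuer, and the fourth uses an intermediate CRL that revokes the client certificate. CA names, serial numbers, lifetimes and file names are made up, and the script assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not code from this thread or from WSS4J: rebuild the chain
# Root CA > Intermediate CA > client signing certificate with the openssl CLI,
# issue one CRL per CA, and verify the client certificate with revocation
# checking against different CRL sets. CA names, serials and lifetimes are
# made up; openssl must be on PATH.
set -eu

# Run an openssl command silently, printing its output only if it fails.
run() {
    if ! out=$("$@" 2>&1); then
        printf 'failed: %s\n%s\n' "$*" "$out" >&2
        exit 1
    fi
}

# The smallest "openssl ca" config that -gencrl and -revoke accept.
# $1 = config file to write, $2 = prefix for this CA's database files.
write_ca_config() {
    printf '[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\n' > "$1"
    printf 'database = %s-index.txt\ncrlnumber = %s-crlnumber\n' "$2" "$2" >> "$1"
    printf 'default_md = sha256\ndefault_crl_days = 30\n' >> "$1"
    : > "$2-index.txt"
    echo 01 > "$2-crlnumber"
}

# Create keys, certificates and CRLs in a fresh directory and print its path.
build_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > req.cnf
        printf '[ ca ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ext.cnf
        printf '[ leaf ]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n' >> ext.cnf
        # Root CA: self-signed trust anchor.
        run openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "/CN=Root CA" -keyout root.key -out root.csr
        run openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ext.cnf -extensions ca -out root.crt
        # Intermediate CA, issued by the root.
        run openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "/CN=Intermediate CA" -keyout inter.key -out inter.csr
        run openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 0x10 -days 365 -extfile ext.cnf -extensions ca -out inter.crt
        # Client signing certificate, issued by the intermediate.
        run openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "/CN=Client signing certificate" -keyout client.key -out client.csr
        run openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -set_serial 0x1000 -days 365 -extfile ext.cnf -extensions leaf -out client.crt
        # One (empty) CRL per issuing CA.
        write_ca_config root-ca.cnf root
        write_ca_config inter-ca.cnf inter
        run openssl ca -config root-ca.cnf -keyfile root.key -cert root.crt -gencrl -out root.crl
        run openssl ca -config inter-ca.cnf -keyfile inter.key -cert inter.crt -gencrl -out inter.crl
        # A second intermediate CRL that lists the client certificate as revoked.
        run openssl ca -config inter-ca.cnf -keyfile inter.key -cert inter.crt -revoke client.crt
        run openssl ca -config inter-ca.cnf -keyfile inter.key -cert inter.crt -gencrl -out inter-revoked.crl
    )
    echo "$dir"
}

# Validate client.crt against root.crt via inter.crt, checking revocation for
# every certificate in the chain (-crl_check_all). The CRL files named after
# the directory are concatenated into one PEM file: that is all "merging" two
# CRLs takes. Prints OK, or FAIL with openssl's first error line.
check_chain() {
    d=$1; shift
    cat "$@" > "$d/merged.crl"
    if out=$(openssl verify -CAfile "$d/root.crt" -untrusted "$d/inter.crt" \
                 -crl_check_all -CRLfile "$d/merged.crl" "$d/client.crt" 2>&1); then
        echo OK
    else
        reason=$(printf '%s\n' "$out" | grep '^error' | head -n 1)
        echo "FAIL (${reason:-$out})"
    fi
}

PKI=$(build_pki)
echo "intermediate CRL only: $(check_chain "$PKI" "$PKI/inter.crl")"
echo "root CRL only:         $(check_chain "$PKI" "$PKI/root.crl")"
echo "both CRLs:             $(check_chain "$PKI" "$PKI/root.crl" "$PKI/inter.crl")"
echo "both, client revoked:  $(check_chain "$PKI" "$PKI/root.crl" "$PKI/inter-revoked.crl")"
```

The failing runs report "unable to get certificate CRL" at depth 1 (the intermediate) or depth 0 (the client), which is the same pair of failures as Claude's two logs: the validator wants a CRL from the issuer of every certificate it checks, so one CRL file can never cover a two-level CA. The merged file is only a concatenation of PEM blocks, nothing is re-signed; the Java patch in the thread achieves the same thing by putting several X509CRL objects into one Collection CertStore.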