Martin, are you referring to the missing "PKCS7"? Merlin is designed to
work with X.509 certificates, so it doesn't apply here.
Colm.
On Fri, Sep 30, 2016 at 4:35 PM, Martin Gainty <mgai...@hotmail.com> wrote:
>
>
>
> ------------------------------
> From: cohei...@apache.org
> Date: Fri, 30 Sep 2016 15:42:53 +0100
> Subject: Re: How to use multiple CRL with WSS4J ?
> To: users@ws.apache.org
>
> Yes please do a pull request, or create a JIRA and attach the diff there.
>
> Colm.
>
> On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.w...@gmail.com>
> wrote:
>
> Ok found your github. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
>
> New version with the trim() correctly done after the split not before...
>
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
>
> Found that it was not possible with Merlin cause it only allow to define a
> single CRL File.
> I have done a quick change that enable a comma separated list of crl.
> Here is the change. Can someone review it and if it's ok add it to the
> official source code ?
> //
> // Load the CRL file
> //
> String crlLocations = properties.getProperty(prefix +
> X509_CRL_FILE);
> if (crlLocations != null) {
> crlLocations = crlLocations.trim();
> String[] splittedCrlsLocation=crlLocations.split(",");
> List<X509CRL> crls=new ArrayList();
> for (int i = 0; i < splittedCrlsLocation.length; i++) {
> String crlLocation = splittedCrlsLocation[i];
> InputStream is = loadInputStream(loader, crlLocation);
>
> try {
> CertificateFactory cf = getCertificateFactory();
> X509CRL crl = (X509CRL)cf.generateCRL(is);
> crls.add(crl);
> } catch (Exception e) {
> if (DO_DEBUG) {
> LOG.debug(e.getMessage(), e);
> }
> throw new
> WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
> "ioError00", e);
> } finally {
> if (is != null) {
> is.close();
> }
> }
> }
> try {
> if (provider == null || provider.length() == 0) {
> crlCertStore =
> CertStore.getInstance(
> "Collection",
> new CollectionCertStoreParameters(
> crls)
> );
>
> } else {
> crlCertStore =
> CertStore.getInstance(
> "Collection",
> new CollectionCertStoreParameters(
> crls),
> provider
> );
> }
> } catch (Exception e) {
> if (DO_DEBUG) {
> LOG.debug(e.getMessage(), e);
> }
> throw new
> WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
> "ioError00", e);
> }
> if (DO_DEBUG) {
> LOG.debug(
> "The CRL " + crlLocations + " has been loaded"
> );
> }
>
> MG> Merlin.java
>
> List<X509Certificate> certList = Arrays.asList(x509certs);
>
> CertPath path = getCertificateFactory().
> generateCertPath(certList);
>
> MG>what I see from IBM:
>
> FileInputStream fis = new FileInputStream(filename);
> // instantiate a CertificateFactory for X.509
> CertificateFactory cf = CertificateFactory.getInstance("X.509");
> // extract the certification path from
> // the PKCS7 SignedData structure
> CertPath cp = cf.generateCertPath(fis, "PKCS7");
>
>
> MG>is IBM doc incorrect?
>
> http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/
> com.ibm.java.security.component.71.doc/security-component/certpathDocs/
> certificatefactory.html
>
> Best Regards,
> Claude
>
> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
>
> Hi,
> I got the following pki chain Root CA>Intermediate CA>Client signing
> certificate
> A suggested by Colm, I have set in my truststore my Intermediate CA and my
> Root CA.
> However, by doing this, CRL verification doesn't work. In fact, it seems
> to validate my Intermediate CA against the Root CA crl while I'm only
> interested to verify the client certificate.
> I'm not sure how revocation validation works but it seems to validate CRL
> for every certificate(except the Root).
> However, I don't know how to specify multiple CRL in WSS4J or if it
> possible to merge 2 crl files into a common one ?
> I have provided 2 logs. The first one with the Intermediate CA CRL. We can
> see that validation of the Intermediate CA against Root CRL failed since
> it's not provided.
> The second one is with the Root CA CRL. Intermediate CA validation succeed
> but the signing certificate then failed...
>
> Best Regards,
> Claude
>
>
>
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
