Martin, are you referring to the missing "PKCS7"? Merlin is designed to work with X.509 certificates, so it doesn't apply here.
Colm.

On Fri, Sep 30, 2016 at 4:35 PM, Martin Gainty <mgai...@hotmail.com> wrote:

> ------------------------------
> From: cohei...@apache.org
> Date: Fri, 30 Sep 2016 15:42:53 +0100
> Subject: Re: How to use multiple CRL with WSS4J ?
> To: users@ws.apache.org
>
> Yes please do a pull request, or create a JIRA and attach the diff there.
>
> Colm.
>
> On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.w...@gmail.com> wrote:
>
> Ok, found your GitHub. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
>
> New version with the trim() correctly done after the split, not before...
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
>
> Found that it was not possible with Merlin because it only allows defining a
> single CRL file.
> I have done a quick change that enables a comma-separated list of CRLs.
> Here is the change. Can someone review it and, if it's OK, add it to the
> official source code?
>
>         //
>         // Load the CRL file(s): the property may hold a comma-separated list
>         //
>         String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
>         if (crlLocations != null) {
>             String[] splittedCrlsLocation = crlLocations.split(",");
>             List<X509CRL> crls = new ArrayList<>();
>             for (String crlLocation : splittedCrlsLocation) {
>                 // trim each entry after the split so "a.crl, b.crl" works,
>                 // and skip empty entries left by a trailing comma
>                 crlLocation = crlLocation.trim();
>                 if (crlLocation.isEmpty()) {
>                     continue;
>                 }
>                 InputStream is = loadInputStream(loader, crlLocation);
>                 try {
>                     CertificateFactory cf = getCertificateFactory();
>                     X509CRL crl = (X509CRL) cf.generateCRL(is);
>                     crls.add(crl);
>                 } catch (Exception e) {
>                     if (DO_DEBUG) {
>                         LOG.debug(e.getMessage(), e);
>                     }
>                     throw new WSSecurityException(
>                         WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>                 } finally {
>                     if (is != null) {
>                         is.close();
>                     }
>                 }
>             }
>             try {
>                 // every loaded CRL goes into one Collection CertStore, so the
>                 // PKIX validator can find the CRL for each issuer in the chain
>                 if (provider == null || provider.length() == 0) {
>                     crlCertStore = CertStore.getInstance(
>                         "Collection", new CollectionCertStoreParameters(crls));
>                 } else {
>                     crlCertStore = CertStore.getInstance(
>                         "Collection", new CollectionCertStoreParameters(crls), provider);
>                 }
>             } catch (Exception e) {
>                 if (DO_DEBUG) {
>                     LOG.debug(e.getMessage(), e);
>                 }
>                 throw new WSSecurityException(
>                     WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>             }
>             if (DO_DEBUG) {
>                 LOG.debug("The CRL " + crlLocations + " has been loaded");
>             }
>
> MG> Merlin.java
>
>         List<X509Certificate> certList = Arrays.asList(x509certs);
>         CertPath path = getCertificateFactory().generateCertPath(certList);
>
> MG> what I see from IBM:
>
>         FileInputStream fis = new FileInputStream(filename);
>         // instantiate a CertificateFactory for X.509
>         CertificateFactory cf = CertificateFactory.getInstance("X.509");
>         // extract the certification path from
>         // the PKCS7 SignedData structure
>         CertPath cp = cf.generateCertPath(fis, "PKCS7");
>
> MG> is the IBM doc incorrect?
>
> http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/certpathDocs/certificatefactory.html
>
> Best Regards,
> Claude
>
> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.w...@gmail.com>:
>
> Hi,
> I got the following PKI chain: Root CA > Intermediate CA > Client signing
> certificate.
> As suggested by Colm, I have set in my truststore my Intermediate CA and my
> Root CA.
> However, by doing this, CRL verification doesn't work. In fact, it seems
> to validate my Intermediate CA against the Root CA CRL while I'm only
> interested in verifying the client certificate.
> I'm not sure how revocation validation works, but it seems to validate the CRL
> for every certificate (except the Root).
> However, I don't know how to specify multiple CRLs in WSS4J, or if it is
> possible to merge 2 CRL files into a common one?
> I have provided 2 logs. The first one is with the Intermediate CA CRL. We can
> see that validation of the Intermediate CA against the Root CRL failed since
> it's not provided.
> The second one is with the Root CA CRL. Intermediate CA validation succeeds,
> but the signing certificate then fails...
>
> Best Regards,
> Claude
>
> --
> Colm O hEigeartaigh
> Talend Community Coder
> http://coders.talend.com

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
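The behaviour Claude describes (the PKIX validator checking revocation for every certificate in the path except the trust anchor, so one CRL per issuing CA is needed) can be reproduced outside WSS4J. The program below is an added example, not code from the thread or from Merlin. It assumes BouncyCastle's bcpkix is on the classpath, used only to mint a throwaway Root CA > Intermediate CA > client chain and the two CRLs; the validation itself uses only the JDK's PKIX `CertPathValidator` with a single `Collection` CertStore holding several CRLs, which is the same mechanism Merlin's `crlCertStore` relies on. Class name, subject names, serial numbers and validity periods are made up for the demonstration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.time.Instant;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Constructed demo (not WSS4J code): PKIX revocation with one CRL per issuing CA. */
public class MultiCrlDemo {
    // Made-up validity window: certificates and CRLs valid from a minute ago for one day
    static final Date NOT_BEFORE = Date.from(Instant.now().minusSeconds(60));
    static final Date NOT_AFTER = Date.from(Instant.now().plusSeconds(86_400));

    static KeyPair keys() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    /** Issue an X.509 v3 certificate; bc == null means end-entity (no BasicConstraints). */
    static X509Certificate cert(String issuer, PrivateKey issuerKey, String subject,
                                PublicKey subjectKey, long serial, BasicConstraints bc) throws Exception {
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(issuer),
            BigInteger.valueOf(serial), NOT_BEFORE, NOT_AFTER, new X500Name(subject), subjectKey);
        if (bc != null) {
            b.addExtension(Extension.basicConstraints, true, bc);
        }
        ContentSigner s = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(b.build(s));
    }

    /** Issue a CRL signed by the named CA, revoking the given serial numbers (possibly none). */
    static X509CRL crl(String issuer, PrivateKey issuerKey, BigInteger... revoked) throws Exception {
        X509v2CRLBuilder b = new X509v2CRLBuilder(new X500Name(issuer), NOT_BEFORE);
        b.setNextUpdate(NOT_AFTER); // a CRL past nextUpdate is rejected as stale
        for (BigInteger sn : revoked) {
            b.addCRLEntry(sn, NOT_BEFORE, CRLReason.keyCompromise);
        }
        ContentSigner s = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CRLConverter().getCRL(b.build(s));
    }

    /** Validate path (end-entity first) against the root, with the given CRLs in one CertStore. */
    static String validate(X509Certificate root, List<X509Certificate> path, List<X509CRL> crls) throws Exception {
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters p = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        p.setRevocationEnabled(true);
        // One Collection CertStore can hold any number of CRLs; the validator picks the one
        // whose issuer matches each certificate's issuer and verifies it with that CA's key.
        p.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, p);
            return "VALID";
        } catch (CertPathValidatorException e) {
            // index 0 is the client certificate, index 1 the Intermediate CA
            return e.getReason() + " at path index " + e.getIndex() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair rootKp = keys(), interKp = keys(), clientKp = keys();
        X509Certificate root = cert("CN=Root CA", rootKp.getPrivate(), "CN=Root CA", rootKp.getPublic(), 1, new BasicConstraints(true));
        X509Certificate inter = cert("CN=Root CA", rootKp.getPrivate(), "CN=Intermediate CA", interKp.getPublic(), 2, new BasicConstraints(0));
        X509Certificate client = cert("CN=Intermediate CA", interKp.getPrivate(), "CN=client", clientKp.getPublic(), 3, null);
        X509CRL rootCrl = crl("CN=Root CA", rootKp.getPrivate());
        X509CRL interCrl = crl("CN=Intermediate CA", interKp.getPrivate());
        X509CRL interCrlRevoked = crl("CN=Intermediate CA", interKp.getPrivate(), BigInteger.valueOf(3));
        List<X509Certificate> path = Arrays.asList(client, inter);

        // Only the Root CRL: Intermediate passes, client has no CRL -> UNDETERMINED_REVOCATION_STATUS at index 0
        System.out.println("root CRL only:         " + validate(root, path, Arrays.asList(rootCrl)));
        // Only the Intermediate CRL: Intermediate itself has no CRL -> UNDETERMINED_REVOCATION_STATUS at index 1
        System.out.println("intermediate CRL only: " + validate(root, path, Arrays.asList(interCrl)));
        // Both CRLs: every non-anchor certificate has a fresh CRL -> VALID
        System.out.println("both CRLs:             " + validate(root, path, Arrays.asList(rootCrl, interCrl)));
        // Both CRLs, client serial revoked by the Intermediate -> REVOKED at index 0
        System.out.println("both, client revoked:  " + validate(root, path, Arrays.asList(rootCrl, interCrlRevoked)));
    }
}
```

The first two cases correspond to Claude's two logs: whichever CA's CRL is missing, the certificate that CA issued fails with an undetermined revocation status, even when the trust store already contains both CAs. The trust anchor itself is never checked against a CRL, so for this chain exactly two CRLs (Root CA's and Intermediate CA's) are required, and they do not need to be merged into one file as long as they end up in the same CertStore.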