Hi Colm,
This is the stack trace. I'm working on sharing a sample cert.

org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path validation: basic constraints check failed: this is not a CA certificate
Original Exception was java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
        at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:891)
        at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:906)
        at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:109)
        at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
        at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:189)
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
        at DigitalSignatureValidator.processSecurityHeader(DigitalSignatureValidator.java:78)
        at AppStarter.main(AppStarter.java:62)
Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:869)
        ... 10 more
Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
        at sun.security.provider.certpath.ConstraintsChecker.checkBasicConstraints(ConstraintsChecker.java:259)
        at sun.security.provider.certpath.ConstraintsChecker.check(ConstraintsChecker.java:122)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 15 more
FAILED auth
Exception in thread "main" java.lang.NullPointerException
        at AppStarter.main(AppStarter.java:63)



On 2020/09/16 09:38:12, Colm O hEigeartaigh <cohei...@apache.org> wrote: 
> What is the complete stack trace? A test-case with a sample cert to
> reproduce the problem would be helpful.
> 
> Colm.
> 
> On Wed, Sep 16, 2020 at 2:31 AM Puri, Amanleen <ap...@visa.com> wrote:
> 
> > Hi,
> >
> > I am using wss4j 2.3.0 to validate signature
> > (wss4j-ws-security-dom-2.3.0.jar). However, the CA cert I use to initialize
> > my crypto object does not have Subject Type and other basic constraints.
> > Hence the signature validation fails with the following exception. The same
> > cert worked in wss4j 1.5.
> >
> >
> >
> > #Exception: java.security.cert.CertPathValidatorException: basic
> > constraints check failed: this is not a CA certificate
> >
> >
> >
> > #Ask: Is there a way I could disable basic constraints check in wss4j
> > 2.3.0?
> >
> >
> >
> > I’m calling engine.processSecurityHeader, where engine is an object of
> > WSSecurityEngine.
> >
> >
> >
> > Looking forward to hearing from you.
> >
> >
> >
> > Best,
> >
> > Amanleen
> >
> 
