The exception is being thrown by the JDK, so it looks like your CA cert is not fit for purpose.
Colm.

On Thu, Sep 17, 2020 at 5:16 PM AKP P <amanlee...@gmail.com> wrote:

> Hi Colm,
> This is the stack trace. I'm working on sharing a sample cert.
>
> org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path validation: basic constraints check failed: this is not a CA certificate
> Original Exception was java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>     at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:891)
>     at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:906)
>     at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:109)
>     at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
>     at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:189)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
>     at DigitalSignatureValidator.processSecurityHeader(DigitalSignatureValidator.java:78)
>     at AppStarter.main(AppStarter.java:62)
> Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>     at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:869)
>     ... 10 more
> Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>     at sun.security.provider.certpath.ConstraintsChecker.checkBasicConstraints(ConstraintsChecker.java:259)
>     at sun.security.provider.certpath.ConstraintsChecker.check(ConstraintsChecker.java:122)
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>     ... 15 more
> FAILED auth
> Exception in thread "main" java.lang.NullPointerException
>     at AppStarter.main(AppStarter.java:63)
>
> On 2020/09/16 09:38:12, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > What is the complete stack trace? A test-case with a sample cert to
> > reproduce the problem would be helpful.
> >
> > Colm.
> >
> > On Wed, Sep 16, 2020 at 2:31 AM Puri, Amanleen <ap...@visa.com> wrote:
> >
> > > Hi,
> > >
> > > I am using wss4j 2.3.0 to validate signature
> > > (wss4j-ws-security-dom-2.3.0.jar). However, the CA cert I use to
> > > initialize my crypto object does not have Subject Type and other basic
> > > constraints. Hence the signature validation fails with the following
> > > exception. The same cert worked in wss4j 1.5.
> > >
> > > #Exception: java.security.cert.CertPathValidatorException: basic
> > > constraints check failed: this is not a CA certificate
> > >
> > > #Ask: Is there a way I could disable basic constraints check in wss4j
> > > 2.3.0?
> > >
> > > I’m calling engine.processSecurityHeader, where engine is an object of
> > > WSSecurityEngine.
> > >
> > > Looking forward to hearing from you.
> > >
> > > Best,
> > >
> > > Amanleen
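
An added diagnostic, not part of the thread and not WSS4J code: it lists each X.509 entry in a keystore and reports whether it asserts `cA=TRUE` in basicConstraints, the property named in the exception above. The class name `TrustStoreCaCheck` is hypothetical; with no arguments it assumes the JDK's bundled `cacerts` file and its default password `changeit`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): inspect keystore entries for the CA flag.
public class TrustStoreCaCheck {

    // X509Certificate.getBasicConstraints() returns -1 when the extension is
    // absent or cA=FALSE, and Integer.MAX_VALUE for a CA with no pathLenConstraint.
    static String describe(X509Certificate cert) {
        int pathLen = cert.getBasicConstraints();
        boolean[] ku = cert.getKeyUsage();   // null when the keyUsage extension is absent
        boolean certSign = ku == null || (ku.length > 5 && ku[5]);   // index 5 = keyCertSign
        String verdict;
        if (pathLen == -1) {
            verdict = "NOT A CA (basicConstraints missing or cA=FALSE)";
        } else if (!certSign) {
            verdict = "cA=TRUE, but keyUsage lacks keyCertSign";
        } else {
            verdict = "CA, pathLen="
                    + (pathLen == Integer.MAX_VALUE ? "unlimited" : String.valueOf(pathLen));
        }
        // X.509 v1 certificates cannot carry extensions, so they always report -1.
        return "v" + cert.getVersion() + " "
                + cert.getSubjectX500Principal().getName() + " -> " + verdict;
    }

    // usage: java TrustStoreCaCheck [keystore] [password] [type]
    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JDK's own trust store and its stock password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println(alias + ": " + describe((X509Certificate) c));
            }
        }
    }
}
```

An entry reported as `NOT A CA` needs to be reissued with basicConstraints `cA=TRUE` before it can act as an issuer in path validation.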