As I thought, the problem is that Merlin.validateCertPath is not calling the provider aware variant of CertPathValidator.getInstance. I overrode validateCertPath in my Merlin derivation, and used the version of CertPathValidator.getInstance that allows me to specify the provider and it now works. I've appended the code change below.

I would call this a bug in Merlin.validateCertPath. Should I file a Jira bug or is this a known problem?

Best regards,
--
Allen Cronce

------------------------------

   // Imports the override needs in addition to Merlin's own:
   import java.security.GeneralSecurityException;
   import java.security.cert.CertPath;
   import java.security.cert.CertPathValidator;
   import java.security.cert.PKIXParameters;
   import java.security.cert.X509Certificate;
   import java.util.Arrays;
   import java.util.List;
   import org.apache.ws.security.WSSecurityException;

   /**
    * Override of Merlin.validateCertPath that honours the configured
    * crypto provider when obtaining the PKIX CertPathValidator.
    */
   public boolean validateCertPath(X509Certificate[] certs)
           throws WSSecurityException {

       try {
           // Generate cert path
           List<X509Certificate> certList = Arrays.asList(certs);
           CertPath path = this.getCertificateFactory().generateCertPath(
                   certList);

           // Use the certificates in the keystore as TrustAnchors
           PKIXParameters param = new PKIXParameters(this.keystore);

           // Do not check a revocation list
           param.setRevocationEnabled(false);

           // Verify the trust path using the above settings; pick the
           // provider-aware getInstance variant when a provider is configured
           String provider = properties.getProperty(
                   "org.apache.ws.security.crypto.merlin.cert.provider");
           CertPathValidator certPathValidator;
           if (provider == null || provider.length() == 0) {
               certPathValidator = CertPathValidator.getInstance("PKIX");
           } else {
               certPathValidator = CertPathValidator.getInstance("PKIX",
                       provider);
           }
           certPathValidator.validate(path, param);
       } catch (GeneralSecurityException ex) {
           // Covers NoSuchProviderException, NoSuchAlgorithmException,
           // CertificateException, InvalidAlgorithmParameterException,
           // CertPathValidatorException and KeyStoreException, all of which
           // Merlin wraps identically
           throw new WSSecurityException(WSSecurityException.FAILURE,
                   "certpath", new Object[] { ex.getMessage() }, ex);
       }

       return true;
   }
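As an added example (not the posted patch and not WSS4J's own code), the same validation written as a standalone helper that first checks the named provider is actually registered, so a misconfiguration surfaces directly instead of as the nested "missing provider" cause, and that can optionally turn revocation checking on through the Java 8+ PKIXRevocationChecker instead of disabling it as Merlin does. The class name, the checkRevocation parameter, that the trust store holds the root as a trusted certificate entry, and that the chosen provider supports getRevocationChecker are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.cert.*;
import java.util.Arrays;
import java.util.EnumSet;

/** Added example: provider-aware PKIX path validation with optional revocation checking. */
public final class ProviderAwarePathValidator {

    /**
     * Validates certs[0] (the signer) up to a trust anchor taken from the trusted
     * certificate entries of trustStore. provider may be null for the JDK default,
     * or a registered provider name such as "BC".
     */
    public static PKIXCertPathValidatorResult validate(X509Certificate[] certs,
            KeyStore trustStore, String provider, boolean checkRevocation)
            throws GeneralSecurityException {
        // Fail fast with a clear message; otherwise the JCA reports the problem
        // only as the inner cause of "signature check failed".
        if (provider != null && Security.getProvider(provider) == null) {
            throw new NoSuchProviderException("provider not registered: " + provider);
        }
        // Use the provider-aware getInstance variants consistently for every step.
        CertificateFactory cf = provider == null
                ? CertificateFactory.getInstance("X.509")
                : CertificateFactory.getInstance("X.509", provider);
        CertPathValidator cpv = provider == null
                ? CertPathValidator.getInstance("PKIX")
                : CertPathValidator.getInstance("PKIX", provider);

        CertPath path = cf.generateCertPath(Arrays.asList(certs));
        // Trusted certificate entries of the key store become the trust anchors.
        PKIXParameters params = new PKIXParameters(trustStore);

        if (checkRevocation) {
            // Java 8+ checker: SOFT_FAIL tolerates unreachable OCSP/CRL sources,
            // but a definitive "revoked" answer still fails validation.
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
            params.addCertPathChecker(rc);
        } else {
            // Merlin's setting: a revoked signer certificate is still accepted.
            params.setRevocationEnabled(false);
        }
        // Throws CertPathValidatorException on an untrusted issuer, broken signature,
        // expired certificate, etc.; the result names the anchor the chain ended at.
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }
}
```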


Allen Cronce wrote:
Hi all,

I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital signatures with certificates issued from the same root. Because I have my own keystore in memory, I've derived new objects supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle Uber. Both the client and server side keystores have the root certificate installed as a trusted certificate entry.

On the server side I get the following error when verifying the signer's certificate:

java.security.cert.CertPathValidatorException: signature check failed; internal cause is:
   java.lang.IllegalArgumentException: missing provider

I've verified in the debugger that the certificate chain provided to Merlin.validateCertPath is valid. Does this error mean that validateCertPath is instantiating a CertPathValidator that doesn't know about the BC provider?

I suppose that I can work around this error by overriding verifyTrust and implementing my own certificate validation. But I was hoping to keep my overrides to a minimum.

Any suggestions regarding how to resolve this issue would be appreciated.

Best regards,
--
Allen Cronce



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]