Please open a JIRA bug.
-- dims
On 11/18/05, Allen Cronce <[EMAIL PROTECTED]> wrote:
> As I thought, the problem is that Merlin.validateCertPath is not calling
> the provider aware variant of CertPathValidator.getInstance. I overrode
> validateCertPath in my Merlin derivation, and used the version of
> CertPathValidator.getInstance that allows me to specify the provider and
> it now works. I've appended the code change below.
>
> I would call this a bug in Merlin.validateCertPath. Should I file a Jira
> bug or is this a known problem?
>
> Best regards,
> --
> Allen Cronce
>
> ------------------------------
>
> public boolean validateCertPath(X509Certificate[] certs)
>         throws WSSecurityException {
>
>     try {
>         // Generate cert path
>         java.util.List certList = java.util.Arrays.asList(certs);
>         CertPath path = this.getCertificateFactory().generateCertPath(
>                 certList);
>
>         // Use the certificates in the keystore as TrustAnchors
>         PKIXParameters param = new PKIXParameters(this.keystore);
>
>         // Do not check a revocation list
>         param.setRevocationEnabled(false);
>
>         // Verify the trust path using the above settings
>         String provider = properties.getProperty(
>                 "org.apache.ws.security.crypto.merlin.cert.provider");
>         CertPathValidator certPathValidator;
>         if (provider == null || provider.length() == 0) {
>             certPathValidator = CertPathValidator.getInstance("PKIX");
>         } else {
>             certPathValidator = CertPathValidator.getInstance("PKIX",
>                     provider);
>         }
>         certPathValidator.validate(path, param);
>     } catch (NoSuchProviderException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "certpath", new Object[] { ex.getMessage() },
>                 (Throwable) ex);
>     } catch (NoSuchAlgorithmException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "certpath", new Object[] { ex.getMessage() },
>                 (Throwable) ex);
>     } catch (CertificateException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "certpath", new Object[] { ex.getMessage() },
>                 (Throwable) ex);
>     } catch (InvalidAlgorithmParameterException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "certpath", new Object[] { ex.getMessage() },
>                 (Throwable) ex);
>     } catch (CertPathValidatorException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "certpath", new Object[] { ex.getMessage() },
>                 (Throwable) ex);
>     } catch (KeyStoreException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE,
>                 "certpath", new Object[] { ex.getMessage() },
>                 (Throwable) ex);
>     }
>
>     return true;
> }
>
>
> Allen Cronce wrote:
> > Hi all,
> >
> > I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use
> > digital signatures with certificates issued from the same root.
> > Because I have my own keystore in memory, I've derived new objects
> > supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender.
> > The keystore is Bouncy Castle Uber. Both the client and server side
> > keystores have the root certificate installed as a trusted certificate
> > entry.
> >
> > On the server side I get the following error when verifying the
> > signer's certificate:
> >
> > java.security.cert.CertPathValidatorException: signature check failed;
> > internal cause is:
> > java.lang.IllegalArgumentException: missing provider
> >
> > I've verified in the debugger that the certificate chain provided to
> > Merlin.validateCertPath is valid. Does this error mean that
> > validateCertPath is instancing a CertPathValidator that doesn't know
> > about the BC provider?
> >
> > I suppose that I can work around this error by overriding verifyTrust
> > and implementing my own certificate validation. But I was hoping to
> > keep my overrides to a minimum.
> >
> > Any suggestions regarding how to resolve this issue would be appreciated.
> >
> > Best regards,
> > --
> > Allen Cronce
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
--
Davanum Srinivas : http://wso2.com/blogs/
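
An added example, not part of the thread or of WSS4J's own code: a stand-alone Java diagnostic for the provider-selection problem described in the quoted message. It lists the registered JCA providers that supply a PKIX CertPathValidator, shows which one the provider-less getInstance call resolves to, and shows the provider-aware call rejecting an unregistered name; the class name CertPathProviderCheck and the provider name "NoSuchProv" are assumptions made for the example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.util.Properties;

public class CertPathProviderCheck {
    // Property name taken from the code quoted in the thread.
    static final String PROVIDER_KEY =
            "org.apache.ws.security.crypto.merlin.cert.provider";

    /** Resolve a PKIX validator, honouring the configured provider if one is set. */
    static CertPathValidator resolve(Properties props)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        String name = props.getProperty(PROVIDER_KEY);
        if (name == null || name.trim().isEmpty()) {
            // No provider configured: JCA returns the implementation from the
            // most-preferred registered provider that supports PKIX.
            return CertPathValidator.getInstance("PKIX");
        }
        // Throws NoSuchProviderException if the name is not registered,
        // rather than silently falling back to another provider.
        return CertPathValidator.getInstance("PKIX", name.trim());
    }

    public static void main(String[] args) throws Exception {
        // Every registered provider that offers a PKIX CertPathValidator.
        Provider[] capable = Security.getProviders("CertPathValidator.PKIX");
        if (capable != null) {
            for (Provider p : capable) {
                System.out.println("PKIX validator available from: " + p.getName());
            }
        }

        Properties props = new Properties(); // constructed sample configuration
        System.out.println("default resolves to: "
                + resolve(props).getProvider().getName());

        // "NoSuchProv" is a constructed, deliberately unregistered name.
        props.setProperty(PROVIDER_KEY, "NoSuchProv");
        try {
            resolve(props);
        } catch (NoSuchProviderException ex) {
            System.out.println("misconfigured provider rejected: " + ex.getMessage());
        }
    }
}
```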