Allen,

thanks for the fix; anyhow, a JIRA is always a good idea :-)
Regards,
Werner
Allen Cronce wrote:
> As I thought, the problem is that Merlin.validateCertPath is not calling
> the provider aware variant of CertPathValidator.getInstance. I overrode
> validateCertPath in my Merlin derivation, and used the version of
> CertPathValidator.getInstance that allows me to specify the provider and
> it now works. I've appended the code change below.
>
> I would call this a bug in Merlin.validateCertPath. Should I file a Jira
> bug or is this a known problem?
>
> Best regards,
> --
> Allen Cronce
>
> ------------------------------
>
> public boolean validateCertPath(X509Certificate[] certs)
>         throws WSSecurityException {
>     try {
>         // Generate the cert path from the chain handed to us
>         java.util.List certList = java.util.Arrays.asList(certs);
>         CertPath path = this.getCertificateFactory().generateCertPath(certList);
>
>         // Use the trusted certificate entries in the keystore as TrustAnchors
>         PKIXParameters param = new PKIXParameters(this.keystore);
>
>         // Do not check a revocation list (no CRL/OCSP lookup is made,
>         // so a revoked certificate still validates)
>         param.setRevocationEnabled(false);
>
>         // Verify the trust path using the above settings. The fix: honour
>         // the configured provider instead of always taking the default one.
>         String provider = properties
>                 .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
>         CertPathValidator certPathValidator;
>         if (provider == null || provider.length() == 0) {
>             certPathValidator = CertPathValidator.getInstance("PKIX");
>         } else {
>             certPathValidator = CertPathValidator.getInstance("PKIX", provider);
>         }
>         certPathValidator.validate(path, param);
>     } catch (NoSuchProviderException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
>                 new Object[] { ex.getMessage() }, ex);
>     } catch (NoSuchAlgorithmException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
>                 new Object[] { ex.getMessage() }, ex);
>     } catch (CertificateException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
>                 new Object[] { ex.getMessage() }, ex);
>     } catch (InvalidAlgorithmParameterException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
>                 new Object[] { ex.getMessage() }, ex);
>     } catch (CertPathValidatorException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
>                 new Object[] { ex.getMessage() }, ex);
>     } catch (KeyStoreException ex) {
>         throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
>                 new Object[] { ex.getMessage() }, ex);
>     }
>
>     return true;
> }
>
>
> Allen Cronce wrote:
>
>> Hi all,
>>
>> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use
>> digital signatures with certificates issued from the same root.
>> Because I have my own keystore in memory, I've derived new objects
>> supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender.
>> The keystore is Bouncy Castle Uber. Both the client and server side
>> keystores have the root certificate installed as a trusted certificate
>> entry.
>>
>> On the server side I get the following error when verifying the
>> signer's certificate:
>>
>> java.security.cert.CertPathValidatorException: signature check failed;
>> internal cause is:
>> java.lang.IllegalArgumentException: missing provider
>>
>> I've verified in the debugger that the certificate chain provided to
>> Merlin.validateCertPath is valid. Does this error mean that
>> validateCertPath is instancing a CertPathValidator that doesn't know
>> about the BC provider?
>>
>> I suppose that I can work around this error by overriding verifyTrust
>> and implementing my own certificate validation. But I was hoping to
>> keep my overrides to a minimum.
>>
>> Any suggestions regarding how to resolve this issue would be appreciated.
>>
>> Best regards,
>> --
>> Allen Cronce
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>
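The thread above boils down to one point: when the keystore and certificates come from Bouncy Castle, the PKIX validator has to be obtained from the same provider, or the signature check inside it fails. The following stand-alone program is an added example written for this page; it is not code from wss4j, Merlin, or either poster. It builds a throwaway root and leaf in memory with Bouncy Castle, puts only the root into an in-memory UBER keystore as a trusted certificate entry (the server-side setup described in the thread), and validates a chain the provider-aware way, checking first that the named provider is actually registered so the failure is a clear NoSuchProviderException rather than an opaque "missing provider" deep inside the validator. It assumes a current bcprov and bcpkix on the classpath and the provider name "BC"; the class, method and certificate names are invented for the illustration. A second, rogue leaf signed by an unrelated root is included to show the negative case being rejected.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Illustrative provider-aware PKIX validation; not part of wss4j/Merlin. */
public class ProviderAwareCertPathDemo {

    private static final String PROVIDER = "BC"; // assumed provider name
    private static long serial = 1;

    /** Validate chain against the trusted entries of trustStore, using the named provider
     *  for both the CertificateFactory and the CertPathValidator (null = JCA default). */
    static PKIXCertPathValidatorResult validate(X509Certificate[] chain, KeyStore trustStore,
                                                String provider) throws GeneralSecurityException {
        // Fail early with a readable message if the provider was never registered.
        if (provider != null && Security.getProvider(provider) == null) {
            throw new NoSuchProviderException("provider " + provider
                    + " is not registered; call Security.addProvider first");
        }
        CertificateFactory cf = provider == null
                ? CertificateFactory.getInstance("X.509")
                : CertificateFactory.getInstance("X.509", provider);
        CertPath path = cf.generateCertPath(Arrays.asList(chain));

        // Every trusted certificate entry in the keystore becomes a TrustAnchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // as in the thread; no CRL/OCSP is consulted

        CertPathValidator validator = provider == null
                ? CertPathValidator.getInstance("PKIX")
                : CertPathValidator.getInstance("PKIX", provider);
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    /** Issue a short-lived certificate for subjectKey, signed by issuerKey (constructed test PKI). */
    static X509Certificate issue(String subject, PublicKey subjectKey, X500Name issuer,
                                 PrivateKey issuerKey, boolean isCa) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L);
        Date notAfter = new Date(System.currentTimeMillis() + 24L * 3600 * 1000);
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, BigInteger.valueOf(serial++), notBefore, notAfter, new X500Name(subject), subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(PROVIDER).build(issuerKey);
        return new JcaX509CertificateConverter().setProvider(PROVIDER)
                .getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", PROVIDER);
        kpg.initialize(2048);

        // Constructed test data: a trusted root, a leaf it issued, and a leaf from a rogue root.
        KeyPair rootKp = kpg.generateKeyPair();
        X500Name rootName = new X500Name("CN=Test Root");
        X509Certificate root = issue("CN=Test Root", rootKp.getPublic(), rootName, rootKp.getPrivate(), true);
        KeyPair leafKp = kpg.generateKeyPair();
        X509Certificate leaf = issue("CN=service.example", leafKp.getPublic(), rootName, rootKp.getPrivate(), false);
        KeyPair rogueKp = kpg.generateKeyPair();
        X509Certificate rogueLeaf = issue("CN=service.example", rogueKp.getPublic(),
                new X500Name("CN=Rogue Root"), rogueKp.getPrivate(), false);

        // In-memory Bouncy Castle UBER keystore holding only the root as a trusted entry.
        KeyStore trust = KeyStore.getInstance("UBER", PROVIDER);
        trust.load(null, null);
        trust.setCertificateEntry("root", root);

        // The path carries only the leaf: PKIX resolves its issuer among the trust anchors.
        PKIXCertPathValidatorResult ok = validate(new X509Certificate[] { leaf }, trust, PROVIDER);
        System.out.println("valid, anchored at "
                + ok.getTrustAnchor().getTrustedCert().getSubjectX500Principal());

        try {
            validate(new X509Certificate[] { rogueLeaf }, trust, PROVIDER);
            System.out.println("BUG: chain from untrusted root was accepted");
        } catch (CertPathValidatorException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Keeping the CertificateFactory and the CertPathValidator on the same provider is the part that matters; mixing a BC-backed keystore with the default validator is exactly the combination the thread reports as failing. The explicit Security.getProvider check costs nothing and turns a mis-configured deployment into a one-line diagnosis at startup. Leaving setRevocationEnabled(false) in place mirrors the posted fix, but in production it means a revoked signer certificate is still accepted, so enable revocation (or add a PKIXRevocationChecker) once the provider wiring works.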