Merlin.validateCertPath doesn't work with alternate providers
-------------------------------------------------------------
Key: WSS-27
URL: http://issues.apache.org/jira/browse/WSS-27
Project: WSS4J
Type: Bug
Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 1.4.2-54, mixed mode), Mac OS X 10.4.3
Reporter: Allen Cronce
Assigned to: Davanum Srinivas
I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital
signatures with certificates issued from the same root. Because I have my own
keystore in memory, I've derived new objects supporting my keystore from
Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle Uber.
Both the client and server side keystores have the root certificate installed
as a trusted certificate entry.
On the server side I get the following error when verifying the signer's
certificate:
java.security.cert.CertPathValidatorException: signature check failed; internal cause is:
java.lang.IllegalArgumentException: missing provider
I've verified in the debugger that the certificate chain provided to
Merlin.validateCertPath is valid.
In looking at the code, I've determined that Merlin.validateCertPath is not
calling the provider aware variant of CertPathValidator.getInstance. I overrode
validateCertPath in my Merlin derivation, and used the version of
CertPathValidator.getInstance that allows me to specify the provider and it now
works.
So the bug is that Merlin.validateCertPath needs to support alternate
providers. Here's the fixed version of the method:
// Imports needed by the override (the method lives in a subclass of Merlin)
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import org.apache.ws.security.WSSecurityException;

/**
 * Overridden because there's a bug in the base class where they don't use
 * the provider variant for the certificate validator.
 *
 * @param certs Certificate chain to validate
 * @return true if the certificate chain is valid, false otherwise
 * @throws WSSecurityException
 */
public boolean validateCertPath(X509Certificate[] certs)
        throws WSSecurityException {
    try {
        // Generate cert path
        java.util.List certList = java.util.Arrays.asList(certs);
        CertPath path = this.getCertificateFactory().generateCertPath(certList);
        // Use the certificates in the keystore as TrustAnchors
        PKIXParameters param = new PKIXParameters(this.keystore);
        // Do not check a revocation list
        param.setRevocationEnabled(false);
        // Verify the trust path using the above settings; obtain the validator
        // from the configured provider (same property Merlin uses for the
        // certificate factory) instead of the default provider
        String provider = properties
                .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
        CertPathValidator certPathValidator;
        if (provider == null || provider.length() == 0) {
            certPathValidator = CertPathValidator.getInstance("PKIX");
        } else {
            certPathValidator = CertPathValidator.getInstance("PKIX", provider);
        }
        certPathValidator.validate(path, param);
    } catch (NoSuchProviderException ex) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                new Object[] { ex.getMessage() }, (Throwable) ex);
    } catch (NoSuchAlgorithmException ex) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                new Object[] { ex.getMessage() }, (Throwable) ex);
    } catch (CertificateException ex) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                new Object[] { ex.getMessage() }, (Throwable) ex);
    } catch (InvalidAlgorithmParameterException ex) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                new Object[] { ex.getMessage() }, (Throwable) ex);
    } catch (CertPathValidatorException ex) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                new Object[] { ex.getMessage() }, (Throwable) ex);
    } catch (KeyStoreException ex) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "certpath",
                new Object[] { ex.getMessage() }, (Throwable) ex);
    }
    return true;
}
--
This message is automatically generated by JIRA.
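The following is an added example, not code from the issue reporter or from WSS4J. It shows the check a deployer would run to confirm that the certificate factory and the PKIX validator really come from the same configured provider, which is the mismatch the fix above addresses: it reads the provider name from the same property the reporter's override uses (org.apache.ws.security.crypto.merlin.cert.provider), resolves both objects the provider-aware way with a fallback to the JDK default when the property is unset, reports which provider actually served each request, and lists the installed providers when the configured name is not registered. The class name, the command-line handling and the providersAgree helper are this example's own assumptions; it relies only on JDK APIs and needs no third-party provider to run, though it will report whichever provider (for example Bouncy Castle) is configured and installed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Properties;

/** Added example (assumed class name): verifies provider-consistent PKIX setup. */
public class ProviderAwarePkixCheck {

    // Same property key the Merlin override in the issue reads.
    static final String PROVIDER_PROP =
            "org.apache.ws.security.crypto.merlin.cert.provider";

    /** X.509 factory from the configured provider, or the default when unset. */
    static CertificateFactory certificateFactory(String provider)
            throws CertificateException, NoSuchProviderException {
        if (provider == null || provider.length() == 0) {
            return CertificateFactory.getInstance("X.509");
        }
        return CertificateFactory.getInstance("X.509", provider);
    }

    /** PKIX validator from the configured provider, or the default when unset. */
    static CertPathValidator certPathValidator(String provider)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        if (provider == null || provider.length() == 0) {
            return CertPathValidator.getInstance("PKIX");
        }
        return CertPathValidator.getInstance("PKIX", provider);
    }

    /** True when the path was built and will be validated by the same provider. */
    static boolean providersAgree(CertificateFactory cf, CertPathValidator cpv) {
        return cf.getProvider().getName().equals(cpv.getProvider().getName());
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration: provider name taken from argv[0], if given.
        Properties props = new Properties();
        if (args.length > 0) {
            props.setProperty(PROVIDER_PROP, args[0]);
        }
        String provider = props.getProperty(PROVIDER_PROP);

        try {
            CertificateFactory cf = certificateFactory(provider);
            CertPathValidator cpv = certPathValidator(provider);
            System.out.println("configured provider : "
                    + (provider == null ? "(none, JDK default)" : provider));
            System.out.println("CertificateFactory  : " + cf.getProvider().getName());
            System.out.println("CertPathValidator   : " + cpv.getProvider().getName());
            System.out.println("providers agree     : " + providersAgree(cf, cpv));
        } catch (NoSuchProviderException e) {
            // The configured name is not registered with java.security.Security,
            // so CertPathValidator.getInstance("PKIX", provider) cannot succeed.
            System.out.println("provider not installed: " + provider);
            Provider[] installed = Security.getProviders();
            for (int i = 0; i < installed.length; i++) {
                System.out.println("  installed: " + installed[i].getName());
            }
        }
    }
}
```

Run it with no argument to see the JDK defaults, or with the provider name used in the Merlin properties (e.g. BC once Bouncy Castle has been added via Security.addProvider) to confirm that both objects resolve to that provider; a "providers agree: false" line is the condition under which a path generated by one provider is handed to a validator from another.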