[jira] Resolved: (WSS-27) Merlin.validateCertPath doesn't work with alternate providers

Sun, 20 Nov 2005 08:36:47 -0800 

     [ http://issues.apache.org/jira/browse/WSS-27?page=all ]
     
Davanum Srinivas resolved WSS-27:
---------------------------------

    Resolution: Fixed

Fixed.

-- dims

> Merlin.validateCertPath doesn't work with alternate providers
> -------------------------------------------------------------
>
>          Key: WSS-27
>          URL: http://issues.apache.org/jira/browse/WSS-27
>      Project: WSS4J
>         Type: Bug
>  Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, 
> Standard Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 
> 1.4.2-54, mixed mode), Mac OS X 10.4.3
>     Reporter: Allen Cronce
>     Assignee: Davanum Srinivas

>
> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital 
> signatures with certificates issued from the same root. Because I have my own 
> keystore in memory, I've derived new objects supporting my keystore from 
> Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle 
> Uber. Both the client and server side keystores have the root certificate 
> installed as a trusted certificate entry.
> On the server side I get the following error when verifying the signer's 
> certificate:
> java.security.cert.CertPathValidatorException: signature check failed; 
> internal cause is:
>    java.lang.IllegalArgumentException: missing provider
> I've verified in the debugger that the certificate chain provided to 
> Merlin.validateCertPath is valid.
> In looking at the code, I've determined that Merlin.validateCertPath is not 
> calling the provider aware variant of CertPathValidator.getInstance. I 
> overrode validateCertPath in my Merlin derivation, and used the version of 
> CertPathValidator.getInstance that allows me to specify the provider and it 
> now works.
> So the bug is that Merlin.validateCertPath needs to support alternate 
> providers. Here's the fixed version of the method:
>       /**
>        * Overridden because there's a bug in the base class where they don't 
> use
>        * the provider variant for the certificate validator.
>        * 
>        * @param certs
>        *            Certificate chain to validate
>        * @return true if the certificate chain is valid, false otherwise
>        * @throws WSSecurityException
>        */
>       public boolean validateCertPath(X509Certificate[] certs)
>                       throws WSSecurityException {
>               try {
>                       // Generate cert path
>                       java.util.List certList = 
> java.util.Arrays.asList(certs);
>                       CertPath path = 
> this.getCertificateFactory().generateCertPath(
>                                       certList);
>                       // Use the certificates in the keystore as TrustAnchors
>                       PKIXParameters param = new 
> PKIXParameters(this.keystore);
>                       // Do not check a revocation list
>                       param.setRevocationEnabled(false);
>                       // Verify the trust path using the above settings
>                       String provider = properties
>                                       
> .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
>                       CertPathValidator certPathValidator;
>                       if (provider == null || provider.length() == 0) {
>                               certPathValidator = 
> CertPathValidator.getInstance("PKIX");
>                       } else {
>                               certPathValidator = 
> CertPathValidator.getInstance("PKIX",
>                                               provider);
>                       }
>                       certPathValidator.validate(path, param);
>               } catch (NoSuchProviderException ex) {
>                       throw new 
> WSSecurityException(WSSecurityException.FAILURE,
>                                       "certpath", new Object[] { 
> ex.getMessage() },
>                                       (Throwable) ex);
>               } catch (NoSuchAlgorithmException ex) {
>                       throw new 
> WSSecurityException(WSSecurityException.FAILURE,
>                                       "certpath", new Object[] { 
> ex.getMessage() },
>                                       (Throwable) ex);
>               } catch (CertificateException ex) {
>                       throw new 
> WSSecurityException(WSSecurityException.FAILURE,
>                                       "certpath", new Object[] { 
> ex.getMessage() },
>                                       (Throwable) ex);
>               } catch (InvalidAlgorithmParameterException ex) {
>                       throw new 
> WSSecurityException(WSSecurityException.FAILURE,
>                                       "certpath", new Object[] { 
> ex.getMessage() },
>                                       (Throwable) ex);
>               } catch (CertPathValidatorException ex) {
>                       throw new 
> WSSecurityException(WSSecurityException.FAILURE,
>                                       "certpath", new Object[] { 
> ex.getMessage() },
>                                       (Throwable) ex);
>               } catch (KeyStoreException ex) {
>                       throw new 
> WSSecurityException(WSSecurityException.FAILURE,
>                                       "certpath", new Object[] { 
> ex.getMessage() },
>                                       (Throwable) ex);
>               }
>               return true;
>       }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to