If I thought I knew enough, I would be happy to work on it. We'll see
how things go. :-)

I've found the verifyTrust() code in
org.apache.ws.security.handler.WSHandler.java. The approach makes sense,
but the third step in the method confuses me. I have excerpted some code
from WSS4J 1.5 below and added some questions. Maybe someone could
comment?

Rick Hansen


// THIRD step
// Check the certificate trust path for every alias of the issuer found
// in the keystore
for (int i = 0; i < aliases.length; i++) {
  alias = aliases[i];

  if (doDebug) {
    log.debug("Preparing to validate certificate path with alias "
              + alias + " for issuer " + issuerString);
  }

  // Retrieve the certificate(s) for the alias from the keystore
  try {
    certs = reqData.getSigCrypto().getCertificates(alias);
  } catch (WSSecurityException ex) {
    throw new WSSecurityException("WSHandler: Could not get certificates for alias "
                                  + alias, ex);
  }

  // If no certificates have been found, there has to be an error:
  // The keystore can find an alias but no certificate(s)

/******************************************************************************
  Is this condition correct or should it be?
    if (certs == null || certs.length < 1)
******************************************************************************/
  if (certs == null | certs.length < 1) {
    throw new WSSecurityException("WSHandler: Could not get certificates for alias "
                                  + alias);
  }

 
/******************************************************************************
  If this comment is correct then I think the code is incorrect.
  Is the intention to put the original cert first in the chain for each
  alias?
******************************************************************************/
  // Form a certificate chain from the transmitted certificate
  // and the certificate(s) of the issuer from the keystore
  // First, create new array
  X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
  // Then add the first certificate ...
  x509certs[0] = cert;
  // ... and the other certificates

  for (int j = 0; j < certs.length; j++) {
    cert = certs[i];                       // Line 1
    x509certs[certs.length + j] = cert;    // Line 2
  }
  certs = x509certs;
 
/******************************************************************************
  Line 1 -
  Is it correct to use 'i' which is the index over the array of aliases?
  Doesn't this lose the reference to the original cert?

  Line 2 -
  x509certs.length == certs.length + 1, won't certs.length + j cause an
  index out of bounds?

  Should the loop be -

    for (int j = 0; j < certs.length; j++) {
      x509certs[j+1] = certs[j];
    }
******************************************************************************/

  // Use the validation method from the crypto to check whether the
  // subject's certificate was really signed by the issuer stated in the
  // certificate
  try {
    if (reqData.getSigCrypto().validateCertPath(certs)) {
      if (doDebug) {
        log.debug("WSHandler: Certificate path has been verified for certificate with subject "
                  + subjectString);
      }
      return true;
    }
  } catch (WSSecurityException ex) {
    throw new WSSecurityException("WSHandler: Certificate path verification failed for certificate with subject "
                                  + subjectString, ex);
  }
}


-----Original Message-----
From: Davanum Srinivas [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 1:38 PM
To: David Del Vecchio
Cc: [email protected]
Subject: Re: How to verify root certificate?

Sounds good! any volunteers :)

-- dims

On 8/14/06, David Del Vecchio <[EMAIL PROTECTED]> wrote:
> This does seem like it would be useful functionality. Perhaps we can
> add path validation support, but make it configurable with a switch so
> that applications that need it can take advantage of it, but those
> that don't (or need custom processing) are unaffected.
>
> David
>
> On Mon, 14 Aug 2006 07:48:33 -0500
>   <[EMAIL PROTECTED]> wrote:
>
> > Wow, that is very surprising. Admittedly I am a security novice,
> > but I assumed verifying the root CA would be basic included, if not
> > required, functionality. Thanks for the heads up anyway.
> >
> > -----Original Message-----
> > From: Werner Dittmann [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, August 12, 2006 1:41 AM
> > To: Hansen, Rick (TLR Corp)
> > Cc: [email protected]
> > Subject: Re: How to verify root certificate?
> >
> > Richard,
> > that's correct. WSS4J does not perform the certificate
> > verification. The WSS4J Axis handlers have some code that performs a
> > basic certificate path verification. This was done because
> > certificate path verification is sometimes not necessary for basic
> > security (encryption). WSS4J returns the certificate used for
> > signature verification to the calling application (WSSecurityEngine
> > does this).
> >
> > Regards,
> > Werner
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > I've searched quite a bit but have found nothing on how to get
> > > WSS4J to verify the root X509 certificate. Can anyone tell me how
> > > or point me to an example?
> > >
> > > I am using WSS4J programmatically (not under Axis) to sign and
> > > verify SOAP messages. Using the WSSecSignature and WSSecurityEngine
> > > classes I have gotten things working well except that the root
> > > certificate is not verified. I have been using a self-signed cert for
> > > testing and passing the cert in the BinarySecurityToken. Any
> > > certificate seems to be trusted, in fact I can even use an empty
> > > keystore on the server.
> > >
> > > Rick Hansen
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>


--
Davanum Srinivas : http://www.wso2.net (Oxygen for Web Service
Developers)
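
The two things Rick asks about in the THIRD step (the non-short-circuit `|`, which dereferences certs when it is null, and the chain assembly that reads certs[i] and writes past the end of x509certs) are easiest to see against a working reference. The following is an added example, not WSS4J code and not written by anyone on this thread. It is in Go rather than Java only because Go's standard library can mint the test certificates in memory, so it runs stand-alone; the helper names (newCert, NewDemoPKI, BuildChain, ValidateCertPath) and the three certificates are constructed for this example. It builds the chain the way the WSS4J comment describes (transmitted certificate first, keystore issuer certificates after it), validates the path against the self-signed keystore entries, rejects a self-signed certificate the keystore does not hold, and fails closed on an empty keystore, which is the behaviour Rick's original report was missing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert mints a constructed test certificate with a fresh P-256 key; a nil parent means self-signed.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewDemoPKI stands in for the keystore and the transmitted certificates (all constructed).
func NewDemoPKI() (root, leaf, rogue *x509.Certificate, err error) {
	root, rootKey, err := newCert("Demo Root CA", 1, true, nil, nil) // keystore entry
	if err == nil {
		leaf, _, err = newCert("demo signer", 2, false, root, rootKey) // signed by the root
	}
	if err == nil {
		rogue, _, err = newCert("Untrusted self-signed", 3, true, nil, nil) // unknown to the keystore
	}
	return
}

// BuildChain does what the THIRD-step comment describes: the transmitted
// certificate at index 0, the keystore's issuer certificate(s) at j+1.
func BuildChain(transmitted *x509.Certificate, issuerCerts []*x509.Certificate) ([]*x509.Certificate, error) {
	// Short-circuit form of "certs == null || certs.length < 1": len of a nil slice is 0.
	if len(issuerCerts) < 1 {
		return nil, errors.New("keystore alias resolved to no certificates")
	}
	chain := make([]*x509.Certificate, len(issuerCerts)+1)
	chain[0] = transmitted
	for j, c := range issuerCerts {
		chain[j+1] = c // not chain[len(issuerCerts)+j], which runs past the end
	}
	return chain, nil
}

// ValidateCertPath checks that chain[0] really chains to a self-signed keystore certificate.
func ValidateCertPath(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return errors.New("chain needs the transmitted certificate plus an issuer")
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain[1:] {
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c) // self-signed keystore entry: a trust anchor
		} else {
			intermediates.AddCert(c) // anything else from the keystore may sit mid-path
		}
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, leaf, rogue, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{leaf, rogue} {
		chain, err := BuildChain(c, []*x509.Certificate{root})
		if err == nil {
			err = ValidateCertPath(chain)
		}
		fmt.Println(c.Subject.CommonName, "->", err) // leaf: <nil>; rogue: unknown authority
	}
	_, err = BuildChain(leaf, nil) // the empty-keystore case from Rick's report
	fmt.Println("empty keystore ->", err)
}
```

The classification in ValidateCertPath is the point to watch when porting this back to a Java keystore: only the entries that sign themselves become trust anchors, so a chain is accepted solely because it ends at something the deployer put in the keystore, never because the transmitted BinarySecurityToken happens to be self-consistent.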



