ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: How to use multiple CRL with WSS4J ?
Date Fri, 30 Sep 2016 14:42:53 GMT
Yes please do a pull request, or create a JIRA and attach the diff there.

Colm.

On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.work@gmail.com> wrote:

> OK, found your GitHub. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
>> New version with the trim() correctly done after the split not before...
>>
>>
>> 2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>>
>>> Found that it was not possible with Merlin because it only allows defining
>>> a single CRL file.
>>> I have done a quick change that enables a comma-separated list of CRLs.
>>> Here is the change. Can someone review it and, if it's OK, add it to the
>>> official source code?
>>>         //
>>>         // Load the CRL file(s)
>>>         //
>>>         String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
>>>         if (crlLocations != null) {
>>>             // Comma-separated list of locations; trim each entry after the split,
>>>             // not the whole property value before it
>>>             String[] splitCrlLocations = crlLocations.split(",");
>>>             List<X509CRL> crls = new ArrayList<>();
>>>             for (int i = 0; i < splitCrlLocations.length; i++) {
>>>                 String crlLocation = splitCrlLocations[i].trim();
>>>                 InputStream is = loadInputStream(loader, crlLocation);
>>>
>>>                 try {
>>>                     CertificateFactory cf = getCertificateFactory();
>>>                     X509CRL crl = (X509CRL)cf.generateCRL(is);
>>>                     crls.add(crl);
>>>                 } catch (Exception e) {
>>>                     if (DO_DEBUG) {
>>>                         LOG.debug(e.getMessage(), e);
>>>                     }
>>>                     throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>>                 } finally {
>>>                     if (is != null) {
>>>                         is.close();
>>>                     }
>>>                 }
>>>             }
>>>             // All loaded CRLs go into one Collection CertStore, so the PKIX validator
>>>             // can find a CRL for each issuer in the path
>>>             try {
>>>                 if (provider == null || provider.length() == 0) {
>>>                     crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
>>>                 } else {
>>>                     crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls), provider);
>>>                 }
>>>             } catch (Exception e) {
>>>                 if (DO_DEBUG) {
>>>                     LOG.debug(e.getMessage(), e);
>>>                 }
>>>                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>>             }
>>>             if (DO_DEBUG) {
>>>                 LOG.debug("The CRL(s) " + crlLocations + " have been loaded");
>>>             }
>>>         }
>>> Best Regards,
>>> Claude
>>>
>>> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>>>
>>>> Hi,
>>>> I got the following PKI chain: Root CA > Intermediate CA > Client signing
>>>> certificate.
>>>> As suggested by Colm, I have set in my truststore my Intermediate CA and
>>>> my Root CA.
>>>> However, by doing this, CRL verification doesn't work. In fact, it
>>>> seems to validate my Intermediate CA against the Root CA CRL while I'm only
>>>> interested in verifying the client certificate.
>>>> I'm not sure how revocation validation works but it seems to validate
>>>> CRLs for every certificate (except the Root).
>>>> However, I don't know how to specify multiple CRLs in WSS4J or if it is
>>>> possible to merge 2 CRL files into a common one?
>>>> I have provided 2 logs. The first one with the Intermediate CA CRL. We
>>>> can see that validation of the Intermediate CA against the Root CRL failed
>>>> since it's not provided.
>>>> The second one is with the Root CA CRL. Intermediate CA validation
>>>> succeeds but the signing certificate then fails...
>>>>
>>>> Best Regards,
>>>> Claude
>>>>
>>>
>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
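The following is an added example, not code from this thread or from WSS4J, that puts the two points of the discussion together in plain JCA: loading a comma-separated list of CRL files into a single Collection CertStore (with trim() applied to each entry after the split, as the second patch version does) and running PKIX validation with revocation enabled over a Root CA > Intermediate CA > client chain. It shows why both CRLs are needed: the validator checks each certificate in the path against a CRL from that certificate's issuer, so the root's CRL covers the intermediate and the intermediate's CRL covers the client certificate. The class name and the classpath resource names (root-ca.cer, intermediate-ca.cer, client.cer, root-ca.crl, intermediate-ca.crl) are assumptions for the example; the CRLs must be current (nextUpdate not passed) for the validator to accept them.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example (not WSS4J code): multi-CRL CertStore plus PKIX revocation checking. */
public final class MultiCrlRevocationCheck {

    /** Split "a.crl, b.crl" into ["a.crl", "b.crl"]: each entry is trimmed after the split. */
    static List<String> parseCrlLocations(String value) {
        List<String> locations = new ArrayList<>();
        if (value == null) {
            return locations;
        }
        for (String part : value.split(",")) {
            String location = part.trim();
            if (!location.isEmpty()) {          // tolerate "a.crl,,b.crl" and a trailing comma
                locations.add(location);
            }
        }
        return locations;
    }

    /** Load every listed CRL (DER or PEM) from the classpath into one Collection CertStore. */
    static CertStore loadCrlStore(ClassLoader loader, String crlLocationsProperty)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (String location : parseCrlLocations(crlLocationsProperty)) {
            try (InputStream is = loader.getResourceAsStream(location)) {
                if (is == null) {
                    throw new IOException("CRL not found on classpath: " + location);
                }
                crls.add((X509CRL) cf.generateCRL(is));
            }
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    static X509Certificate loadCert(ClassLoader loader, String location)
            throws IOException, GeneralSecurityException {
        try (InputStream is = loader.getResourceAsStream(location)) {
            if (is == null) {
                throw new IOException("certificate not found on classpath: " + location);
            }
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        }
    }

    /**
     * Validate leaf -> intermediate against the root as trust anchor with revocation on.
     * The validator needs a CRL for every certificate in the path (the anchor itself is
     * not checked): the root-issued CRL for the intermediate, the intermediate-issued
     * CRL for the leaf. Missing either one ends in UNDETERMINED_REVOCATION_STATUS.
     */
    static boolean isChainValid(X509Certificate leaf, X509Certificate intermediate,
                                X509Certificate root, CertStore crlStore)
            throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(leaf, intermediate));   // target first
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);
        params.addCertStore(crlStore);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // REVOKED when a CRL lists the serial; UNDETERMINED_REVOCATION_STATUS when no
            // usable CRL from that certificate's issuer is in the store.
            System.err.println("Path rejected: " + e.getReason() + " - " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = MultiCrlRevocationCheck.class.getClassLoader();
        X509Certificate root = loadCert(loader, "root-ca.cer");              // assumed resources
        X509Certificate intermediate = loadCert(loader, "intermediate-ca.cer");
        X509Certificate leaf = loadCert(loader, "client.cer");

        // Only the intermediate CA's CRL: the intermediate's own status is undetermined.
        CertStore oneCrl = loadCrlStore(loader, "intermediate-ca.crl");
        System.out.println("one CRL   -> valid: " + isChainValid(leaf, intermediate, root, oneCrl));

        // Both CRLs, comma separated, with the stray whitespace that the per-entry trim handles.
        CertStore bothCrls = loadCrlStore(loader, "root-ca.crl , intermediate-ca.crl");
        System.out.println("both CRLs -> valid: " + isChainValid(leaf, intermediate, root, bothCrls));
    }
}
```

The first run reproduces the thread's first log (intermediate rejected for lack of a root-issued CRL); the second passes only if neither certificate is listed in its issuer's CRL. Merging two CRLs into one file is not an option, since a CRL is signed by a single issuer, which is why a CertStore holding several CRLs is the right structure.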
