ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: How to use multiple CRL with WSS4J ?
Date Fri, 30 Sep 2016 15:40:42 GMT
Martin, are you referring to the missing "PKCS7"? Merlin is designed to
work with X.509 certificates, so it doesn't apply here.

Colm.

On Fri, Sep 30, 2016 at 4:35 PM, Martin Gainty <mgainty@hotmail.com> wrote:

> ------------------------------
> From: coheigea@apache.org
> Date: Fri, 30 Sep 2016 15:42:53 +0100
> Subject: Re: How to use multiple CRL with WSS4J ?
> To: users@ws.apache.org
>
> Yes please do a pull request, or create a JIRA and attach the diff there.
>
> Colm.
>
> On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.work@gmail.com>
> wrote:
>
> Ok found your github. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
> New version with the trim() correctly done after the split not before...
>
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
> Found that it was not possible with Merlin because it only allows a
> single CRL file to be defined.
> I have made a quick change that enables a comma-separated list of CRLs.
> Here is the change. Can someone review it and, if it's OK, add it to the
> official source code?
> //
>         // Load the CRL file
>         //
>         String crlLocations = properties.getProperty(prefix +
> X509_CRL_FILE);
>         if (crlLocations != null) {
>             crlLocations = crlLocations.trim();
>             String[] splittedCrlsLocation=crlLocations.split(",");
>             List<X509CRL> crls=new ArrayList();
>             for (int i = 0; i < splittedCrlsLocation.length; i++) {
>                 String crlLocation = splittedCrlsLocation[i];
>                 InputStream is = loadInputStream(loader, crlLocation);
>
>                 try {
>                     CertificateFactory cf = getCertificateFactory();
>                     X509CRL crl = (X509CRL)cf.generateCRL(is);
>                     crls.add(crl);
>                 } catch (Exception e) {
>                     if (DO_DEBUG) {
>                         LOG.debug(e.getMessage(), e);
>                     }
>                     throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
> "ioError00", e);
>                 } finally {
>                     if (is != null) {
>                         is.close();
>                     }
>                 }
>             }
>             try {
>                 if (provider == null || provider.length() == 0) {
>                     crlCertStore =
>                             CertStore.getInstance(
>                                     "Collection",
>                                     new CollectionCertStoreParameters(
> crls)
>                             );
>
>                 } else {
>                     crlCertStore =
>                             CertStore.getInstance(
>                                     "Collection",
>                                     new CollectionCertStoreParameters(
> crls),
>                                     provider
>                             );
>                 }
>             } catch (Exception e) {
>                 if (DO_DEBUG) {
>                     LOG.debug(e.getMessage(), e);
>                 }
>                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
> "ioError00", e);
>             }
>             if (DO_DEBUG) {
>                 LOG.debug(
>                         "The CRL " + crlLocations + " has been loaded"
>                 );
>             }
>
> MG> Merlin.java
>
>           List<X509Certificate> certList = Arrays.asList(x509certs);
>
>           CertPath path = getCertificateFactory().generateCertPath(certList);
>
> MG> what I see from IBM:
>
>   FileInputStream fis = new FileInputStream(filename);
>     // instantiate a CertificateFactory for X.509
>     CertificateFactory cf = CertificateFactory.getInstance("X.509");
>     // extract the certification path from
>     // the PKCS7 SignedData structure
>     CertPath cp = cf.generateCertPath(fis, "PKCS7");
>
>
> MG> is the IBM doc incorrect?
>
> http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/certpathDocs/certificatefactory.html
>
> Best Regards,
> Claude
>
> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
> Hi,
> I have the following PKI chain: Root CA > Intermediate CA > Client signing
> certificate.
> As suggested by Colm, I have put my Intermediate CA and my Root CA in my
> truststore.
> However, by doing this, CRL verification doesn't work. In fact, it seems
> to validate my Intermediate CA against the Root CA CRL while I'm only
> interested in verifying the client certificate.
> I'm not sure how revocation validation works, but it seems to validate the CRL
> for every certificate (except the Root).
> However, I don't know how to specify multiple CRLs in WSS4J, or if it is
> possible to merge 2 CRL files into a common one?
> I have provided 2 logs. The first one is with the Intermediate CA CRL. We can
> see that validation of the Intermediate CA against the Root CRL fails since
> it's not provided.
> The second one is with the Root CA CRL. Intermediate CA validation succeeds,
> but the signing certificate then fails...
>
> Best Regards,
> Claude
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
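As an added example (not code from WSS4J/Merlin or from any poster in this thread), the stand-alone Java program below shows the two things discussed above: loading a comma-separated list of CRL files into one "Collection" CertStore, the same CertStore type Merlin builds, and why PKIX revocation checking of the chain Root CA > Intermediate CA > client certificate needs both the Root CA's CRL (covering the intermediate) and the Intermediate CA's CRL (covering the client certificate), while the root itself is a trust anchor and is never checked against a CRL. The class and helper names (loadCrls, crlFor, validate, readCert), the command-line layout and the assumption that the inputs are X.509 certificate and CRL files readable by the JDK CertificateFactory are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class MultiCrlPathValidation {

    // Assumed helper (not WSS4J code): split a comma-separated list of CRL
    // locations, trim each entry AFTER the split, skip blanks, parse each file.
    static List<X509CRL> loadCrls(String crlLocations) throws Exception {
        List<X509CRL> crls = new ArrayList<>();
        if (crlLocations == null) {
            return crls;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String entry : crlLocations.split(",")) {
            String location = entry.trim();
            if (location.isEmpty()) {
                continue;
            }
            try (InputStream is = new FileInputStream(location)) {
                crls.add((X509CRL) cf.generateCRL(is));
            }
        }
        return crls;
    }

    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream is = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(is);
        }
    }

    // The CRL that revocation checking consults for a certificate is the one
    // issued by that certificate's issuer, so a path with N non-anchor
    // certificates needs a CRL from each of the N issuing CAs.
    static X509CRL crlFor(X509Certificate cert, List<X509CRL> crls) {
        for (X509CRL crl : crls) {
            if (crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
                return crl;
            }
        }
        return null;
    }

    // PKIX validation with revocation enabled; every CRL is supplied through
    // one Collection CertStore. The path is leaf first and excludes the anchor.
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                Set<TrustAnchor> anchors,
                                                List<X509CRL> crls) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MultiCrlPathValidation root.pem intermediate.pem client.pem root.crl,intermediate.crl");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = readCert(cf, args[0]);
        X509Certificate intermediate = readCert(cf, args[1]);
        X509Certificate client = readCert(cf, args[2]);
        List<X509CRL> crls = loadCrls(args[3]);

        // Report which loaded CRL covers each certificate in the path.
        for (X509Certificate cert : Arrays.asList(client, intermediate)) {
            X509CRL crl = crlFor(cert, crls);
            System.out.println(cert.getSubjectX500Principal() + " -> "
                    + (crl == null
                       ? "no CRL loaded from issuer " + cert.getIssuerX500Principal()
                       : "CRL from " + crl.getIssuerX500Principal()));
        }

        // Only the root is a trust anchor, so it is not subject to CRL checking.
        PKIXCertPathValidatorResult result = validate(
                Arrays.asList(client, intermediate),
                Collections.singleton(new TrustAnchor(root, null)),
                crls);
        System.out.println("Path valid up to anchor "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Compile and run with `javac MultiCrlPathValidation.java && java MultiCrlPathValidation root.pem intermediate.pem client.pem root.crl,intermediate.crl`. If only one of the two CRLs is passed, validate() throws a CertPathValidatorException because the revocation status of the certificate whose issuer CRL is missing cannot be determined; with revocation enabled the JDK validator does not silently skip that certificate, which matches the two failing logs described in the thread. The validator also verifies each CRL's signature against the issuing CA's key, so a CRL from the wrong issuer is not accepted merely because it is present in the store.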
