ws-users mailing list archives

From Claude Libois <clibois.w...@gmail.com>
Subject Re: How to use multiple CRL with WSS4J ?
Date Fri, 30 Sep 2016 14:19:22 GMT
New version with the trim() correctly done after the split, not before...


2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.work@gmail.com>:

> Found that it was not possible with Merlin because it only allows defining a
> single CRL file.
> I have done a quick change that enables a comma-separated list of CRLs.
> Here is the change. Can someone review it and, if it's OK, add it to the
> official source code?
> //
> // Load the CRL file(s): the property may hold a comma-separated list of locations
> //
> String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
> if (crlLocations != null) {
>     String[] splittedCrlsLocation = crlLocations.split(",");
>     List<X509CRL> crls = new ArrayList<>();
>     for (int i = 0; i < splittedCrlsLocation.length; i++) {
>         // trim each entry after the split, so that "root.crl, intermediate.crl" works
>         String crlLocation = splittedCrlsLocation[i].trim();
>         if (crlLocation.isEmpty()) {
>             continue;
>         }
>         InputStream is = loadInputStream(loader, crlLocation);
>
>         try {
>             CertificateFactory cf = getCertificateFactory();
>             X509CRL crl = (X509CRL)cf.generateCRL(is);
>             crls.add(crl);
>         } catch (Exception e) {
>             if (DO_DEBUG) {
>                 LOG.debug(e.getMessage(), e);
>             }
>             throw new WSSecurityException(
>                 WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>         } finally {
>             if (is != null) {
>                 is.close();
>             }
>         }
>     }
>     // every loaded CRL goes into one Collection CertStore, which PKIX consults
>     // for each certificate in the chain below the trust anchor
>     try {
>         if (provider == null || provider.length() == 0) {
>             crlCertStore = CertStore.getInstance(
>                 "Collection", new CollectionCertStoreParameters(crls));
>         } else {
>             crlCertStore = CertStore.getInstance(
>                 "Collection", new CollectionCertStoreParameters(crls), provider);
>         }
>     } catch (Exception e) {
>         if (DO_DEBUG) {
>             LOG.debug(e.getMessage(), e);
>         }
>         throw new WSSecurityException(
>             WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>     }
>     if (DO_DEBUG) {
>         LOG.debug("The CRL(s) " + crlLocations + " have been loaded");
>     }
> }
> Best Regards,
> Claude
>
> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
>> Hi,
>> I got the following PKI chain: Root CA > Intermediate CA > Client signing
>> certificate.
>> As suggested by Colm, I have set in my truststore my Intermediate CA and
>> my Root CA.
>> However, by doing this, CRL verification doesn't work. In fact, it seems
>> to validate my Intermediate CA against the Root CA CRL while I'm only
>> interested in verifying the client certificate.
>> I'm not sure how revocation validation works, but it seems to validate the CRL
>> for every certificate (except the Root).
>> However, I don't know how to specify multiple CRLs in WSS4J, or if it is
>> possible to merge 2 CRL files into a common one?
>> I have provided 2 logs. The first one is with the Intermediate CA CRL. We
>> can see that validation of the Intermediate CA against the Root CRL failed
>> since it's not provided.
>> The second one is with the Root CA CRL. Intermediate CA validation
>> succeeds but the signing certificate then fails...
>>
>> Best Regards,
>> Claude
>>
>
>
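Editor's added example (not code from this thread and not WSS4J/Merlin code): a stand-alone JDK-only program that does what the quoted patch does, parsing a comma-separated list of CRL locations into one Collection CertStore, and then runs JDK PKIX validation with revocation enabled over a Root > Intermediate > leaf chain. It shows why the thread's observation holds: PKIX checks revocation for every certificate in the path below the trust anchor, so the store must hold the Root CA's CRL (which covers the intermediate) as well as the Intermediate CA's CRL (which covers the leaf). The class name, the command-line arguments (a JKS truststore and its password, the CRL list, and a PEM file holding the leaf certificate followed by the intermediate) are assumptions made for this example; no certificates or CRLs are embedded, so you run it against your own PKI files.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not WSS4J code: load several CRLs from a comma-separated list
 * into one Collection CertStore and validate a chain with JDK PKIX, revocation on.
 */
public class MultiCrlPathValidation {

    /** Split "root.crl, intermediate.crl" into entries, trimming after the split and skipping blanks. */
    static List<String> splitCrlLocations(String csv) {
        List<String> out = new ArrayList<>();
        if (csv == null) {
            return out;
        }
        for (String part : csv.split(",")) {
            String location = part.trim();
            if (!location.isEmpty()) {
                out.add(location);
            }
        }
        return out;
    }

    /** Parse every CRL in each file (DER, or PEM holding one or more CRLs) into a single CertStore. */
    static CertStore loadCrlStore(List<String> locations) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (String location : locations) {
            try (InputStream is = new FileInputStream(location)) {
                // generateCRLs (plural) returns all CRLs in the stream, so a single PEM file
                // that concatenates the Root and Intermediate CRLs also works here.
                for (CRL crl : cf.generateCRLs(is)) {
                    crls.add((X509CRL) crl);
                }
            }
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
    }

    /**
     * Validate a leaf-first path (leaf, intermediate). The trust anchor is taken from the
     * truststore and is never revocation-checked; every certificate in the path is, so the
     * CertStore must contain a CRL signed by each issuing CA below the anchor.
     */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> leafFirstChain,
                                                KeyStore trustStore,
                                                CertStore crlStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(leafFirstChain);
        PKIXParameters params = new PKIXParameters(trustStore); // all trusted entries become anchors
        params.setRevocationEnabled(true);
        params.addCertStore(crlStore);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Usage (assumed layout): java MultiCrlPathValidation truststore.jks changeit "root.crl,intermediate.crl" chain.pem */
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream is = new FileInputStream(args[0])) {
            trustStore.load(is, args[1].toCharArray());
        }
        CertStore crlStore = loadCrlStore(splitCrlLocations(args[2]));

        // chain.pem is assumed to hold the leaf first, then the intermediate (no root needed)
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream is = new FileInputStream(args[3])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(is)) {
                chain.add((X509Certificate) c);
            }
        }
        PKIXCertPathValidatorResult result = validate(chain, trustStore, crlStore);
        System.out.println("Chain valid; anchored at "
            + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        // A revoked certificate, or one whose issuer has no CRL in the store, surfaces as a
        // CertPathValidatorException whose getReason() is BasicReason.REVOKED or
        // BasicReason.UNDETERMINED_REVOCATION_STATUS respectively.
    }
}
```

Two things worth checking when reproducing the thread's two log runs with this program: supplying only the intermediate's CRL makes validation fail on the intermediate (no CRL from the Root), and supplying only the Root's CRL makes it fail on the leaf, which is exactly the pair of failures described above. Also note that the JDK validator picks, as trust anchor, the truststore entry that issued the last certificate of the supplied path; with both CAs in the truststore, a path of just the leaf is anchored at the Intermediate CA and only the leaf is revocation-checked, whereas the leaf-plus-intermediate path used here is anchored at the Root and needs both CRLs.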
