ws-users mailing list archives

From Claude Libois <clibois.w...@gmail.com>
Subject Re: How to use multiple CRL with WSS4J ?
Date Fri, 30 Sep 2016 14:23:32 GMT
Ok, found your GitHub. Will do a pull request.

2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.work@gmail.com>:

> New version with the trim() correctly done after the split not before...
>
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
>> Found that it was not possible with Merlin because it only allows defining
>> a single CRL file.
>> I have done a quick change that enables a comma-separated list of CRLs.
>> Here is the change. Can someone review it and, if it's ok, add it to the
>> official source code?
>>         //
>>         // Load the CRL file(s): a comma-separated list of locations
>>         //
>>         String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
>>         if (crlLocations != null) {
>>             String[] splittedCrlsLocation = crlLocations.split(",");
>>             List<X509CRL> crls = new ArrayList<>();
>>             for (int i = 0; i < splittedCrlsLocation.length; i++) {
>>                 // trim each entry after the split, so " b.crl" is not
>>                 // looked up with a leading space
>>                 String crlLocation = splittedCrlsLocation[i].trim();
>>                 InputStream is = loadInputStream(loader, crlLocation);
>>
>>                 try {
>>                     CertificateFactory cf = getCertificateFactory();
>>                     X509CRL crl = (X509CRL) cf.generateCRL(is);
>>                     crls.add(crl);
>>                 } catch (Exception e) {
>>                     if (DO_DEBUG) {
>>                         LOG.debug(e.getMessage(), e);
>>                     }
>>                     throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>                 } finally {
>>                     if (is != null) {
>>                         is.close();
>>                     }
>>                 }
>>             }
>>             // all loaded CRLs go into a single Collection CertStore; PKIX
>>             // revocation checking selects the CRL whose issuer matches
>>             try {
>>                 if (provider == null || provider.length() == 0) {
>>                     crlCertStore =
>>                             CertStore.getInstance(
>>                                     "Collection",
>>                                     new CollectionCertStoreParameters(crls)
>>                             );
>>                 } else {
>>                     crlCertStore =
>>                             CertStore.getInstance(
>>                                     "Collection",
>>                                     new CollectionCertStoreParameters(crls),
>>                                     provider
>>                             );
>>                 }
>>             } catch (Exception e) {
>>                 if (DO_DEBUG) {
>>                     LOG.debug(e.getMessage(), e);
>>                 }
>>                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>>             }
>>             if (DO_DEBUG) {
>>                 LOG.debug(
>>                         "The CRL " + crlLocations + " has been loaded"
>>                 );
>>             }
>> Best Regards,
>> Claude
>>
>> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>>
>>> Hi,
>>> I have the following PKI chain: Root CA > Intermediate CA > Client signing
>>> certificate.
>>> As suggested by Colm, I have set in my truststore my Intermediate CA and
>>> my Root CA.
>>> However, by doing this, CRL verification doesn't work. In fact, it seems
>>> to validate my Intermediate CA against the Root CA CRL while I'm only
>>> interested in verifying the client certificate.
>>> I'm not sure how revocation validation works, but it seems to validate
>>> the CRL for every certificate (except the Root).
>>> However, I don't know how to specify multiple CRLs in WSS4J, or if it is
>>> possible to merge 2 CRL files into a common one?
>>> I have provided 2 logs. The first one is with the Intermediate CA CRL. We
>>> can see that validation of the Intermediate CA against the Root CRL failed
>>> since it's not provided.
>>> The second one is with the Root CA CRL. Intermediate CA validation
>>> succeeds, but the signing certificate then fails...
>>>
>>> Best Regards,
>>> Claude
>>>
>>
>>
>
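The behaviour discussed in this thread, both the original question (why PKIX revocation checking fails when only the Intermediate CA CRL or only the Root CA CRL is available) and the proposed Merlin change (several CRLs loaded into one Collection CertStore from a comma-separated list), can be reproduced in plain JDK code. The following is an added, self-contained example written for this archive page; it is not WSS4J or Merlin code. It assumes BouncyCastle bcpkix is on the classpath purely to generate a throwaway three-certificate chain and its CRLs (the JDK has no public API for that); the class name `MultiCrlRevocationDemo`, the helper names `splitCrlLocations`, `validate`, `cert` and `crl`, and the "Demo ..." distinguished names are all constructed for the example. The validation itself uses only `java.security.cert`, which is what Merlin delegates to.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example for this mailing-list page; not WSS4J/Merlin code. BouncyCastle is
// assumed only for generating the demo chain; validation is plain java.security.cert.
public class MultiCrlRevocationDemo {

    // Split a comma-separated CRL location list, trimming each entry after the split
    // (trimming only the whole string leaves " b.crl" with a leading space).
    static List<String> splitCrlLocations(String crlLocations) {
        List<String> out = new ArrayList<>();
        if (crlLocations == null) return out;
        for (String loc : crlLocations.split(",")) {
            String trimmed = loc.trim();
            if (!trimmed.isEmpty()) out.add(trimmed);
        }
        return out;
    }

    // Validate client -> intermediate against the root with revocation checking on.
    // Every CRL goes into one Collection CertStore; PKIX picks the one whose issuer matches
    // the certificate being checked, so each non-root issuer needs its own CRL present.
    static boolean validate(X509Certificate client, X509Certificate intermediate,
                            X509Certificate root, List<X509CRL> crls) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(client, intermediate));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    static KeyPair keyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Minimal certificate: one day validity, critical basicConstraints, SHA256withRSA.
    static X509Certificate cert(String subject, PublicKey pub, String issuer,
                                PrivateKey issuerKey, boolean ca, long serial) throws Exception {
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(issuer),
                BigInteger.valueOf(serial), now, new Date(now.getTime() + 86_400_000L),
                new X500Name(subject), pub);
        b.addExtension(org.bouncycastle.asn1.x509.Extension.basicConstraints, true, new BasicConstraints(ca));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    // CRL signed by the given issuer, listing the given serials as revoked.
    static X509CRL crl(String issuer, PrivateKey issuerKey, long... revokedSerials) throws Exception {
        Date now = new Date();
        X509v2CRLBuilder b = new X509v2CRLBuilder(new X500Name(issuer), now);
        b.setNextUpdate(new Date(now.getTime() + 86_400_000L));
        for (long s : revokedSerials) {
            b.addCRLEntry(BigInteger.valueOf(s), now, org.bouncycastle.asn1.x509.CRLReason.keyCompromise);
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CRLConverter().getCRL(b.build(signer));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo chain: Root CA > Intermediate CA > client signing certificate
        String rootDn = "CN=Demo Root CA", interDn = "CN=Demo Intermediate CA", clientDn = "CN=demo client";
        KeyPair rootKp = keyPair(), interKp = keyPair(), clientKp = keyPair();
        X509Certificate root = cert(rootDn, rootKp.getPublic(), rootDn, rootKp.getPrivate(), true, 1);
        X509Certificate inter = cert(interDn, interKp.getPublic(), rootDn, rootKp.getPrivate(), true, 2);
        X509Certificate client = cert(clientDn, clientKp.getPublic(), interDn, interKp.getPrivate(), false, 3);
        X509CRL rootCrl = crl(rootDn, rootKp.getPrivate());    // Root's CRL covers the intermediate
        X509CRL interCrl = crl(interDn, interKp.getPrivate()); // Intermediate's CRL covers the client

        System.out.println("intermediate CRL only (intermediate cannot be checked):");
        System.out.println("  valid = " + validate(client, inter, root, Arrays.asList(interCrl)));
        System.out.println("root CRL only (client certificate cannot be checked):");
        System.out.println("  valid = " + validate(client, inter, root, Arrays.asList(rootCrl)));
        System.out.println("both CRLs in one Collection CertStore:");
        System.out.println("  valid = " + validate(client, inter, root, Arrays.asList(rootCrl, interCrl)));
        System.out.println("both CRLs, client serial 3 revoked by the intermediate:");
        X509CRL revoking = crl(interDn, interKp.getPrivate(), 3);
        System.out.println("  valid = " + validate(client, inter, root, Arrays.asList(rootCrl, revoking)));
        System.out.println("parsed locations: " + splitCrlLocations(" root.crl , intermediate.crl "));
    }
}
```

The first two runs fail with an undetermined revocation status, which is the symptom in the two logs from the thread: the JDK PKIX validator checks revocation for every certificate in the path except the trust anchor, and it can only do that for a certificate whose issuer's CRL is in a configured CertStore. Putting both CRLs into a single Collection CertStore, which is what the comma-separated `X509_CRL_FILE` change yields in Merlin, makes the path validate and still catches a revoked client certificate. Merging the two CRL files into one is not an alternative: a CRL is signed by a single issuer, so each issuing CA needs its own.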
