ws-users mailing list archives

From Claude Libois <clibois.w...@gmail.com>
Subject Re: How to use multiple CRL with WSS4J ?
Date Fri, 30 Sep 2016 14:04:45 GMT
Found that it was not possible with Merlin because it only allows defining a
single CRL file.
I have done a quick change that enables a comma-separated list of CRLs.
Here is the change. Can someone review it and, if it's OK, add it to the
official source code?
        //
        // Load the CRL file(s): a comma-separated list of locations
        //
        String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
        if (crlLocations != null) {
            crlLocations = crlLocations.trim();
            String[] splittedCrlsLocation = crlLocations.split(",");
            List<X509CRL> crls = new ArrayList<>();
            for (int i = 0; i < splittedCrlsLocation.length; i++) {
                // trim each entry so "a.crl, b.crl" works as well as "a.crl,b.crl"
                String crlLocation = splittedCrlsLocation[i].trim();
                InputStream is = loadInputStream(loader, crlLocation);

                try {
                    CertificateFactory cf = getCertificateFactory();
                    X509CRL crl = (X509CRL)cf.generateCRL(is);
                    crls.add(crl);
                } catch (Exception e) {
                    if (DO_DEBUG) {
                        LOG.debug(e.getMessage(), e);
                    }
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
                } finally {
                    if (is != null) {
                        is.close();
                    }
                }
            }
            try {
                // One Collection CertStore holding every loaded CRL
                if (provider == null || provider.length() == 0) {
                    crlCertStore =
                        CertStore.getInstance(
                            "Collection",
                            new CollectionCertStoreParameters(crls)
                        );
                } else {
                    crlCertStore =
                        CertStore.getInstance(
                            "Collection",
                            new CollectionCertStoreParameters(crls),
                            provider
                        );
                }
            } catch (Exception e) {
                if (DO_DEBUG) {
                    LOG.debug(e.getMessage(), e);
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
            }
            if (DO_DEBUG) {
                LOG.debug("The CRL(s) " + crlLocations + " have been loaded");
            }
        }
Best Regards,
Claude
2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.work@gmail.com>:

> Hi,
> I have the following PKI chain: Root CA > Intermediate CA > Client signing
> certificate.
> As suggested by Colm, I have set in my truststore my Intermediate CA and my
> Root CA.
> However, by doing this, CRL verification doesn't work. In fact, it seems
> to validate my Intermediate CA against the Root CA CRL while I'm only
> interested in verifying the client certificate.
> I'm not sure how revocation validation works, but it seems to validate CRLs
> for every certificate (except the Root).
> However, I don't know how to specify multiple CRLs in WSS4J, or if it's
> possible to merge 2 CRL files into a common one?
> I have provided 2 logs. The first one is with the Intermediate CA CRL. We can
> see that validation of the Intermediate CA against the Root CRL fails since
> it's not provided.
> The second one is with the Root CA CRL. Intermediate CA validation succeeds,
> but the signing certificate then fails...
>
> Best Regards,
> Claude
>
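To make the rule Claude runs into concrete, here is an added example, not code from WSS4J or from anyone in this thread: a self-contained Go program (standard library only, Go 1.19 or later) that builds a Root CA > Intermediate CA > client chain and one CRL per issuer in memory, then checks revocation the way PKIX path validation does, where every certificate below the trust anchor needs a CRL signed by its own issuer. The names (testPKI, issue, issueCRL, buildPKI, validateClient) and all generated certificates and CRLs are this example's own constructs; nothing in it is real key material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key and a certificate for it signed by parent (self-signed when
// parent is nil). CA certificates get the certSign and cRLSign key usages.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL signs a CRL in the name of issuer that lists the given serials as revoked.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, issuer, key))))
}

// testPKI is a constructed Root CA > Intermediate CA > client chain plus the CRL each
// issuer publishes; it is generated in memory for this example and nothing in it is real.
type testPKI struct {
	root, inter, client *x509.Certificate
	rootCRL, interCRL   *x509.RevocationList // signed by the root / by the intermediate
}

func buildPKI(revokeClient bool) testPKI {
	root, rootKey := issue("Root CA", 1, true, nil, nil)
	inter, interKey := issue("Intermediate CA", 2, true, root, rootKey)
	client, _ := issue("client", 3, false, inter, interKey)
	p := testPKI{root: root, inter: inter, client: client, rootCRL: issueCRL(root, rootKey)}
	if revokeClient {
		p.interCRL = issueCRL(inter, interKey, 3) // serial 3 is the client certificate
	} else {
		p.interCRL = issueCRL(inter, interKey)
	}
	return p
}

// validateClient builds the path client -> intermediate -> root and then applies the
// PKIX rule the thread runs into: every certificate except the trust anchor is checked
// against a CRL signed by its own issuer. A missing or expired issuer CRL leaves the
// status undetermined, which is a failure, not a pass.
func validateClient(p testPKI, crls ...*x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.inter)
	chains, err := p.client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	chain := chains[0] // leaf first, trust anchor last
	for i := 0; i < len(chain)-1; i++ {
		cert, issuer := chain[i], chain[i+1]
		var crl *x509.RevocationList
		for _, c := range crls {
			if c.Issuer.String() == issuer.Subject.String() && c.CheckSignatureFrom(issuer) == nil {
				crl = c
				break
			}
		}
		if crl == nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("no current CRL from %q: status of %q undetermined", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %v) is revoked", cert.Subject.CommonName, cert.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	p := buildPKI(false)
	fmt.Println("root CRL only:", validateClient(p, p.rootCRL)) // the thread's second log
	fmt.Println("both CRLs:    ", validateClient(p, p.rootCRL, p.interCRL))
	r := buildPKI(true)
	fmt.Println("revoked:      ", validateClient(r, r.rootCRL, r.interCRL))
}
```

Run it and the "root CRL only" case fails with the client's status undetermined (the thread's second log; passing only the intermediate's CRL reproduces the first), loading both CRLs passes, and the check fails again once the intermediate's CRL lists the client's serial. That is why the Merlin change above loads every CRL into one Collection CertStore: the JDK's PKIX validator looks up a CRL by the issuer of the certificate it is checking, so a single file can only ever cover one issuer's certificates.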
