cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <>
Subject Re: Using a custom CertPathChecker
Date Tue, 07 Apr 2015 11:59:07 GMT
"getX509Certificates" calls "getCertificates" which (first) calls
"getCertificateChain" on the keystore. Your intermediate CA should have the
issuing CA certs stored as part of the entry in the keystore/truststore. Is
this not the case? Can you debug into getCertificates() and find out why it
is only returning a single cert?


On Fri, Apr 3, 2015 at 3:34 PM, <> wrote:

> Colm -
> While I was mucking around in Merlin, I noted that in the "second step"
> section of verifyTrust, only the immediate issuer of the cert to be checked
> is added to the cert path (at least in my case, when getX509Certificates
> only returns a single cert rather than a cert chain). I have a requirement
> to validate all the certs in the cert path, which in my case has an
> additional intermediate before getting to the trust anchor. I'm able to
> loop there and get everything into the cert path, which seems to get
> everything revocation checked so that is good. But I was curious why only
> the immediate issuer was added to begin with - is there some issue I should
> be considering that I'm not?
> There's also an open question (or rather, open disagreement) about
> revocation checking the Root CA cert, but this list is probably not the
> right place for that discussion.
> Stephen W. Chappell
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Friday, April 03, 2015 9:56 AM
> To:;
> Subject: RE: Using a custom CertPathChecker
> Colm -
> No, I don't have any better suggestions. In fact, subclassing Merlin and
> adding a method to configure additional PKIX parameters is exactly what I
> did.
> Thanx,
> Stephen W. Chappell
> -----Original Message-----
> From: Colm O hEigeartaigh []
> Sent: Friday, April 03, 2015 9:47 AM
> To:
> Subject: Re: Using a custom CertPathChecker
> Hi Stephen,
> There is no way to add CertPathCheckers at the moment, beyond subclassing
> Merlin and overriding the "verifyTrust" method. I could add a method to
> customize the PKIXParameters object though, that could be overridden by a
> subclass though which would be better. Or do you have any other suggestions?
> Colm.
> On Tue, Mar 24, 2015 at 8:11 PM, <> wrote:
> > I have a requirement to use a custom CertPathChecker in my code. With
> > "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> > But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> > hooks to add a custom checker or customize the PKIXParameters that are
> being used.
> > Is there some other means for adding a custom checker to the list that
> > isn't so obvious? I could subclass Merlin and sort of brute force it
> > in if necessary, but if there's another way to set that up I would
> > much rather do that.
> >
> > Stephen W. Chappell
> >
> --
> Colm O hEigeartaigh
> Talend Community Coder

Colm O hEigeartaigh

Talend Community Coder

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message