cxf-users mailing list archives

From Vishnu Radhakrishnan <vis...@10point1.com>
Subject Re: Using a custom CertPathChecker
Date Tue, 07 Apr 2015 17:45:35 GMT
As far as I know you can’t do private keys with PKCS7 format. Try the
PKCS12 format.


Vishnu

On 2015-04-07, 13:35, "Stephen.CTR.Chappell@faa.gov"
<Stephen.CTR.Chappell@faa.gov> wrote:

>So here is where I am at ...
>
>* If I cat the certificate pem files together, only one cert ever gets
>imported no matter the order of cat'ing. Removing the ----- BEGIN and
>---- END tags doesn't help at all
>* If I use openssl crl2pkcs7 to create a pkcs7 file containing all the
>certs, keytool won't import it (java.lang.Exception: Input not an X.509
>certificate)
>* pkcs12 is not an option because there is no private keys - this is a
>trust store only
>
>I'm about out of ideas for this, and from what I can see JKS files only
>really want to have certificate chains when there is a private key
>involved. I subclassed Merlin to build a trust chain, as I described in
>the original email, so I guess I will stick with that solution.
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Chappell, Stephen CTR (FAA)
>Sent: Tuesday, April 07, 2015 12:22 PM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: RE: Using a custom CertPathChecker
>
>I thought I needed PKCS7, not PKCS12?
>
>Stephen W. Chappell
>-----Original Message-----
>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>Sent: Tuesday, April 07, 2015 11:01 AM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: Re: Using a custom CertPathChecker
>
>Run keytool -list -storetype PKCS12 -file filename.pkcs12 -v and see how many
>certificates are listed before you import the keystore into JKS format.
>Also check the alias on the certs: if they are the same they won't be
>imported, since by default mykey is assigned as the alias.
>
>Vishnu
>
>
>On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov"
><Stephen.CTR.Chappell@faa.gov> wrote:
>
>>Thanx, Vishnu. I saw that, and spent most of the morning trying to
>>build a cert chain that way. I started with PEM certs, cat'd them
>>together in the correct order, converted them to PKCS7 with openssl
>>crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool
>>only imported one cert, not the whole chain. Maybe this is a Java issue
>>(I'm using Java 6), but the man page says it should work. It also says
>>that if you import a cert with a private key, that it'll build a cert
>>chain ... when I tried that with a server cert I had, it built a cert
>>chain of length 1 instead of 3. That's when I posted the question.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>>Sent: Tuesday, April 07, 2015 10:28 AM
>>To: users@cxf.apache.org; coheigea@apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>From the keytool man - it imports certificate chain, if input is given
>>in
>>PKCS#7 format, otherwise only the single certificate is imported. You
>>should be able to convert certificates to PKCS#7 format with openssl,
>>via openssl crl2pkcs7 command.
>>
>>
>>On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov"
>><Stephen.CTR.Chappell@faa.gov> wrote:
>>
>>>Colm -
>>>
>>>This seems like it should be easier than it is, but can you point me
>>>to a resource for properly building a truststore with a certificate
>>>chain?
>>>I have separate keystores and trust stores for the STS, and the
>>>truststore should have a chain something like:
>>>
>>>Root CA >>> Intermediate CA >>> Issuing CA
>>>
>>>I had thought that if I added them with keytool in the right order,
>>>that keytool would establish a cert chain. Instead it just adds them
>>>as individual certificates with no cert chain to be found.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Tuesday, April 07, 2015 8:21 AM
>>>To: coheigea@apache.org
>>>Cc: users@cxf.apache.org
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Well, that must be the issue. I just ran it through the debugger, and
>>>getCertificateChain is returning null each time. I've added code in my
>>>subclassed Merlin to be able to walk up the tree, but it'd be more
>>>efficient if the truststore was built properly so I'll try to figure
>>>that out.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>Sent: Tuesday, April 07, 2015 8:12 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Ok cool. Just bear in mind that WSS4J won't wire up the trust chain
>>>using individual certs stored in the truststore, the intermediate cert
>>>must have the issuing cert stored as part of the certificate chain
>>>entry.
>>>Colm.
>>>
>>>On Tue, Apr 7, 2015 at 1:02 PM,
>>><Stephen.CTR.Chappell@faa.gov<mailto:Stephen.CTR.Chappell@faa.gov>>
>>>wrote:
>>>Colm -
>>>
>>>That is the case, at least I thought it was. The truststore has certs
>>>for the issuer, intermediate, and root CA, plus a few other
>>>miscellaneous certs. I'll run it through the debugger later this
>>>morning and see what turns up.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh
>>>[mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
>>>Sent: Tuesday, April 07, 2015 7:59 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org<mailto:users@cxf.apache.org>
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>"getX509Certificates" calls "getCertificates" which (first) calls
>>>"getCertificateChain" on the keystore. Your intermediate CA should
>>>have the issuing CA certs stored as part of the entry in the
>>>keystore/truststore. Is this not the case? Can you debug into
>>>getCertificates() and find out why it is only returning a single cert?
>>>Colm.
>>>
>>>On Fri, Apr 3, 2015 at 3:34 PM,
>>><Stephen.CTR.Chappell@faa.gov<mailto:Stephen.CTR.Chappell@faa.gov>>
>>>wrote:
>>>Colm -
>>>
>>>While I was mucking around in Merlin, I noted that in the "second step"
>>>section of verifyTrust, only the immediate issuer of the cert to be
>>>checked is added to the cert path (at least in my case, when
>>>getX509Certificates only returns a single cert rather than a cert
>>>chain).
>>>I have a requirement to validate all the certs in the cert path, which
>>>in my case has an additional intermediate before getting to the trust
>>>anchor. I'm able to loop there and get everything into the cert path,
>>>which seems to get everything revocation checked so that is good. But
>>>I was curious why only the immediate issuer was added to begin with -
>>>is there some issue I should be considering that I'm not?
>>>
>>>There's also an open question (or rather, open disagreement) about
>>>revocation checking the Root CA cert, but this list is probably not
>>>the right place for that discussion.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Friday, April 03, 2015 9:56 AM
>>>To: users@cxf.apache.org<mailto:users@cxf.apache.org>;
>>>coheigea@apache.org<mailto:coheigea@apache.org>
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Colm -
>>>
>>>No, I don't have any better suggestions. In fact, subclassing Merlin
>>>and adding a method to configure additional PKIX parameters is exactly
>>>what I did.
>>>
>>>Thanx,
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Colm O hEigeartaigh
>>>[mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
>>>Sent: Friday, April 03, 2015 9:47 AM
>>>To: users@cxf.apache.org<mailto:users@cxf.apache.org>
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Hi Stephen,
>>>
>>>There is no way to add CertPathCheckers at the moment, beyond
>>>subclassing Merlin and overriding the "verifyTrust" method. I could
>>>add a method to customize the PKIXParameters object though, that could
>>>be overridden by a subclass though which would be better. Or do you
>>>have any other suggestions?
>>>
>>>Colm.
>>>
>>>On Tue, Mar 24, 2015 at 8:11 PM,
>>><Stephen.CTR.Chappell@faa.gov<mailto:Stephen.CTR.Chappell@faa.gov>>
>>>wrote:
>>>
>>>> I have a requirement to use a custom CertPathChecker in my code.
>>>> With "bare" JVM, I can add the checker to my PKIXParameters and
>>>> validate away.
>>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
>>>> hooks to add a custom checker or customize the PKIXParameters that
>>>> are being used.
>>>> Is there some other means for adding a custom checker to the list
>>>> that isn't so obvious? I could subclass Merlin and sort of brute
>>>> force it in if necessary, but if there's another way to set that up
>>>> I would much rather do that.
>>>>
>>>> Stephen W. Chappell
>>>>
>>>
>>>
>>>
>>>--
>>>Colm O hEigeartaigh
>>>
>>>Talend Community Coder
>>>http://coders.talend.com
>>>
>>
>>
>
>



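The thread above turns on two points: plugging a custom CertPathChecker into PKIXParameters (which Stephen says works on a "bare" JVM), and getting every intermediate into the certification path when the truststore only holds individual CA certificates with no chain entries. The following is an added example written for this archive page; it is not code from the thread, from WSS4J or from Merlin. It assumes a JKS truststore holding the root, intermediate and issuing CA certs as separate trusted entries, an end-entity certificate in PEM form, and hypothetical class and method names (ChainValidator, WeakSignatureChecker, buildPath, findIssuer, validate). It walks issuers by subject name and signature verification, treats only self-signed certificates as trust anchors so that every intermediate is validated (and, if revocation is enabled, revocation-checked), and registers a custom checker that rejects MD5 or SHA-1 signatures in the path. The syntax is Java 6 compatible.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper (not part of WSS4J): builds a full path from individual trust-store certs. */
public class ChainValidator {

    /** Custom PKIX checker: refuse any certificate in the path that was signed with MD5 or SHA-1. */
    static class WeakSignatureChecker extends PKIXCertPathChecker {
        public void init(boolean forward) throws CertPathValidatorException {
            if (forward) {
                throw new CertPathValidatorException("forward checking not supported");
            }
        }
        public boolean isForwardCheckingSupported() { return false; }
        public Set<String> getSupportedExtensions() { return null; }
        public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            // The PKIX validator calls this for every path cert but never for the trust anchor itself.
            String alg = ((X509Certificate) cert).getSigAlgName().toUpperCase();
            if (alg.startsWith("MD5") || alg.startsWith("SHA1")) {
                throw new CertPathValidatorException("weak signature algorithm: " + alg);
            }
        }
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /** Find a trust-store cert that names the issuer AND whose key actually verifies the signature. */
    static X509Certificate findIssuer(X509Certificate cert, KeyStore ts) throws GeneralSecurityException {
        X500Principal issuer = cert.getIssuerX500Principal();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            Certificate c = ts.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cand = (X509Certificate) c;
            if (!cand.getSubjectX500Principal().equals(issuer)) continue;
            try {
                cert.verify(cand.getPublicKey());
                return cand;
            } catch (GeneralSecurityException wrongKey) {
                // same subject name but a different key (e.g. a re-keyed CA): keep looking
            }
        }
        return null;
    }

    /** Build leaf -> ... -> root from individual trust-store entries; PKIX wants the target first. */
    static List<X509Certificate> buildPath(X509Certificate leaf, KeyStore ts) throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        Set<X500Principal> seen = new HashSet<X500Principal>();   // loop guard for cross-signed CAs
        X509Certificate current = leaf;
        while (current != null && seen.add(current.getSubjectX500Principal())) {
            path.add(current);
            if (isSelfSigned(current)) break;
            current = findIssuer(current, ts);
        }
        return path;
    }

    static PKIXCertPathValidatorResult validate(X509Certificate leaf, KeyStore ts, boolean revocation)
            throws GeneralSecurityException {
        // Only self-signed roots become anchors, so every intermediate stays in the path and gets checked.
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            Certificate c = ts.getCertificate(e.nextElement());
            if (c instanceof X509Certificate && isSelfSigned((X509Certificate) c)) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        List<X509Certificate> path = buildPath(leaf, ts);
        // The anchor is supplied through PKIXParameters, so drop the root from the end of the path.
        if (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        // Revocation checking needs CRL/OCSP sources, e.g. -Dcom.sun.security.enableCRLDP=true.
        params.setRevocationEnabled(revocation);
        params.addCertPathChecker(new WeakSignatureChecker());
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = JKS truststore path, args[1] = its password, args[2] = end-entity PEM cert.
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream(args[0]), args[1].toCharArray());
        X509Certificate leaf = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[2]));
        PKIXCertPathValidatorResult r = validate(leaf, ts, false);
        System.out.println("Validated up to anchor: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

The design choice worth noting is which entries count as anchors. If the issuing CA is itself an anchor, as it is when all three CA certs are plain trusted entries and all are handed to PKIXParameters, the validator stops at the leaf's immediate issuer, which is the behaviour described for Merlin's verifyTrust in the thread. Restricting anchors to self-signed certificates and supplying the intermediates only as path material is what forces the whole chain through the checkers.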