Subject: Re: Using a custom CertPathChecker
From: Colm O hEigeartaigh
To: Stephen Chappell
Cc: users@cxf.apache.org
Date: Tue, 7 Apr 2015 12:59:07 +0100
"getX509Certificates" calls "getCertificates" which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?

Colm.

On Fri, Apr 3, 2015 at 3:34 PM, wrote:

> Colm -
>
> While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?
>
> There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Friday, April 03, 2015 9:56 AM
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: RE: Using a custom CertPathChecker
>
> Colm -
>
> No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.
>
> Thanx,
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, April 03, 2015 9:47 AM
> To: users@cxf.apache.org
> Subject: Re: Using a custom CertPathChecker
>
> Hi Stephen,
>
> There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?
>
> Colm.
>
> On Tue, Mar 24, 2015 at 8:11 PM, wrote:
>
> > I have a requirement to use a custom CertPathChecker in my code. With "bare" JVM, I can add the checker to my PKIXParameters and validate away. But, using Merlin (in WSS4J 1.6.17), there don't appear to be any hooks to add a custom checker or customize the PKIXParameters that are being used.
> > Is there some other means for adding a custom checker to the list that isn't so obvious? I could subclass Merlin and sort of brute force it in if necessary, but if there's another way to set that up I would much rather do that.
> >
> > Stephen W. Chappell
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
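The thread discusses two things: the "bare JVM" route of adding a custom CertPathChecker to PKIXParameters, and the loop Stephen added so that every intermediate (not only the immediate issuer) ends up in the cert path before revocation checking. The following is an added example, not code from WSS4J, CXF, Merlin or either poster, that shows both pieces in plain JCA. The class and method names, the signature-algorithm deny-list policy used by the hypothetical checker, and the assumption that the truststore holds intermediates alongside self-signed roots (with only the self-signed entries treated as trust anchors) are mine.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Illustrative helper; not WSS4J/Merlin code. */
public final class FullChainPkixValidation {

    private static final int MAX_PATH_DEPTH = 10; // guard against cross-cert loops in the truststore

    /** Hypothetical custom checker: refuses any cert in the path signed with a deny-listed algorithm.
     *  Non-forward mode, so PKIX calls check() once per cert from the one nearest the anchor to the leaf. */
    static final class SignatureAlgorithmChecker extends PKIXCertPathChecker {
        private final Set<String> denied;

        SignatureAlgorithmChecker(Collection<String> denied) { this.denied = new HashSet<>(denied); }

        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; } // consumes no extensions

        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x509 = (X509Certificate) cert;
            if (denied.contains(x509.getSigAlgName())) {
                throw new CertPathValidatorException("deny-listed signature algorithm "
                        + x509.getSigAlgName() + " on " + x509.getSubjectX500Principal());
            }
        }
    }

    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    /** Assumption: only self-signed truststore entries are anchors; intermediates must be validated. */
    static Set<TrustAnchor> selfSignedAnchors(KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate && isSelfSigned((X509Certificate) c)) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /** Locate the truststore cert that actually signed 'cert': issuer-name match plus signature check,
     *  so two entries sharing a DN cannot be confused. */
    static X509Certificate findIssuer(X509Certificate cert, KeyStore trustStore) throws Exception {
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate candidate = (X509Certificate) c;
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(candidate.getPublicKey()); return candidate; } catch (Exception ignored) { }
        }
        return null;
    }

    /** The "loop" from the thread: leaf plus every intermediate, stopping before the trust anchor
     *  (PKIX expects anchors in the parameters, not in the CertPath). */
    static List<X509Certificate> buildChain(X509Certificate leaf, KeyStore trustStore,
                                            Set<TrustAnchor> anchors) throws Exception {
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (TrustAnchor a : anchors) anchorCerts.add(a.getTrustedCert());
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        while (chain.size() < MAX_PATH_DEPTH) {
            X509Certificate issuer = findIssuer(current, trustStore);
            if (issuer == null || anchorCerts.contains(issuer) || issuer.equals(current)) break;
            chain.add(issuer);
            current = issuer;
        }
        return chain; // a missing link is left for PKIX validation to report
    }

    /** Validate the whole path with revocation and the custom checker applied to every cert. */
    static PKIXCertPathValidatorResult validate(X509Certificate leaf, KeyStore trustStore,
                                                boolean revocation) throws Exception {
        Set<TrustAnchor> anchors = selfSignedAnchors(trustStore);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(buildChain(leaf, trustStore, anchors));
        PKIXParameters params = new PKIXParameters(anchors);
        // With revocation on, CRLs must be reachable via params.addCertStore(...) or OCSP enabled
        // (Security property "ocsp.enable"); otherwise validation fails closed with an exception.
        params.setRevocationEnabled(revocation);
        params.addCertPathChecker(new SignatureAlgorithmChecker(Arrays.asList("MD5withRSA", "SHA1withRSA")));
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

A Merlin subclass that overrides verifyTrust, the route Colm describes, would hand the certificates it receives to something like validate() above; the exact override signature differs between WSS4J versions and is not shown here. Note that because the trust anchor is kept out of the CertPath, the root itself is never revocation-checked by this code, which is the separate point of disagreement Stephen mentions.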