Subject: Re: Using a custom CertPathChecker
From: Vishnu Radhakrishnan
Reply-To: users@cxf.apache.org
Date: Tue, 07 Apr 2015 11:01:05 -0400

keytool -list -storetype PKCS12 -keystore filename.pkcs12 -v

See how many certificates are listed before you import the keystore into JKS format. Also check the alias on the certs: if they are the same they won't be imported; by default "mykey" is assigned as the alias.

Vishnu

On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov" wrote:

>Thanx, Vishnu. I saw that, and spent most of the morning trying to build
>a cert chain that way. I started with PEM certs, cat'd them together in
>the correct order, converted them to PKCS7 with openssl crl2pkcs7, and
>imported the pkcs7 with keytool. In every case, keytool only imported one
>cert, not the whole chain. Maybe this is a Java issue (I'm using Java 6),
>but the man page says it should work. It also says that if you import a
>cert with a private key, that it'll build a cert chain ... when I tried
>that with a server cert I had, it built a cert chain of length 1 instead
>of 3. That's when I posted the question.
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>Sent: Tuesday, April 07, 2015 10:28 AM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: Re: Using a custom CertPathChecker
>
>From the keytool man - it imports a certificate chain if the input is given in
>PKCS#7 format, otherwise only the single certificate is imported. You
>should be able to convert certificates to PKCS#7 format with openssl, via
>the openssl crl2pkcs7 command.
>
>
>On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov" wrote:
>
>>Colm -
>>
>>This seems like it should be easier than it is, but can you point me to
>>a resource for properly building a truststore with a certificate chain?
>>I have separate keystores and trust stores for the STS, and the
>>truststore should have a chain something like:
>>
>>Root CA
>>  > Intermediate CA
>>    > Issuing CA
>>
>>I had thought that if I added them with keytool in the right order,
>>that keytool would establish a cert chain. Instead it just adds them as
>>individual certificates with no cert chain to be found.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Chappell, Stephen CTR (FAA)
>>Sent: Tuesday, April 07, 2015 8:21 AM
>>To: coheigea@apache.org
>>Cc: users@cxf.apache.org
>>Subject: RE: Using a custom CertPathChecker
>>
>>Well, that must be the issue. I just ran it through the debugger, and
>>getCertificateChain is returning null each time. I've added code in my
>>subclassed Merlin to be able to walk up the tree, but it'd be more
>>efficient if the truststore was built properly so I'll try to figure
>>that out.
>>
>>Stephen W. Chappell
>>
>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>Sent: Tuesday, April 07, 2015 8:12 AM
>>To: Chappell, Stephen CTR (FAA)
>>Cc: users@cxf.apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>Ok cool. Just bear in mind that WSS4J won't wire up the trust chain
>>using individual certs stored in the truststore; the intermediate cert
>>must have the issuing cert stored as part of the certificate chain entry.
>>Colm.
>>
>>On Tue, Apr 7, 2015 at 1:02 PM, wrote:
>>
>>Colm -
>>
>>That is the case, at least I thought it was. The truststore has certs
>>for the issuer, intermediate, and root CA, plus a few other
>>miscellaneous certs. I'll run it through the debugger later this
>>morning and see what turns up.
>>
>>Stephen W. Chappell
>>
>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>Sent: Tuesday, April 07, 2015 7:59 AM
>>To: Chappell, Stephen CTR (FAA)
>>Cc: users@cxf.apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>"getX509Certificates" calls "getCertificates" which (first) calls
>>"getCertificateChain" on the keystore. Your intermediate CA should have
>>the issuing CA certs stored as part of the entry in the
>>keystore/truststore. Is this not the case? Can you debug into
>>getCertificates() and find out why it is only returning a single cert?
>>Colm.
>>
>>On Fri, Apr 3, 2015 at 3:34 PM, wrote:
>>
>>Colm -
>>
>>While I was mucking around in Merlin, I noted that in the "second step"
>>section of verifyTrust, only the immediate issuer of the cert to be
>>checked is added to the cert path (at least in my case, when
>>getX509Certificates only returns a single cert rather than a cert chain).
>>I have a requirement to validate all the certs in the cert path, which
>>in my case has an additional intermediate before getting to the trust
>>anchor. I'm able to loop there and get everything into the cert path,
>>which seems to get everything revocation checked so that is good. But I
>>was curious why only the immediate issuer was added to begin with - is
>>there some issue I should be considering that I'm not?
>>
>>There's also an open question (or rather, open disagreement) about
>>revocation checking the Root CA cert, but this list is probably not the
>>right place for that discussion.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Chappell, Stephen CTR (FAA)
>>Sent: Friday, April 03, 2015 9:56 AM
>>To: users@cxf.apache.org; coheigea@apache.org
>>Subject: RE: Using a custom CertPathChecker
>>
>>Colm -
>>
>>No, I don't have any better suggestions. In fact, subclassing Merlin
>>and adding a method to configure additional PKIX parameters is exactly
>>what I did.
>>
>>Thanx,
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>Sent: Friday, April 03, 2015 9:47 AM
>>To: users@cxf.apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>Hi Stephen,
>>
>>There is no way to add CertPathCheckers at the moment, beyond
>>subclassing Merlin and overriding the "verifyTrust" method. I could add
>>a method to customize the PKIXParameters object, though, that could be
>>overridden by a subclass, which would be better. Or do you have
>>any other suggestions?
>>
>>Colm.
>>
>>On Tue, Mar 24, 2015 at 8:11 PM, wrote:
>>
>>> I have a requirement to use a custom CertPathChecker in my code. With
>>>"bare" JVM, I can add the checker to my PKIXParameters and validate
>>>away.
>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
>>>hooks to add a custom checker or customize the PKIXParameters that are
>>>being used.
>>> Is there some other means for adding a custom checker to the list
>>>that isn't so obvious? I could subclass Merlin and sort of brute
>>>force it in if necessary, but if there's another way to set that up I
>>>would much rather do that.
>>>
>>> Stephen W. Chappell
>>>
>>
>>
>>--
>>Colm O hEigeartaigh
>>
>>Talend Community Coder
>>http://coders.talend.com
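An added example, not code from this thread or from WSS4J/Merlin, showing the "bare JVM" approach the original question describes: the full path (leaf, issuing CA, intermediate CA) is built with the PKIX CertPathBuilder from a truststore that holds the CAs only as individual trusted-cert entries (the case where KeyStore.getCertificateChain() returns null, as seen in the debugger above), and a custom PKIXCertPathChecker is run on every certificate in that path. The class and method names, the "self-signed means trust anchor" rule and the weak-RSA-key policy are assumptions made for the example.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class ChainFromTruststore {
    // Custom checker: the PKIX validator calls check() once per certificate in the path.
    // Policy here (an assumption for the example): reject RSA keys shorter than 2048 bits.
    static final class KeySizeChecker extends PKIXCertPathChecker {
        final List<String> checked = new ArrayList<>();   // subjects seen, to confirm the whole path was checked
        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; }
        @Override public void check(Certificate cert, Collection<String> unresolved) throws CertPathValidatorException {
            X509Certificate x = (X509Certificate) cert;
            checked.add(x.getSubjectX500Principal().getName());
            if (x.getPublicKey() instanceof RSAPublicKey
                    && ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() < 2048) {
                throw new CertPathValidatorException("weak RSA key: " + x.getSubjectX500Principal());
            }
        }
    }

    // Build leaf -> issuing CA -> intermediate CA from individual trustedCertEntries (for which
    // KeyStore.getCertificateChain() returns null), anchored on the self-signed root(s), and validate it.
    static CertPath buildAndValidate(KeyStore ts, X509Certificate leaf, PKIXCertPathChecker checker) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        List<X509Certificate> pool = new ArrayList<>(Collections.singletonList(leaf));   // candidates for the builder
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            if (c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) anchors.add(new TrustAnchor(c, null));
            else pool.add(c);
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.addCertPathChecker(checker);   // applied to the leaf and intermediates; the trust anchor itself is not passed
        params.setRevocationEnabled(false);   // turn on, with CRL/OCSP configured, before relying on this
        return ((PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params)).getCertPath();
    }
}
```

Load the JKS truststore with KeyStore.getInstance("JKS").load(...) and the end-entity cert with CertificateFactory.getInstance("X.509").generateCertificate(...), then call buildAndValidate(ts, leaf, new KeySizeChecker()); the returned CertPath holds the leaf plus both intermediates, and checker.checked lists every subject the checker saw.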