Subject: Re: Using a custom CertPathChecker
From: Vishnu Radhakrishnan
To: users@cxf.apache.org
Date: Tue, 07 Apr 2015 13:45:35 -0400

As far as I know you can't do private keys with PKCS7 format. Try the PKCS12 format.

Vishnu

On 2015-04-07, 13:35, "Stephen.CTR.Chappell@faa.gov" wrote:

>So here is where I am at ...
>
>* If I cat the certificate pem files together, only one cert ever gets imported no matter the order of cat'ing. Removing the ----- BEGIN and ---- END tags doesn't help at all
>* If I use openssl crl2pkcs7 to create a pkcs7 file containing all the certs, keytool won't import it (java.lang.Exception: Input not an X.509 certificate)
>* pkcs12 is not an option because there are no private keys - this is a trust store only
>
>I'm about out of ideas for this, and from what I can see JKS files only really want to have certificate chains when there is a private key involved. I subclassed Merlin to build a trust chain, as I described in the original email, so I guess I will stick with that solution.
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Chappell, Stephen CTR (FAA)
>Sent: Tuesday, April 07, 2015 12:22 PM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: RE: Using a custom CertPathChecker
>
>I thought I needed PKCS7, not PKCS12?
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>Sent: Tuesday, April 07, 2015 11:01 AM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: Re: Using a custom CertPathChecker
>
>keytool -list -storetype PKCS12 -keystore filename.pkcs12 -v: see how many certificates are listed before you import the keystore into JKS format. Also check the alias on the certs; if they are the same they won't be imported, since by default mykey is assigned as alias.
>
>Vishnu
>
>
>On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov" wrote:
>
>>Thanx, Vishnu. I saw that, and spent most of the morning trying to build a cert chain that way. I started with PEM certs, cat'd them together in the correct order, converted them to PKCS7 with openssl crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool only imported one cert, not the whole chain. Maybe this is a Java issue (I'm using Java 6), but the man page says it should work. It also says that if you import a cert with a private key, it'll build a cert chain ... when I tried that with a server cert I had, it built a cert chain of length 1 instead of 3. That's when I posted the question.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>>Sent: Tuesday, April 07, 2015 10:28 AM
>>To: users@cxf.apache.org; coheigea@apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>From the keytool man page: it imports a certificate chain if the input is given in PKCS#7 format; otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via the openssl crl2pkcs7 command.
>>
>>
>>On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov" wrote:
>>
>>>Colm -
>>>
>>>This seems like it should be easier than it is, but can you point me to a resource for properly building a truststore with a certificate chain? I have separate keystores and trust stores for the STS, and the truststore should have a chain something like:
>>>
>>>Root CA
>>>  Intermediate CA
>>>    Issuing CA
>>>
>>>I had thought that if I added them with keytool in the right order, keytool would establish a cert chain. Instead it just adds them as individual certificates with no cert chain to be found.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Tuesday, April 07, 2015 8:21 AM
>>>To: coheigea@apache.org
>>>Cc: users@cxf.apache.org
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Well, that must be the issue. I just ran it through the debugger, and getCertificateChain is returning null each time. I've added code in my subclassed Merlin to be able to walk up the tree, but it'd be more efficient if the truststore was built properly, so I'll try to figure that out.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>Sent: Tuesday, April 07, 2015 8:12 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using individual certs stored in the truststore; the intermediate cert must have the issuing cert stored as part of the certificate chain entry.
>>>Colm.
>>>
>>>On Tue, Apr 7, 2015 at 1:02 PM, wrote:
>>>Colm -
>>>
>>>That is the case, at least I thought it was. The truststore has certs for the issuer, intermediate, and root CA, plus a few other miscellaneous certs. I'll run it through the debugger later this morning and see what turns up.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>Sent: Tuesday, April 07, 2015 7:59 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>"getX509Certificates" calls "getCertificates", which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?
>>>Colm.
>>>
>>>On Fri, Apr 3, 2015 at 3:34 PM, wrote:
>>>Colm -
>>>
>>>While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked, so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?
>>>
>>>There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Friday, April 03, 2015 9:56 AM
>>>To: users@cxf.apache.org; coheigea@apache.org
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Colm -
>>>
>>>No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.
>>>
>>>Thanx,
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>Sent: Friday, April 03, 2015 9:47 AM
>>>To: users@cxf.apache.org
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Hi Stephen,
>>>
>>>There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?
>>>
>>>Colm.
>>>
>>>On Tue, Mar 24, 2015 at 8:11 PM, wrote:
>>>
>>>> I have a requirement to use a custom CertPathChecker in my code. With a "bare" JVM, I can add the checker to my PKIXParameters and validate away.
>>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any hooks to add a custom checker or customize the PKIXParameters that are being used.
>>>> Is there some other means for adding a custom checker to the list that isn't so obvious? I could subclass Merlin and sort of brute force it in if necessary, but if there's another way to set that up I would much rather do that.
>>>>
>>>> Stephen W. Chappell
>>>>
>>>
>>>--
>>>Colm O hEigeartaigh
>>>
>>>Talend Community Coder
>>>http://coders.talend.com
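The two problems the thread circles around, getCertificateChain() returning null for trusted-certificate entries and the missing hook for a custom PKIXCertPathChecker, as one added Java example. This is not code from WSS4J, Merlin or any poster; the class, method and checker names are hypothetical, and it assumes a KeyStore holding the root, intermediate and issuing CA certs as separate trusted entries.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Hypothetical helper, not WSS4J/Merlin code: path building plus a custom PKIXCertPathChecker. */
public final class ChainValidator {
    /** Follows issuer links through the trust store, because getCertificateChain() is null for
     *  trusted-certificate entries and only the leaf would otherwise end up in the CertPath. */
    static List<X509Certificate> buildPath(X509Certificate leaf, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        X509Certificate current = leaf;
        while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            if (path.size() >= 16) throw new CertPathBuilderException("path too long or cyclic");
            path.add(current);
            X509Certificate issuer = null;
            for (Enumeration<String> e = trustStore.aliases(); issuer == null && e.hasMoreElements(); ) {
                Certificate c = trustStore.getCertificate(e.nextElement());
                if (c instanceof X509Certificate && ((X509Certificate) c).getSubjectX500Principal()
                        .equals(current.getIssuerX500Principal())) {
                    // Name match alone is not enough: the candidate must actually have signed it.
                    try { current.verify(c.getPublicKey()); issuer = (X509Certificate) c; } catch (Exception ignored) { }
                }
            }
            if (issuer == null) throw new CertPathBuilderException("no issuer for " + current.getSubjectX500Principal());
            current = issuer;
        }
        return path; // the self-signed root is left out: PKIXParameters supplies it as the TrustAnchor
    }
    /** Default PKIX rules (revocation stays enabled; add CRLs with params.addCertStore) plus one extra
     *  checker registered through addCertPathChecker, the hook the thread is asking for. */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> path, KeyStore trustStore,
                                                PKIXCertPathChecker extra) throws Exception {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // every trusted entry becomes an anchor
        params.addCertPathChecker(extra);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }
    /** Example checker: rejects any path cert signed with an MD5- or SHA-1-based algorithm. The trust
     *  anchor itself is never passed to check(), which is why the root is not examined here. */
    static final class SignatureAlgorithmChecker extends PKIXCertPathChecker {
        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; }
        @Override public void check(Certificate cert, Collection<String> unresolved) throws CertPathValidatorException {
            String alg = ((X509Certificate) cert).getSigAlgName().toUpperCase(Locale.ROOT);
            if (alg.contains("MD5") || alg.contains("SHA1")) throw new CertPathValidatorException("weak signature: " + alg);
        }
    }
}
```

Call `validate(buildPath(leaf, trustStore), trustStore, new SignatureAlgorithmChecker())`; a CertPathValidatorException names the offending certificate and the reason, which is the behaviour a subclassed verifyTrust would surface.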