ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (Closed) (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-27) Merlin.validateCertPath doesn't work with alternate providers
Date Mon, 03 Oct 2011 09:04:42 GMT

     [ https://issues.apache.org/jira/browse/WSS-27?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Colm O hEigeartaigh closed WSS-27.
----------------------------------

    
> Merlin.validateCertPath doesn't work with alternate providers
> -------------------------------------------------------------
>
>                 Key: WSS-27
>                 URL: https://issues.apache.org/jira/browse/WSS-27
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, Standard
Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 1.4.2-54, mixed mode), Mac
OS X 10.4.3
>            Reporter: Allen Cronce
>            Assignee: Davanum Srinivas
>
> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital signatures
with certificates issued from the same root. Because I have my own keystore in memory, I've
derived new objects supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender.
The keystore is Bouncy Castle Uber. Both the client and server side keystores have the root
certificate installed as a trusted certificate entry.
> On the server side I get the following error when verifying the signer's certificate:
> java.security.cert.CertPathValidatorException: signature check failed; internal cause
is:
>    java.lang.IllegalArgumentException: missing provider
> I've verified in the debugger that the certificate chain provided to Merlin.validateCertPath
is valid.
> In looking at the code, I've determined that Merlin.validateCertPath is not calling the
provider aware variant of CertPathValidator.getInstance. I overrode validateCertPath in my
Merlin derivation, and used the version of CertPathValidator.getInstance that allows me to
specify the provider and it now works.
> So the bug is that Merlin.validateCertPath needs to support alternate providers. Here's
the fixed version of the method:
> 	/**
> 	 * Overridden because there's a bug in the base class where they don't use
> 	 * the provider variant for the certificate validator.
> 	 * 
> 	 * @param certs
> 	 *            Certificate chain to validate
> 	 * @return true if the certificate chain is valid, false otherwise
> 	 * @throws WSSecurityException
> 	 */
> 	public boolean validateCertPath(X509Certificate[] certs)
> 			throws WSSecurityException {
> 		try {
> 			// Generate cert path
> 			java.util.List certList = java.util.Arrays.asList(certs);
> 			CertPath path = this.getCertificateFactory().generateCertPath(
> 					certList);
> 			// Use the certificates in the keystore as TrustAnchors
> 			PKIXParameters param = new PKIXParameters(this.keystore);
> 			// Do not check a revocation list
> 			param.setRevocationEnabled(false);
> 			// Verify the trust path using the above settings
> 			String provider = properties
> 					.getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
> 			CertPathValidator certPathValidator;
> 			if (provider == null || provider.length() == 0) {
> 				certPathValidator = CertPathValidator.getInstance("PKIX");
> 			} else {
> 				certPathValidator = CertPathValidator.getInstance("PKIX",
> 						provider);
> 			}
> 			certPathValidator.validate(path, param);
> 		} catch (NoSuchProviderException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (NoSuchAlgorithmException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (CertificateException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (InvalidAlgorithmParameterException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (CertPathValidatorException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (KeyStoreException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		}
> 		return true;
> 	}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message