ws-wss4j-dev mailing list archives

From Davanum Srinivas <dava...@gmail.com>
Subject Re: SOLVED -> Help with CertPathValidatorException error?
Date Fri, 18 Nov 2005 19:39:30 GMT
Please open a JIRA bug.

-- dims

On 11/18/05, Allen Cronce <acronce@earthlink.net> wrote:
> As I thought, the problem is that Merlin.validateCertPath is not calling
> the provider aware variant of CertPathValidator.getInstance. I overrode
> validateCertPath in my Merlin derivation, and used the version of
> CertPathValidator.getInstance that allows me to specify the provider and
> it now works. I've appended the code change below.
>
> I would call this a bug in Merlin.validateCertPath. Should I file a Jira
> bug or is this a known problem?
>
> Best regards,
> --
> Allen Cronce
>
> ------------------------------
>
>     public boolean validateCertPath(X509Certificate[] certs)
>             throws WSSecurityException {
>
>         try {
>             // Generate cert path
>             java.util.List certList = java.util.Arrays.asList(certs);
>             CertPath path = this.getCertificateFactory().generateCertPath(
>                     certList);
>
>             // Use the certificates in the keystore as TrustAnchors
>             PKIXParameters param = new PKIXParameters(this.keystore);
>
>             // Do not check a revocation list
>             param.setRevocationEnabled(false);
>
>             // Verify the trust path using the above settings
>             String provider = properties
>                     .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
>             CertPathValidator certPathValidator;
>             if (provider == null || provider.length() == 0) {
>                 certPathValidator = CertPathValidator.getInstance("PKIX");
>             } else {
>                 certPathValidator = CertPathValidator.getInstance("PKIX",
>                         provider);
>             }
>             certPathValidator.validate(path, param);
>         } catch (NoSuchProviderException ex) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "certpath", new Object[] { ex.getMessage() },
>                     (Throwable) ex);
>         } catch (NoSuchAlgorithmException ex) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "certpath", new Object[] { ex.getMessage() },
>                     (Throwable) ex);
>         } catch (CertificateException ex) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "certpath", new Object[] { ex.getMessage() },
>                     (Throwable) ex);
>         } catch (InvalidAlgorithmParameterException ex) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "certpath", new Object[] { ex.getMessage() },
>                     (Throwable) ex);
>         } catch (CertPathValidatorException ex) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "certpath", new Object[] { ex.getMessage() },
>                     (Throwable) ex);
>         } catch (KeyStoreException ex) {
>             throw new WSSecurityException(WSSecurityException.FAILURE,
>                     "certpath", new Object[] { ex.getMessage() },
>                     (Throwable) ex);
>         }
>
>         return true;
>     }
>
>
> Allen Cronce wrote:
> > Hi all,
> >
> > I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use
> > digital signatures with certificates issued from the same root.
> > Because I have my own keystore in memory, I've derived new objects
> > supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender.
> > The keystore is Bouncy Castle Uber. Both the client and server side
> > keystores have the root certificate installed as a trusted certificate
> > entry.
> >
> > On the server side I get the following error when verifying the
> > signer's certificate:
> >
> > java.security.cert.CertPathValidatorException: signature check failed;
> > internal cause is:
> >    java.lang.IllegalArgumentException: missing provider
> >
> > I've verified in the debugger that the certificate chain provided to
> > Merlin.validateCertPath is valid. Does this error mean that
> > validateCertPath is instancing a CertPathValidator that doesn't know
> > about the BC provider?
> >
> > I suppose that I can work around this error by overriding verifyTrust
> > and implementing my own certificate validation. But I was hoping to
> > keep my overrides to a minimum.
> >
> > Any suggestions regarding how to resolve this issue would be appreciated.
> >
> > Best regards,
> > --
> > Allen Cronce
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: wss4j-dev-help@ws.apache.org


--
Davanum Srinivas : http://wso2.com/blogs/
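A stand-alone Java version of the provider-aware validation discussed in this thread, added here as an illustration; it is not wss4j code and not Allen's patch. The keystore file, password, chain file and provider name are assumed placeholders. Beyond the posted override it checks that the named provider is actually registered (so a typo fails with a clear message instead of a generic one), keeps revocation checking as an explicit caller choice, and returns the PKIX result so the caller can log which trust anchor the signer's chain actually reached.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.cert.*;
import java.util.Arrays;

public class ProviderAwareCertPathCheck {

    /** Validates certs (leaf first, trust anchor not included) against the keystore's
     *  trusted-certificate entries, using the named JCE provider when one is given. */
    public static PKIXCertPathValidatorResult validate(X509Certificate[] certs, KeyStore keystore,
                                                       String provider, boolean checkRevocation)
            throws GeneralSecurityException {
        boolean useProvider = provider != null && provider.length() > 0;
        // Fail early with a clear message if the requested provider is not registered at all.
        if (useProvider && Security.getProvider(provider) == null) {
            throw new NoSuchProviderException("JCE provider not registered: " + provider);
        }
        CertificateFactory cf = useProvider
                ? CertificateFactory.getInstance("X.509", provider)
                : CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(certs));

        // Every trusted-certificate entry in the keystore becomes a TrustAnchor.
        PKIXParameters params = new PKIXParameters(keystore);
        // With revocation disabled a revoked but otherwise valid signer still passes.
        params.setRevocationEnabled(checkRevocation);

        // The provider-aware lookup is the whole point: the default lookup may pick a
        // validator that cannot handle the keystore provider's certificate objects.
        CertPathValidator validator = useProvider
                ? CertPathValidator.getInstance("PKIX", provider)
                : CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders: a BC UBER truststore and the signer's chain as a PEM file.
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        KeyStore ks = KeyStore.getInstance("UBER", "BC");
        ks.load(new FileInputStream("truststore.ubr"), "changeit".toCharArray());
        X509Certificate[] chain = CertificateFactory.getInstance("X.509")
                .generateCertificates(new FileInputStream("signer-chain.pem"))
                .toArray(new X509Certificate[0]);
        PKIXCertPathValidatorResult result = validate(chain, ks, "BC", false);
        System.out.println("chain anchored at: "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```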