ws-wss4j-dev mailing list archives

From Allen Cronce <acro...@earthlink.net>
Subject SOLVED -> Help with CertPathValidatorException error?
Date Fri, 18 Nov 2005 16:09:45 GMT
As I thought, the problem is that Merlin.validateCertPath is not calling 
the provider-aware variant of CertPathValidator.getInstance. I overrode 
validateCertPath in my Merlin derivation and used the version of 
CertPathValidator.getInstance that allows me to specify the provider, and 
it now works. I've appended the code change below.

I would call this a bug in Merlin.validateCertPath. Should I file a Jira 
bug or is this a known problem?

Best regards,
--
Allen Cronce

------------------------------

// Imports needed by this override; they belong at the top of the Merlin
// subclass (the posted snippet shows only the method itself).
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import org.apache.ws.security.WSSecurityException;

    public boolean validateCertPath(X509Certificate[] certs)
            throws WSSecurityException {

        try {
            // Generate cert path from the chain (end-entity certificate first)
            java.util.List certList = java.util.Arrays.asList(certs);
            CertPath path = this.getCertificateFactory().generateCertPath(
                    certList);

            // Use the trusted certificate entries in the keystore as TrustAnchors
            PKIXParameters param = new PKIXParameters(this.keystore);

            // Do not check a revocation list
            param.setRevocationEnabled(false);

            // Verify the trust path using the above settings. The provider
            // name comes from the same Merlin property that already selects
            // the provider for the CertificateFactory, so the validator and
            // the certificates it checks are served by one JCA provider.
            String provider = properties
                    .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
            CertPathValidator certPathValidator;
            if (provider == null || provider.length() == 0) {
                certPathValidator = CertPathValidator.getInstance("PKIX");
            } else {
                certPathValidator = CertPathValidator.getInstance("PKIX",
                        provider);
            }
            certPathValidator.validate(path, param);
        } catch (NoSuchProviderException ex) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "certpath", new Object[] { ex.getMessage() },
                    (Throwable) ex);
        } catch (NoSuchAlgorithmException ex) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "certpath", new Object[] { ex.getMessage() },
                    (Throwable) ex);
        } catch (CertificateException ex) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "certpath", new Object[] { ex.getMessage() },
                    (Throwable) ex);
        } catch (InvalidAlgorithmParameterException ex) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "certpath", new Object[] { ex.getMessage() },
                    (Throwable) ex);
        } catch (CertPathValidatorException ex) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "certpath", new Object[] { ex.getMessage() },
                    (Throwable) ex);
        } catch (KeyStoreException ex) {
            throw new WSSecurityException(WSSecurityException.FAILURE,
                    "certpath", new Object[] { ex.getMessage() },
                    (Throwable) ex);
        }

        return true;
    }


Allen Cronce wrote:
> Hi all,
>
> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use 
> digital signatures with certificates issued from the same root. 
> Because I have my own keystore in memory, I've derived new objects 
> supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender. 
> The keystore is Bouncy Castle Uber. Both the client and server side 
> keystores have the root certificate installed as a trusted certificate 
> entry.
>
> On the server side I get the following error when verifying the 
> signer's certificate:
>
> java.security.cert.CertPathValidatorException: signature check failed; 
> internal cause is:
>    java.lang.IllegalArgumentException: missing provider
>
> I've verified in the debugger that the certificate chain provided to 
> Merlin.validateCertPath is valid. Does this error mean that 
> validateCertPath is instantiating a CertPathValidator that doesn't know 
> about the BC provider?
>
> I suppose that I can work around this error by overriding verifyTrust 
> and implementing my own certificate validation. But I was hoping to 
> keep my overrides to a minimum.
>
> Any suggestions regarding how to resolve this issue would be appreciated.
>
> Best regards,
> -- 
> Allen Cronce


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
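The following is an added, stand-alone illustration of the provider-aware validation pattern discussed in this thread; it is not code from the post or from WSS4J. It assumes Bouncy Castle's later certificate-builder API (bcprov plus bcpkix, the org.bouncycastle.cert and org.bouncycastle.operator packages, which did not exist when this message was written) and uses a hypothetical class name. The root/sub CA/signer certificates and the BKS keystore are constructed in memory as test data. It checks that the named provider is actually registered before asking for a CertificateFactory or PKIX CertPathValidator from it, validates a chain against the keystore's trusted entries, and shows both a rejected self-signed certificate and a mistyped provider name surfacing as a configuration error rather than as an untrusted chain. It does not reproduce the exact "missing provider" failure the poster hit.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Hypothetical class name; added example, not part of WSS4J.
public class ProviderAwareCertPathCheck {

    private static final String BC = "BC";
    private static long serial = 1;

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Constructed in-memory PKI: root -> sub CA -> signer, all issued via BC.
        KeyPair rootKey = newKey();
        X509Certificate root = issue("CN=Test Root", rootKey.getPrivate(),
                "CN=Test Root", rootKey.getPublic(), true);
        KeyPair subKey = newKey();
        X509Certificate sub = issue("CN=Test Root", rootKey.getPrivate(),
                "CN=Test Sub CA", subKey.getPublic(), true);
        KeyPair signerKey = newKey();
        X509Certificate signer = issue("CN=Test Sub CA", subKey.getPrivate(),
                "CN=Test Signer", signerKey.getPublic(), false);

        // Only the root is a trusted certificate entry, mirroring the poster's
        // layout; BKS is a Bouncy Castle keystore type.
        KeyStore trust = KeyStore.getInstance("BKS", BC);
        trust.load(null, null);
        trust.setCertificateEntry("root", root);

        System.out.println("chained to root: "
                + validate(new X509Certificate[] { signer, sub }, trust, BC));

        // A self-signed certificate with no anchor in the keystore must fail.
        KeyPair rogueKey = newKey();
        X509Certificate rogue = issue("CN=Rogue", rogueKey.getPrivate(),
                "CN=Rogue", rogueKey.getPublic(), false);
        System.out.println("rogue self-signed: "
                + validate(new X509Certificate[] { rogue }, trust, BC));

        // A misspelled provider name is a deployment mistake, not an untrusted
        // certificate, and is reported before any validation runs.
        try {
            validate(new X509Certificate[] { signer, sub }, trust, "NoSuchProv");
        } catch (NoSuchProviderException e) {
            System.out.println("config error: " + e.getMessage());
        }
    }

    /** Validates chain (end entity first, anchor excluded) against the trusted
     *  entries in the keystore, taking both the CertificateFactory and the PKIX
     *  CertPathValidator from the named JCA provider. */
    static boolean validate(X509Certificate[] chain, KeyStore trust, String providerName)
            throws GeneralSecurityException {
        if (Security.getProvider(providerName) == null) {
            throw new NoSuchProviderException("JCA provider not registered: " + providerName);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509", providerName);
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trust); // trusted entries become anchors
        params.setRevocationEnabled(false);                // offline example: no CRL/OCSP
        CertPathValidator validator = CertPathValidator.getInstance("PKIX", providerName);
        try {
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    static KeyPair newKey() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", BC);
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Issues a certificate for subjectKey signed by issuerKey; ca=true sets the
     *  basicConstraints/keyUsage PKIX requires of an intermediate. */
    static X509Certificate issue(String issuer, PrivateKey issuerKey,
            String subject, PublicKey subjectKey, boolean ca) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial++),
                new Date(now - 60000L), new Date(now + 3600000L),
                new X500Name(subject), subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(
                ca ? KeyUsage.keyCertSign | KeyUsage.cRLSign : KeyUsage.digitalSignature));
        ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(BC).build(issuerKey);
        X509CertificateHolder holder = builder.build(contentSigner);
        return new JcaX509CertificateConverter().setProvider(BC).getCertificate(holder);
    }
}
```

Compile and run with bcprov and bcpkix on the classpath. The point of the up-front Security.getProvider check is that an absent provider then fails with a clear NoSuchProviderException at the call site, instead of the validator silently falling back to whichever provider the JVM picks first.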

