You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org> on 2011/10/03 11:04:42 UTC

[jira] [Closed] (WSS-27) Merlin.validateCertPath doesn't work with alternate providers

     [ https://issues.apache.org/jira/browse/WSS-27?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-27.
----------------------------------

    
> Merlin.validateCertPath doesn't work with alternate providers
> -------------------------------------------------------------
>
>                 Key: WSS-27
>                 URL: https://issues.apache.org/jira/browse/WSS-27
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 1.4.2-54, mixed mode), Mac OS X 10.4.3
>            Reporter: Allen Cronce
>            Assignee: Davanum Srinivas
>
> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital signatures with certificates issued from the same root. Because I have my own keystore in memory, I've derived new objects supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle Uber. Both the client and server side keystores have the root certificate installed as a trusted certificate entry.
> On the server side I get the following error when verifying the signer's certificate:
> java.security.cert.CertPathValidatorException: signature check failed; internal cause is:
>    java.lang.IllegalArgumentException: missing provider
> I've verified in the debugger that the certificate chain provided to Merlin.validateCertPath is valid.
> In looking at the code, I've determined that Merlin.validateCertPath is not calling the provider aware variant of CertPathValidator.getInstance. I overrode validateCertPath in my Merlin derivation, and used the version of CertPathValidator.getInstance that allows me to specify the provider and it now works.
> So the bug is that Merlin.validateCertPath needs to support alternate providers. Here's the fixed version of the method:
> 	/**
> 	 * Overridden because there's a bug in the base class where they don't use
> 	 * the provider variant for the certificate validator.
> 	 * 
> 	 * @param certs
> 	 *            Certificate chain to validate
> 	 * @return true if the certificate chain is valid, false otherwise
> 	 * @throws WSSecurityException
> 	 */
> 	public boolean validateCertPath(X509Certificate[] certs)
> 			throws WSSecurityException {
> 		try {
> 			// Generate cert path
> 			java.util.List certList = java.util.Arrays.asList(certs);
> 			CertPath path = this.getCertificateFactory().generateCertPath(
> 					certList);
> 			// Use the certificates in the keystore as TrustAnchors
> 			PKIXParameters param = new PKIXParameters(this.keystore);
> 			// Do not check a revocation list
> 			param.setRevocationEnabled(false);
> 			// Verify the trust path using the above settings
> 			String provider = properties
> 					.getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
> 			CertPathValidator certPathValidator;
> 			if (provider == null || provider.length() == 0) {
> 				certPathValidator = CertPathValidator.getInstance("PKIX");
> 			} else {
> 				certPathValidator = CertPathValidator.getInstance("PKIX",
> 						provider);
> 			}
> 			certPathValidator.validate(path, param);
> 		} catch (NoSuchProviderException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (NoSuchAlgorithmException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (CertificateException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (InvalidAlgorithmParameterException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (CertPathValidatorException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		} catch (KeyStoreException ex) {
> 			throw new WSSecurityException(WSSecurityException.FAILURE,
> 					"certpath", new Object[] { ex.getMessage() },
> 					(Throwable) ex);
> 		}
> 		return true;
> 	}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org