You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by "Allen Cronce (JIRA)" <ji...@apache.org> on 2005/11/20 16:50:25 UTC
[jira] Created: (WSS-27) Merlin.validateCertPath doesn't work with alternate providers
Merlin.validateCertPath doesn't work with alternate providers
-------------------------------------------------------------
Key: WSS-27
URL: http://issues.apache.org/jira/browse/WSS-27
Project: WSS4J
Type: Bug
Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 1.4.2-54, mixed mode), Mac OS X 10.4.3
Reporter: Allen Cronce
Assigned to: Davanum Srinivas
I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital signatures with certificates issued from the same root. Because I have my own keystore in memory, I've derived new objects supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle Uber. Both the client and server side keystores have the root certificate installed as a trusted certificate entry.
On the server side I get the following error when verifying the signer's certificate:
java.security.cert.CertPathValidatorException: signature check failed; internal cause is:
java.lang.IllegalArgumentException: missing provider
I've verified in the debugger that the certificate chain provided to Merlin.validateCertPath is valid.
In looking at the code, I've determined that Merlin.validateCertPath is not calling the provider aware variant of CertPathValidator.getInstance. I overrode validateCertPath in my Merlin derivation, and used the version of CertPathValidator.getInstance that allows me to specify the provider and it now works.
So the bug is that Merlin.validateCertPath needs to support alternate providers. Here's the fixed version of the method:
/**
* Overridden because there's a bug in the base class where they don't use
* the provider variant for the certificate validator.
*
* @param certs
* Certificate chain to validate
* @return true if the certificate chain is valid, false otherwise
* @throws WSSecurityException
*/
public boolean validateCertPath(X509Certificate[] certs)
throws WSSecurityException {
try {
// Generate cert path
java.util.List certList = java.util.Arrays.asList(certs);
CertPath path = this.getCertificateFactory().generateCertPath(
certList);
// Use the certificates in the keystore as TrustAnchors
PKIXParameters param = new PKIXParameters(this.keystore);
// Do not check a revocation list
param.setRevocationEnabled(false);
// Verify the trust path using the above settings
String provider = properties
.getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
CertPathValidator certPathValidator;
if (provider == null || provider.length() == 0) {
certPathValidator = CertPathValidator.getInstance("PKIX");
} else {
certPathValidator = CertPathValidator.getInstance("PKIX",
provider);
}
certPathValidator.validate(path, param);
} catch (NoSuchProviderException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (NoSuchAlgorithmException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (CertificateException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (InvalidAlgorithmParameterException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (CertPathValidatorException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (KeyStoreException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
}
return true;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Resolved: (WSS-27) Merlin.validateCertPath doesn't work with alternate providers
Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/WSS-27?page=all ]
Davanum Srinivas resolved WSS-27:
---------------------------------
Resolution: Fixed
Fixed.
-- dims
> Merlin.validateCertPath doesn't work with alternate providers
> -------------------------------------------------------------
>
> Key: WSS-27
> URL: http://issues.apache.org/jira/browse/WSS-27
> Project: WSS4J
> Type: Bug
> Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 1.4.2-54, mixed mode), Mac OS X 10.4.3
> Reporter: Allen Cronce
> Assignee: Davanum Srinivas
>
> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital signatures with certificates issued from the same root. Because I have my own keystore in memory, I've derived new objects supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle Uber. Both the client and server side keystores have the root certificate installed as a trusted certificate entry.
> On the server side I get the following error when verifying the signer's certificate:
> java.security.cert.CertPathValidatorException: signature check failed; internal cause is:
> java.lang.IllegalArgumentException: missing provider
> I've verified in the debugger that the certificate chain provided to Merlin.validateCertPath is valid.
> In looking at the code, I've determined that Merlin.validateCertPath is not calling the provider aware variant of CertPathValidator.getInstance. I overrode validateCertPath in my Merlin derivation, and used the version of CertPathValidator.getInstance that allows me to specify the provider and it now works.
> So the bug is that Merlin.validateCertPath needs to support alternate providers. Here's the fixed version of the method:
> /**
> * Overridden because there's a bug in the base class where they don't use
> * the provider variant for the certificate validator.
> *
> * @param certs
> * Certificate chain to validate
> * @return true if the certificate chain is valid, false otherwise
> * @throws WSSecurityException
> */
> public boolean validateCertPath(X509Certificate[] certs)
> throws WSSecurityException {
> try {
> // Generate cert path
> java.util.List certList = java.util.Arrays.asList(certs);
> CertPath path = this.getCertificateFactory().generateCertPath(
> certList);
> // Use the certificates in the keystore as TrustAnchors
> PKIXParameters param = new PKIXParameters(this.keystore);
> // Do not check a revocation list
> param.setRevocationEnabled(false);
> // Verify the trust path using the above settings
> String provider = properties
> .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
> CertPathValidator certPathValidator;
> if (provider == null || provider.length() == 0) {
> certPathValidator = CertPathValidator.getInstance("PKIX");
> } else {
> certPathValidator = CertPathValidator.getInstance("PKIX",
> provider);
> }
> certPathValidator.validate(path, param);
> } catch (NoSuchProviderException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (NoSuchAlgorithmException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (CertificateException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (InvalidAlgorithmParameterException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (CertPathValidatorException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (KeyStoreException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> }
> return true;
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
[jira] Resolved: (WSS-27) Merlin.validateCertPath doesn't work with alternate providers
Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/WSS-27?page=all ]
Davanum Srinivas resolved WSS-27:
---------------------------------
Resolution: Fixed
Fixed.
-- dims
> Merlin.validateCertPath doesn't work with alternate providers
> -------------------------------------------------------------
>
> Key: WSS-27
> URL: http://issues.apache.org/jira/browse/WSS-27
> Project: WSS4J
> Type: Bug
> Environment: java version "1.4.2_09", Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_09-232), Java HotSpot(TM) Client VM (build 1.4.2-54, mixed mode), Mac OS X 10.4.3
> Reporter: Allen Cronce
> Assignee: Davanum Srinivas
>
> I'm using wss4j 1.1.0 and Axis 1.3 for a service configured to use digital signatures with certificates issued from the same root. Because I have my own keystore in memory, I've derived new objects supporting my keystore from Merlin, WSDoAllReceiver and WSDoAllSender. The keystore is Bouncy Castle Uber. Both the client and server side keystores have the root certificate installed as a trusted certificate entry.
> On the server side I get the following error when verifying the signer's certificate:
> java.security.cert.CertPathValidatorException: signature check failed; internal cause is:
> java.lang.IllegalArgumentException: missing provider
> I've verified in the debugger that the certificate chain provided to Merlin.validateCertPath is valid.
> In looking at the code, I've determined that Merlin.validateCertPath is not calling the provider aware variant of CertPathValidator.getInstance. I overrode validateCertPath in my Merlin derivation, and used the version of CertPathValidator.getInstance that allows me to specify the provider and it now works.
> So the bug is that Merlin.validateCertPath needs to support alternate providers. Here's the fixed version of the method:
> /**
> * Overridden because there's a bug in the base class where they don't use
> * the provider variant for the certificate validator.
> *
> * @param certs
> * Certificate chain to validate
> * @return true if the certificate chain is valid, false otherwise
> * @throws WSSecurityException
> */
> public boolean validateCertPath(X509Certificate[] certs)
> throws WSSecurityException {
> try {
> // Generate cert path
> java.util.List certList = java.util.Arrays.asList(certs);
> CertPath path = this.getCertificateFactory().generateCertPath(
> certList);
> // Use the certificates in the keystore as TrustAnchors
> PKIXParameters param = new PKIXParameters(this.keystore);
> // Do not check a revocation list
> param.setRevocationEnabled(false);
> // Verify the trust path using the above settings
> String provider = properties
> .getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
> CertPathValidator certPathValidator;
> if (provider == null || provider.length() == 0) {
> certPathValidator = CertPathValidator.getInstance("PKIX");
> } else {
> certPathValidator = CertPathValidator.getInstance("PKIX",
> provider);
> }
> certPathValidator.validate(path, param);
> } catch (NoSuchProviderException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (NoSuchAlgorithmException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (CertificateException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (InvalidAlgorithmParameterException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (CertPathValidatorException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> } catch (KeyStoreException ex) {
> throw new WSSecurityException(WSSecurityException.FAILURE,
> "certpath", new Object[] { ex.getMessage() },
> (Throwable) ex);
> }
> return true;
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org