Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2015/04/03 15:46:56 UTC

Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond subclassing
Merlin and overriding the "verifyTrust" method. I could add a method to
customize the PKIXParameters object though, that could be overridden by a
subclass though which would be better. Or do you have any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:

> I have a requirement to use a custom CertPathChecker in my code. With
> "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any hooks to
> add a custom checker or customize the PKIXParameters that are being used.
> Is there some other means for adding a custom checker to the list that
> isn't so obvious? I could subclass Merlin and sort of brute force it in if
> necessary, but if there's another way to set that up I would much rather do
> that.
>
> Stephen W. Chappell
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
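The "bare JVM" route Stephen describes and the verifyTrust override Colm mentions, as an added example written for this thread (not WSS4J, Merlin or CXF code, and not Merlin's verifyTrust signature): it builds the path from the presented certificate up to a self-issued trust anchor, hands the truststore's intermediate CA certs to the builder through a CertStore so the whole chain is validated rather than only the immediate issuer, and registers a custom PKIXCertPathChecker. ChainValidator, KeyPolicyChecker, the "only self-issued certs are anchors" rule and the key-policy thresholds are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

/**
 * Hypothetical helper (not WSS4J/Merlin code): what a Merlin subclass's overridden
 * verifyTrust would need to do with plain JDK PKIX APIs.
 */
public final class ChainValidator {

    /** Example checker: rejects MD5/SHA-1 signatures and RSA keys shorter than 2048 bits. */
    public static final class KeyPolicyChecker extends PKIXCertPathChecker {
        @Override
        public void init(boolean forward) throws CertPathValidatorException {
            // Reverse (anchor-to-leaf) checking only; the PKIX builder runs such
            // checkers over the completed path instead of while building it.
            if (forward) {
                throw new CertPathValidatorException("forward checking not supported");
            }
        }

        @Override
        public boolean isForwardCheckingSupported() {
            return false;
        }

        @Override
        public Set<String> getSupportedExtensions() {
            return null; // this checker resolves no critical extensions
        }

        @Override
        public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x509 = (X509Certificate) cert;
            String sigAlg = x509.getSigAlgName().toUpperCase();
            if (sigAlg.contains("MD5") || sigAlg.contains("SHA1")) {
                throw new CertPathValidatorException("weak signature algorithm " + sigAlg
                        + " on " + x509.getSubjectX500Principal());
            }
            if (x509.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x509.getPublicKey()).getModulus().bitLength();
                if (bits < 2048) {
                    throw new CertPathValidatorException("RSA key of only " + bits
                            + " bits on " + x509.getSubjectX500Principal());
                }
            }
        }
    }

    /**
     * certs[0] is the certificate to verify, further entries the chain the peer sent.
     * trustStore holds the CA certs as plain trusted-certificate entries (no chain
     * entries needed, which is what keytool produces for a truststore).
     */
    public static PKIXCertPathBuilderResult validate(X509Certificate[] certs, KeyStore trustStore,
            PKIXCertPathChecker checker, boolean enableRevocation) throws GeneralSecurityException {
        // Assumption: only self-issued CA certs act as trust anchors. If the issuing
        // CA were itself an anchor the builder would stop there, and the intermediate
        // and root would never be part of the validated (and revocation-checked) path.
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        List<X509Certificate> candidates = new ArrayList<X509Certificate>(Arrays.asList(certs));
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate ca = (X509Certificate) c;
            if (ca.getSubjectX500Principal().equals(ca.getIssuerX500Principal())) {
                anchors.add(new TrustAnchor(ca, null));
            } else {
                candidates.add(ca); // intermediate CA: let the builder find it by issuer name
            }
        }
        if (anchors.isEmpty()) {
            throw new CertPathValidatorException("truststore contains no self-issued anchor");
        }

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(certs[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        // With revocation on, every cert in the path needs a reachable CRL or OCSP
        // response (e.g. CRLs added to the CertStore); otherwise validation fails closed.
        params.setRevocationEnabled(enableRevocation);
        if (checker != null) {
            params.addCertPathChecker(checker); // runs on every path cert, not on the anchor
        }
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
}
```

Trust anchors are never passed to a PKIXCertPathChecker, so a policy on the root itself (the revocation-of-the-root question raised later in the thread) has to be applied to the returned PKIXCertPathBuilderResult.getTrustAnchor() separately.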

Re: Using a custom CertPathChecker

Posted by "bertrand.trolard" <be...@erdil.fr>.
Hi,

Under Windows, I use "certmgr.msc" to export the whole chain of a 
certificate.

http://windows.microsoft.com/en-US/windows-vista/View-or-manage-your-certificates

Bert

> Thanx, Vishnu. I saw that, and spent most of the morning trying to build a cert chain that way. I started with PEM certs, cat'd them together in the correct order, converted them to PKCS7 with openssl crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool only imported one cert, not the whole chain. Maybe this is a Java issue (I'm using Java 6), but the man page says it should work. It also says that if you import a cert with a private key, that it'll build a cert chain ... when I tried that with a server cert I had, it built a cert chain of length 1 instead of 3. That's when I posted the question.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
> Sent: Tuesday, April 07, 2015 10:28 AM
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: Re: Using a custom CertPathChecker
>
> From the keytool man page: it imports the certificate chain if the input is given in
> PKCS#7 format; otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via the openssl crl2pkcs7 command.
>
>
> On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov"
> <St...@faa.gov> wrote:
>
>> Colm -
>>
>> This seems like it should be easier than it is, but can you point me to
>> a resource for properly building a truststore with a certificate chain?
>> I have separate keystores and trust stores for the STS, and the
>> truststore should have a chain something like:
>>
>> Root CA >>> Intermediate CA >>> Issuing CA
>>
>> I had thought that if I added them with keytool in the right order,
>> that keytool would establish a cert chain. Instead it just adds them as
>> individual certificates with no cert chain to be found.
>>
>> Stephen W. Chappell
>>
>> -----Original Message-----
>> From: Chappell, Stephen CTR (FAA)
>> Sent: Tuesday, April 07, 2015 8:21 AM
>> To: coheigea@apache.org
>> Cc: users@cxf.apache.org
>> Subject: RE: Using a custom CertPathChecker
>>
>> Well, that must be the issue. I just ran it through the debugger, and
>> getCertificateChain is returning null each time. I've added code in my
>> subclassed Merlin to be able to walk up the tree, but it'd be more
>> efficient if the truststore was built properly so I'll try to figure
>> that out.
>>
>> Stephen W. Chappell
>>
>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>> Sent: Tuesday, April 07, 2015 8:12 AM
>> To: Chappell, Stephen CTR (FAA)
>> Cc: users@cxf.apache.org
>> Subject: Re: Using a custom CertPathChecker
>>
>> Ok cool. Just bear in mind that WSS4J won't wire up the trust chain
>> using individual certs stored in the truststore, the intermediate cert
>> must have the issuing cert stored as part of the certificate chain entry.
>> Colm.
>>
>> On Tue, Apr 7, 2015 at 1:02 PM,
>> <St...@faa.gov>> wrote:
>> Colm -
>>
>> That is the case, at least I thought it was. The truststore has certs
>> for the issuer, intermediate, and root CA, plus a few other
>> miscellaneous certs. I'll run it through the debugger later this
>> morning and see what turns up.
>>
>> Stephen W. Chappell
>>
>> From: Colm O hEigeartaigh
>> [mailto:coheigea@apache.org<ma...@apache.org>]
>> Sent: Tuesday, April 07, 2015 7:59 AM
>> To: Chappell, Stephen CTR (FAA)
>> Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>> Subject: Re: Using a custom CertPathChecker
>>
>> "getX509Certificates" calls "getCertificates" which (first) calls
>> "getCertificateChain" on the keystore. Your intermediate CA should have
>> the issuing CA certs stored as part of the entry in the
>> keystore/truststore. Is this not the case? Can you debug into
>> getCertificates() and find out why it is only returning a single cert?
>> Colm.
>>
>> On Fri, Apr 3, 2015 at 3:34 PM,
>> <St...@faa.gov>> wrote:
>> Colm -
>>
>> While I was mucking around in Merlin, I noted that in the "second step"
>> section of verifyTrust, only the immediate issuer of the cert to be
>> checked is added to the cert path (at least in my case, when
>> getX509Certificates only returns a single cert rather than a cert chain).
>> I have a requirement to validate all the certs in the cert path, which
>> in my case has an additional intermediate before getting to the trust
>> anchor. I'm able to loop there and get everything into the cert path,
>> which seems to get everything revocation checked so that is good. But I
>> was curious why only the immediate issuer was added to begin with - is
>> there some issue I should be considering that I'm not?
>>
>> There's also an open question (or rather, open disagreement) about
>> revocation checking the Root CA cert, but this list is probably not the
>> right place for that discussion.
>>
>> Stephen W. Chappell
>>
>> -----Original Message-----
>> From: Chappell, Stephen CTR (FAA)
>> Sent: Friday, April 03, 2015 9:56 AM
>> To: users@cxf.apache.org<ma...@cxf.apache.org>;
>> coheigea@apache.org<ma...@apache.org>
>> Subject: RE: Using a custom CertPathChecker
>>
>> Colm -
>>
>> No, I don't have any better suggestions. In fact, subclassing Merlin
>> and adding a method to configure additional PKIX parameters is exactly
>> what I did.
>>
>> Thanx,
>> Stephen W. Chappell
>>
>> -----Original Message-----
>> From: Colm O hEigeartaigh
>> [mailto:coheigea@apache.org<ma...@apache.org>]
>> Sent: Friday, April 03, 2015 9:47 AM
>> To: users@cxf.apache.org<ma...@cxf.apache.org>
>> Subject: Re: Using a custom CertPathChecker
>>
>> Hi Stephen,
>>
>> There is no way to add CertPathCheckers at the moment, beyond
>> subclassing Merlin and overriding the "verifyTrust" method. I could add
>> a method to customize the PKIXParameters object though, that could be
>> overridden by a subclass though which would be better. Or do you have
>> any other suggestions?
>>
>> Colm.
>>
>> On Tue, Mar 24, 2015 at 8:11 PM,
>> <St...@faa.gov>> wrote:
>>
>>> I have a requirement to use a custom CertPathChecker in my code. With
>>> "bare" JVM, I can add the checker to my PKIXParameters and validate
>>> away.
>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
>>> hooks to add a custom checker or customize the PKIXParameters that are
>>> being used.
>>> Is there some other means for adding a custom checker to the list
>>> that  isn't so obvious? I could subclass Merlin and sort of brute
>>> force it  in if necessary, but if there's another way to set that up I
>>> would  much rather do that.
>>>
>>> Stephen W. Chappell
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>


RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Vishnu, I don't have a private key, that was my point. I'm trying to build a cert chain in a trust store from a root ca, an intermediary, and an issuing ca. 

Stephen W. Chappell


-----Original Message-----
From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com] 
Sent: Tuesday, April 07, 2015 1:46 PM
To: users@cxf.apache.org; coheigea@apache.org
Subject: Re: Using a custom CertPathChecker

As far as I know you can't do private keys with PKCS7 format. Try the
PKCS12 format.


Vishnu

On 2015-04-07, 13:35, "Stephen.CTR.Chappell@faa.gov"
<St...@faa.gov> wrote:

>So here is where I am at ...
>
>* If I cat the certificate pem files together, only one cert ever gets 
>imported no matter the order of cat'ing. Removing the ----- BEGIN and
>---- END tags doesn't help at all
>* If I use openssl crl2pkcs7 to create a pkcs7 file containing all the 
>certs, keytool won't import it (java.lang.Exception: Input not an X.509
>certificate)
>* pkcs12 is not an option because there are no private keys - this is a 
>trust store only
>
>I'm about out of ideas for this, and from what I can see JKS files only 
>really want to have certificate chains when there is a private key 
>involved. I subclassed Merlin to build a trust chain, as I described in 
>the original email, so I guess I will stick with that solution.
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Chappell, Stephen CTR (FAA)
>Sent: Tuesday, April 07, 2015 12:22 PM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: RE: Using a custom CertPathChecker
>
>I thought I needed PKCS7, not PKCS12?
>
>Stephen W. Chappell
>-----Original Message-----
>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>Sent: Tuesday, April 07, 2015 11:01 AM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: Re: Using a custom CertPathChecker
>
>keytool -list -storetype PKCS12 -file filename.pkcs12 -v: see how many 
>certificates are listed before you import the keystore into JKS format.
>Also check the alias on the certs; if they are the same they won't be 
>imported, as by default mykey is assigned as the alias.
>
>Vishnu
>
>
>On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov"
><St...@faa.gov> wrote:
>
>>Thanx, Vishnu. I saw that, and spent most of the morning trying to 
>>build a cert chain that way. I started with PEM certs, cat'd them 
>>together in the correct order, converted them to PKCS7 with openssl 
>>crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool 
>>only imported one cert, not the whole chain. Maybe this is a Java 
>>issue (I'm using Java 6), but the man page says it should work. It 
>>also says that if you import a cert with a private key, that it'll 
>>build a cert chain ... when I tried that with a server cert I had, it 
>>built a cert chain of length 1 instead of 3. That's when I posted the question.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>>Sent: Tuesday, April 07, 2015 10:28 AM
>>To: users@cxf.apache.org; coheigea@apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>From the keytool man page: it imports the certificate chain if the input is given 
>>in
>>PKCS#7 format; otherwise only the single certificate is imported. You 
>>should be able to convert certificates to PKCS#7 format with openssl, 
>>via the openssl crl2pkcs7 command.
>>
>>
>>On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov"
>><St...@faa.gov> wrote:
>>
>>>Colm -
>>>
>>>This seems like it should be easier than it is, but can you point me 
>>>to a resource for properly building a truststore with a certificate 
>>>chain?
>>>I have separate keystores and trust stores for the STS, and the 
>>>truststore should have a chain something like:
>>>
>>>Root CA >>> Intermediate CA >>> Issuing CA
>>>
>>>I had thought that if I added them with keytool in the right order, 
>>>that keytool would establish a cert chain. Instead it just adds them 
>>>as individual certificates with no cert chain to be found.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Tuesday, April 07, 2015 8:21 AM
>>>To: coheigea@apache.org
>>>Cc: users@cxf.apache.org
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Well, that must be the issue. I just ran it through the debugger, and 
>>>getCertificateChain is returning null each time. I've added code in 
>>>my subclassed Merlin to be able to walk up the tree, but it'd be more 
>>>efficient if the truststore was built properly so I'll try to figure 
>>>that out.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>Sent: Tuesday, April 07, 2015 8:12 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Ok cool. Just bear in mind that WSS4J won't wire up the trust chain 
>>>using individual certs stored in the truststore, the intermediate 
>>>cert must have the issuing cert stored as part of the certificate 
>>>chain entry.
>>>Colm.
>>>
>>>On Tue, Apr 7, 2015 at 1:02 PM,
>>><St...@faa.gov>>
>>>wrote:
>>>Colm -
>>>
>>>That is the case, at least I thought it was. The truststore has certs 
>>>for the issuer, intermediate, and root CA, plus a few other 
>>>miscellaneous certs. I'll run it through the debugger later this 
>>>morning and see what turns up.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh
>>>[mailto:coheigea@apache.org<ma...@apache.org>]
>>>Sent: Tuesday, April 07, 2015 7:59 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>"getX509Certificates" calls "getCertificates" which (first) calls 
>>>"getCertificateChain" on the keystore. Your intermediate CA should 
>>>have the issuing CA certs stored as part of the entry in the 
>>>keystore/truststore. Is this not the case? Can you debug into
>>>getCertificates() and find out why it is only returning a single cert?
>>>Colm.
>>>
>>>On Fri, Apr 3, 2015 at 3:34 PM,
>>><St...@faa.gov>>
>>>wrote:
>>>Colm -
>>>
>>>While I was mucking around in Merlin, I noted that in the "second step"
>>>section of verifyTrust, only the immediate issuer of the cert to be 
>>>checked is added to the cert path (at least in my case, when 
>>>getX509Certificates only returns a single cert rather than a cert 
>>>chain).
>>>I have a requirement to validate all the certs in the cert path, 
>>>which in my case has an additional intermediate before getting to the 
>>>trust anchor. I'm able to loop there and get everything into the cert 
>>>path, which seems to get everything revocation checked so that is 
>>>good. But I was curious why only the immediate issuer was added to 
>>>begin with - is there some issue I should be considering that I'm not?
>>>
>>>There's also an open question (or rather, open disagreement) about 
>>>revocation checking the Root CA cert, but this list is probably not 
>>>the right place for that discussion.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Friday, April 03, 2015 9:56 AM
>>>To: users@cxf.apache.org<ma...@cxf.apache.org>;
>>>coheigea@apache.org<ma...@apache.org>
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Colm -
>>>
>>>No, I don't have any better suggestions. In fact, subclassing Merlin 
>>>and adding a method to configure additional PKIX parameters is 
>>>exactly what I did.
>>>
>>>Thanx,
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Colm O hEigeartaigh
>>>[mailto:coheigea@apache.org<ma...@apache.org>]
>>>Sent: Friday, April 03, 2015 9:47 AM
>>>To: users@cxf.apache.org<ma...@cxf.apache.org>
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Hi Stephen,
>>>
>>>There is no way to add CertPathCheckers at the moment, beyond 
>>>subclassing Merlin and overriding the "verifyTrust" method. I could 
>>>add a method to customize the PKIXParameters object though, that 
>>>could be overridden by a subclass though which would be better. Or do 
>>>you have any other suggestions?
>>>
>>>Colm.
>>>
>>>On Tue, Mar 24, 2015 at 8:11 PM,
>>><St...@faa.gov>>
>>>wrote:
>>>
>>>> I have a requirement to use a custom CertPathChecker in my code.
>>>>With "bare" JVM, I can add the checker to my PKIXParameters and 
>>>>validate away.
>>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any 
>>>>hooks to add a custom checker or customize the PKIXParameters that 
>>>>are being used.
>>>> Is there some other means for adding a custom checker to the list 
>>>>that  isn't so obvious? I could subclass Merlin and sort of brute 
>>>>force it  in if necessary, but if there's another way to set that up 
>>>>I would  much rather do that.
>>>>
>>>> Stephen W. Chappell
>>>>
>>>
>>>
>>>
>>>--
>>>Colm O hEigeartaigh
>>>
>>>Talend Community Coder
>>>http://coders.talend.com
>>>
>>
>>
>
>



Re: Using a custom CertPathChecker

Posted by Vishnu Radhakrishnan <vi...@10point1.com>.
As far as I know you can’t do private keys with PKCS7 format. Try the
PKCS12 format.


Vishnu

On 2015-04-07, 13:35, "Stephen.CTR.Chappell@faa.gov"
<St...@faa.gov> wrote:

>So here is where I am at ...
>
>* If I cat the certificate pem files together, only one cert ever gets
>imported no matter the order of cat'ing. Removing the ----- BEGIN and
>---- END tags doesn't help at all
>* If I use openssl crl2pkcs7 to create a pkcs7 file containing all the
>certs, keytool won't import it (java.lang.Exception: Input not an X.509
>certificate)
>* pkcs12 is not an option because there are no private keys - this is a
>trust store only
>
>I'm about out of ideas for this, and from what I can see JKS files only
>really want to have certificate chains when there is a private key
>involved. I subclassed Merlin to build a trust chain, as I described in
>the original email, so I guess I will stick with that solution.
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Chappell, Stephen CTR (FAA)
>Sent: Tuesday, April 07, 2015 12:22 PM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: RE: Using a custom CertPathChecker
>
>I thought I needed PKCS7, not PKCS12?
>
>Stephen W. Chappell
>-----Original Message-----
>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>Sent: Tuesday, April 07, 2015 11:01 AM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: Re: Using a custom CertPathChecker
>
>keytool -list -storetype PKCS12 -file filename.pkcs12 -v: see how many
>certificates are listed before you import the keystore into JKS format.
>Also check the alias on the certs; if they are the same they won't be
>imported, as by default mykey is assigned as the alias.
>
>Vishnu
>
>
>On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov"
><St...@faa.gov> wrote:
>
>>Thanx, Vishnu. I saw that, and spent most of the morning trying to
>>build a cert chain that way. I started with PEM certs, cat'd them
>>together in the correct order, converted them to PKCS7 with openssl
>>crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool
>>only imported one cert, not the whole chain. Maybe this is a Java issue
>>(I'm using Java 6), but the man page says it should work. It also says
>>that if you import a cert with a private key, that it'll build a cert
>>chain ... when I tried that with a server cert I had, it built a cert
>>chain of length 1 instead of 3. That's when I posted the question.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>>Sent: Tuesday, April 07, 2015 10:28 AM
>>To: users@cxf.apache.org; coheigea@apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>From the keytool man page: it imports the certificate chain if the input is given
>>in
>>PKCS#7 format; otherwise only the single certificate is imported. You
>>should be able to convert certificates to PKCS#7 format with openssl,
>>via the openssl crl2pkcs7 command.
>>
>>
>>On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov"
>><St...@faa.gov> wrote:
>>
>>>Colm -
>>>
>>>This seems like it should be easier than it is, but can you point me
>>>to a resource for properly building a truststore with a certificate
>>>chain?
>>>I have separate keystores and trust stores for the STS, and the
>>>truststore should have a chain something like:
>>>
>>>Root CA >>> Intermediate CA >>> Issuing CA
>>>
>>>I had thought that if I added them with keytool in the right order,
>>>that keytool would establish a cert chain. Instead it just adds them
>>>as individual certificates with no cert chain to be found.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Tuesday, April 07, 2015 8:21 AM
>>>To: coheigea@apache.org
>>>Cc: users@cxf.apache.org
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Well, that must be the issue. I just ran it through the debugger, and
>>>getCertificateChain is returning null each time. I've added code in my
>>>subclassed Merlin to be able to walk up the tree, but it'd be more
>>>efficient if the truststore was built properly so I'll try to figure
>>>that out.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>>Sent: Tuesday, April 07, 2015 8:12 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Ok cool. Just bear in mind that WSS4J won't wire up the trust chain
>>>using individual certs stored in the truststore, the intermediate cert
>>>must have the issuing cert stored as part of the certificate chain
>>>entry.
>>>Colm.
>>>
>>>On Tue, Apr 7, 2015 at 1:02 PM,
>>><St...@faa.gov>>
>>>wrote:
>>>Colm -
>>>
>>>That is the case, at least I thought it was. The truststore has certs
>>>for the issuer, intermediate, and root CA, plus a few other
>>>miscellaneous certs. I'll run it through the debugger later this
>>>morning and see what turns up.
>>>
>>>Stephen W. Chappell
>>>
>>>From: Colm O hEigeartaigh
>>>[mailto:coheigea@apache.org<ma...@apache.org>]
>>>Sent: Tuesday, April 07, 2015 7:59 AM
>>>To: Chappell, Stephen CTR (FAA)
>>>Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>"getX509Certificates" calls "getCertificates" which (first) calls
>>>"getCertificateChain" on the keystore. Your intermediate CA should
>>>have the issuing CA certs stored as part of the entry in the
>>>keystore/truststore. Is this not the case? Can you debug into
>>>getCertificates() and find out why it is only returning a single cert?
>>>Colm.
>>>
>>>On Fri, Apr 3, 2015 at 3:34 PM,
>>><St...@faa.gov>>
>>>wrote:
>>>Colm -
>>>
>>>While I was mucking around in Merlin, I noted that in the "second step"
>>>section of verifyTrust, only the immediate issuer of the cert to be
>>>checked is added to the cert path (at least in my case, when
>>>getX509Certificates only returns a single cert rather than a cert
>>>chain).
>>>I have a requirement to validate all the certs in the cert path, which
>>>in my case has an additional intermediate before getting to the trust
>>>anchor. I'm able to loop there and get everything into the cert path,
>>>which seems to get everything revocation checked so that is good. But
>>>I was curious why only the immediate issuer was added to begin with -
>>>is there some issue I should be considering that I'm not?
>>>
>>>There's also an open question (or rather, open disagreement) about
>>>revocation checking the Root CA cert, but this list is probably not
>>>the right place for that discussion.
>>>
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Chappell, Stephen CTR (FAA)
>>>Sent: Friday, April 03, 2015 9:56 AM
>>>To: users@cxf.apache.org<ma...@cxf.apache.org>;
>>>coheigea@apache.org<ma...@apache.org>
>>>Subject: RE: Using a custom CertPathChecker
>>>
>>>Colm -
>>>
>>>No, I don't have any better suggestions. In fact, subclassing Merlin
>>>and adding a method to configure additional PKIX parameters is exactly
>>>what I did.
>>>
>>>Thanx,
>>>Stephen W. Chappell
>>>
>>>-----Original Message-----
>>>From: Colm O hEigeartaigh
>>>[mailto:coheigea@apache.org<ma...@apache.org>]
>>>Sent: Friday, April 03, 2015 9:47 AM
>>>To: users@cxf.apache.org<ma...@cxf.apache.org>
>>>Subject: Re: Using a custom CertPathChecker
>>>
>>>Hi Stephen,
>>>
>>>There is no way to add CertPathCheckers at the moment, beyond
>>>subclassing Merlin and overriding the "verifyTrust" method. I could
>>>add a method to customize the PKIXParameters object though, that could
>>>be overridden by a subclass though which would be better. Or do you
>>>have any other suggestions?
>>>
>>>Colm.
>>>
>>>On Tue, Mar 24, 2015 at 8:11 PM,
>>><St...@faa.gov>>
>>>wrote:
>>>
>>>> I have a requirement to use a custom CertPathChecker in my code.
>>>>With "bare" JVM, I can add the checker to my PKIXParameters and
>>>>validate away.
>>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
>>>>hooks to add a custom checker or customize the PKIXParameters that
>>>>are being used.
>>>> Is there some other means for adding a custom checker to the list
>>>>that  isn't so obvious? I could subclass Merlin and sort of brute
>>>>force it  in if necessary, but if there's another way to set that up
>>>>I would  much rather do that.
>>>>
>>>> Stephen W. Chappell
>>>>
>>>
>>>
>>>
>>>--
>>>Colm O hEigeartaigh
>>>
>>>Talend Community Coder
>>>http://coders.talend.com
>>>
>>
>>
>
>



RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
So here is where I am at ...

* If I cat the certificate pem files together, only one cert ever gets imported no matter the order of cat'ing. Removing the ----- BEGIN and ---- END tags doesn't help at all
* If I use openssl crl2pkcs7 to create a pkcs7 file containing all the certs, keytool won't import it (java.lang.Exception: Input not an X.509 certificate)
* pkcs12 is not an option because there are no private keys - this is a trust store only

I'm about out of ideas for this, and from what I can see JKS files only really want to have certificate chains when there is a private key involved. I subclassed Merlin to build a trust chain, as I described in the original email, so I guess I will stick with that solution.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, April 07, 2015 12:22 PM
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Using a custom CertPathChecker

I thought I needed PKCS7, not PKCS12?

Stephen W. Chappell
-----Original Message-----
From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
Sent: Tuesday, April 07, 2015 11:01 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: Re: Using a custom CertPathChecker

keytool -list -storetype PKCS12 -file filename.pkcs12 -v: see how many certificates are listed before you import the keystore into JKS format.
Also check the alias on the certs; if they are the same they won't be imported, as by default mykey is assigned as the alias.

Vishnu


On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov"
<St...@faa.gov> wrote:

>Thanx, Vishnu. I saw that, and spent most of the morning trying to 
>build a cert chain that way. I started with PEM certs, cat'd them 
>together in the correct order, converted them to PKCS7 with openssl 
>crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool 
>only imported one cert, not the whole chain. Maybe this is a Java issue 
>(I'm using Java 6), but the man page says it should work. It also says 
>that if you import a cert with a private key, that it'll build a cert 
>chain ... when I tried that with a server cert I had, it built a cert 
>chain of length 1 instead of 3. That's when I posted the question.
>
>Stephen W. Chappell
>
>-----Original Message-----
>From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com]
>Sent: Tuesday, April 07, 2015 10:28 AM
>To: users@cxf.apache.org; coheigea@apache.org
>Subject: Re: Using a custom CertPathChecker
>
>From the keytool man page: it imports the certificate chain if the input is given 
>in
>PKCS#7 format; otherwise only the single certificate is imported. You 
>should be able to convert certificates to PKCS#7 format with openssl, 
>via the openssl crl2pkcs7 command.
>
>
>On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov"
><St...@faa.gov> wrote:
>
>>Colm -
>>
>>This seems like it should be easier than it is, but can you point me 
>>to a resource for properly building a truststore with a certificate chain?
>>I have separate keystores and trust stores for the STS, and the 
>>truststore should have a chain something like:
>>
>>Root CA >>> Intermediate CA >>> Issuing CA
>>
>>I had thought that if I added them with keytool in the right order, 
>>that keytool would establish a cert chain. Instead it just adds them 
>>as individual certificates with no cert chain to be found.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Chappell, Stephen CTR (FAA)
>>Sent: Tuesday, April 07, 2015 8:21 AM
>>To: coheigea@apache.org
>>Cc: users@cxf.apache.org
>>Subject: RE: Using a custom CertPathChecker
>>
>>Well, that must be the issue. I just ran it through the debugger, and 
>>getCertificateChain is returning null each time. I've added code in my 
>>subclassed Merlin to be able to walk up the tree, but it'd be more 
>>efficient if the truststore was built properly so I'll try to figure 
>>that out.
>>
>>Stephen W. Chappell
>>
>>From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
>>Sent: Tuesday, April 07, 2015 8:12 AM
>>To: Chappell, Stephen CTR (FAA)
>>Cc: users@cxf.apache.org
>>Subject: Re: Using a custom CertPathChecker
>>
>>Ok cool. Just bear in mind that WSS4J won't wire up the trust chain 
>>using individual certs stored in the truststore, the intermediate cert 
>>must have the issuing cert stored as part of the certificate chain entry.
>>Colm.
>>
>>On Tue, Apr 7, 2015 at 1:02 PM,
>><St...@faa.gov>>
>>wrote:
>>Colm -
>>
>>That is the case, at least I thought it was. The truststore has certs 
>>for the issuer, intermediate, and root CA, plus a few other 
>>miscellaneous certs. I'll run it through the debugger later this 
>>morning and see what turns up.
>>
>>Stephen W. Chappell
>>
>>From: Colm O hEigeartaigh
>>[mailto:coheigea@apache.org<ma...@apache.org>]
>>Sent: Tuesday, April 07, 2015 7:59 AM
>>To: Chappell, Stephen CTR (FAA)
>>Cc: users@cxf.apache.org<ma...@cxf.apache.org>
>>Subject: Re: Using a custom CertPathChecker
>>
>>"getX509Certificates" calls "getCertificates" which (first) calls 
>>"getCertificateChain" on the keystore. Your intermediate CA should 
>>have the issuing CA certs stored as part of the entry in the 
>>keystore/truststore. Is this not the case? Can you debug into
>>getCertificates() and find out why it is only returning a single cert?
>>Colm.
>>
>>On Fri, Apr 3, 2015 at 3:34 PM,
>><St...@faa.gov>>
>>wrote:
>>Colm -
>>
>>While I was mucking around in Merlin, I noted that in the "second step"
>>section of verifyTrust, only the immediate issuer of the cert to be 
>>checked is added to the cert path (at least in my case, when 
>>getX509Certificates only returns a single cert rather than a cert chain).
>>I have a requirement to validate all the certs in the cert path, which 
>>in my case has an additional intermediate before getting to the trust 
>>anchor. I'm able to loop there and get everything into the cert path, 
>>which seems to get everything revocation checked so that is good. But 
>>I was curious why only the immediate issuer was added to begin with - 
>>is there some issue I should be considering that I'm not?
>>
>>There's also an open question (or rather, open disagreement) about 
>>revocation checking the Root CA cert, but this list is probably not 
>>the right place for that discussion.
>>
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Chappell, Stephen CTR (FAA)
>>Sent: Friday, April 03, 2015 9:56 AM
>>To: users@cxf.apache.org<ma...@cxf.apache.org>;
>>coheigea@apache.org<ma...@apache.org>
>>Subject: RE: Using a custom CertPathChecker
>>
>>Colm -
>>
>>No, I don't have any better suggestions. In fact, subclassing Merlin 
>>and adding a method to configure additional PKIX parameters is exactly 
>>what I did.
>>
>>Thanx,
>>Stephen W. Chappell
>>
>>-----Original Message-----
>>From: Colm O hEigeartaigh
>>[mailto:coheigea@apache.org<ma...@apache.org>]
>>Sent: Friday, April 03, 2015 9:47 AM
>>To: users@cxf.apache.org<ma...@cxf.apache.org>
>>Subject: Re: Using a custom CertPathChecker
>>
>>Hi Stephen,
>>
>>There is no way to add CertPathCheckers at the moment, beyond 
>>subclassing Merlin and overriding the "verifyTrust" method. I could 
>>add a method to customize the PKIXParameters object though, that could 
>>be overridden by a subclass though which would be better. Or do you 
>>have any other suggestions?
>>
>>Colm.
>>
>>On Tue, Mar 24, 2015 at 8:11 PM,
>><St...@faa.gov>>
>>wrote:
>>
>>> I have a requirement to use a custom CertPathChecker in my code. 
>>>With "bare" JVM, I can add the checker to my PKIXParameters and 
>>>validate away.
>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any 
>>>hooks to add a custom checker or customize the PKIXParameters that 
>>>are being used.
>>> Is there some other means for adding a custom checker to the list 
>>>that  isn't so obvious? I could subclass Merlin and sort of brute 
>>>force it  in if necessary, but if there's another way to set that up 
>>>I would  much rather do that.
>>>
>>> Stephen W. Chappell
>>>
>>
>>
>>
>>--
>>Colm O hEigeartaigh
>>
>>Talend Community Coder
>>http://coders.talend.com
>>
>
>



RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
I thought I needed PKCS7, not PKCS12?

Stephen W. Chappell
-----Original Message-----
From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com] 
Sent: Tuesday, April 07, 2015 11:01 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: Re: Using a custom CertPathChecker

keytool -list -storetype PKCS12 -file filename.pkcs12 -v: see how many certificates are listed before you import the keystore into JKS format.
Also check the alias on the certs: if they are the same they won't be imported; by default, mykey is assigned as the alias.

Vishnu





Re: Using a custom CertPathChecker

Posted by Vishnu Radhakrishnan <vi...@10point1.com>.
keytool -list -storetype PKCS12 -file filename.pkcs12 -v: see how many
certificates are listed before you import the keystore into JKS format.
Also check the alias on the certs: if they are the same they won't be
imported; by default, mykey is assigned as the alias.

Vishnu


On 2015-04-07, 10:42, "Stephen.CTR.Chappell@faa.gov"
<St...@faa.gov> wrote:

>Thanx, Vishnu. I saw that, and spent most of the morning trying to build
>a cert chain that way. I started with PEM certs, cat'd them together in
>the correct order, converted them to PKCS7 with openssl crl2pkcs7, and
>imported the pkcs7 with keytool. In every case, keytool only imported one
>cert, not the whole chain. Maybe this is a Java issue (I'm using Java 6),
>but the man page says it should work. It also says that if you import a
>cert with a private key, that it'll build a cert chain ... when I tried
>that with a server cert I had, it built a cert chain of length 1 instead
>of 3. That's when I posted the question.
>
>Stephen W. Chappell



RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Thanx, Vishnu. I saw that, and spent most of the morning trying to build a cert chain that way. I started with PEM certs, cat'd them together in the correct order, converted them to PKCS7 with openssl crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool only imported one cert, not the whole chain. Maybe this is a Java issue (I'm using Java 6), but the man page says it should work. It also says that if you import a cert with a private key, that it'll build a cert chain ... when I tried that with a server cert I had, it built a cert chain of length 1 instead of 3. That's when I posted the question. 

Stephen W. Chappell

-----Original Message-----
From: Vishnu Radhakrishnan [mailto:vishnu@10point1.com] 
Sent: Tuesday, April 07, 2015 10:28 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: Re: Using a custom CertPathChecker

From the keytool man - it imports certificate chain, if input is given in
PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via openssl crl2pkcs7 command.





Re: Using a custom CertPathChecker

Posted by Vishnu Radhakrishnan <vi...@10point1.com>.
From the keytool man - it imports certificate chain, if input is given in
PKCS#7 format, otherwise only the single certificate is imported. You
should be able to convert certificates to PKCS#7 format with openssl, via
openssl crl2pkcs7 command.


On 2015-04-07, 10:17, "Stephen.CTR.Chappell@faa.gov"
<St...@faa.gov> wrote:

>Colm -
>
>This seems like it should be easier than it is, but can you point me to a
>resource for properly building a truststore with a certificate chain? I
>have separate keystores and trust stores for the STS, and the truststore
>should have a chain something like:
>
>Root CA >>> Intermediate CA >>> Issuing CA
>
>I had thought that if I added them with keytool in the right order, that
>keytool would establish a cert chain. Instead it just adds them as
>individual certificates with no cert chain to be found.
>
>Stephen W. Chappell



RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Colm -

This seems like it should be easier than it is, but can you point me to a resource for properly building a truststore with a certificate chain? I have separate keystores and trust stores for the STS, and the truststore should have a chain something like:

Root CA >>> Intermediate CA >>> Issuing CA

I had thought that if I added them with keytool in the right order, that keytool would establish a cert chain. Instead it just adds them as individual certificates with no cert chain to be found.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, April 07, 2015 8:21 AM
To: coheigea@apache.org
Cc: users@cxf.apache.org
Subject: RE: Using a custom CertPathChecker

Well, that must be the issue. I just ran it through the debugger, and getCertificateChain is returning null each time. I’ve added code in my subclassed Merlin to be able to walk up the tree, but it’d be more efficient if the truststore was built properly so I’ll try to figure that out.

Stephen W. Chappell

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Tuesday, April 07, 2015 8:12 AM
To: Chappell, Stephen CTR (FAA)
Cc: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using individual certs stored in the truststore, the intermediate cert must have the issuing cert stored as part of the certificate chain entry.
Colm.

On Tue, Apr 7, 2015 at 1:02 PM, <St...@faa.gov>> wrote:
Colm –

That is the case, at least I thought it was. The truststore has certs for the issuer, intermediate, and root CA, plus a few other miscellaneous certs. I’ll run it through the debugger later this morning and see what turns up.

Stephen W. Chappell

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<ma...@apache.org>]
Sent: Tuesday, April 07, 2015 7:59 AM
To: Chappell, Stephen CTR (FAA)
Cc: users@cxf.apache.org<ma...@cxf.apache.org>
Subject: Re: Using a custom CertPathChecker

"getX509Certificates" calls "getCertificates" which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?
Colm.

On Fri, Apr 3, 2015 at 3:34 PM, <St...@faa.gov>> wrote:
Colm -

While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?

There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Friday, April 03, 2015 9:56 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Using a custom CertPathChecker

Colm -

No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday, April 03, 2015 9:47 AM
To: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:

> I have a requirement to use a custom CertPathChecker in my code. With 
> "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any 
> hooks to add a custom checker or customize the PKIXParameters that are being used.
> Is there some other means for adding a custom checker to the list that 
> isn't so obvious? I could subclass Merlin and sort of brute force it 
> in if necessary, but if there's another way to set that up I would 
> much rather do that.
>
> Stephen W. Chappell
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Well, that must be the issue. I just ran it through the debugger, and getCertificateChain is returning null each time. I’ve added code in my subclassed Merlin to be able to walk up the tree, but it’d be more efficient if the truststore was built properly so I’ll try to figure that out.

Stephen W. Chappell

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Tuesday, April 07, 2015 8:12 AM
To: Chappell, Stephen CTR (FAA)
Cc: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using individual certs stored in the truststore; the intermediate cert must have the issuing cert stored as part of the certificate chain entry.
Colm.

On Tue, Apr 7, 2015 at 1:02 PM, <St...@faa.gov> wrote:
Colm –

That is the case, at least I thought it was. The truststore has certs for the issuer, intermediate, and root CA, plus a few other miscellaneous certs. I’ll run it through the debugger later this morning and see what turns up.

Stephen W. Chappell

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Tuesday, April 07, 2015 7:59 AM
To: Chappell, Stephen CTR (FAA)
Cc: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

"getX509Certificates" calls "getCertificates" which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?
Colm.

On Fri, Apr 3, 2015 at 3:34 PM, <St...@faa.gov> wrote:
Colm -

While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?

There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Friday, April 03, 2015 9:56 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Using a custom CertPathChecker

Colm -

No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday, April 03, 2015 9:47 AM
To: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:

> I have a requirement to use a custom CertPathChecker in my code. With
> "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> hooks to add a custom checker or customize the PKIXParameters that are being used.
> Is there some other means for adding a custom checker to the list that
> isn't so obvious? I could subclass Merlin and sort of brute force it
> in if necessary, but if there's another way to set that up I would
> much rather do that.
>
> Stephen W. Chappell
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
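
An added diagnostic, not code from WSS4J, Merlin or either poster, that shows the JDK behaviour behind the null reported in the message above: KeyStore.getCertificateChain(alias) returns a chain only for key entries (those created with setKeyEntry or a PrivateKeyEntry); for a trusted-certificate entry, which is what "keytool -importcert" produces, it returns null. The program lists each alias, reports whether the entry carries a stored chain, and where it does not, rebuilds the path the way the "walk up the tree" fallback has to, by finding issuers among the store's own certificates and verifying each signature rather than matching on subject name alone. The class name, the command-line arguments and the keystore file are assumptions; the keystore type is the JDK default.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Truststore chain diagnostic (added example; not WSS4J or Merlin code).
 * Usage (assumed): java TruststoreChainCheck <truststore.jks> <password>
 *
 * KeyStore.getCertificateChain(alias) yields a chain only for key entries;
 * for trusted-certificate entries it returns null, so a truststore built from
 * individually imported CA certs never produces a chain from that call.
 */
public class TruststoreChainCheck {

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<X509Certificate> pool = allCertificates(ks);

        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted-cert entry";
            Certificate[] stored = ks.getCertificateChain(alias);
            if (stored != null) {
                System.out.printf("%s (%s): stored chain of %d cert(s)%n",
                        alias, kind, stored.length);
                continue;
            }
            // No stored chain: reconstruct it from the other certs in the store.
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            List<X509Certificate> rebuilt = walkIssuers(leaf, pool);
            X509Certificate top = rebuilt.get(rebuilt.size() - 1);
            System.out.printf("%s (%s): no stored chain; issuer walk found %d cert(s),"
                            + " reaches a self-signed cert: %b%n",
                    alias, kind, rebuilt.size(), isSelfSigned(top));
        }
    }

    /** Every X.509 certificate in the store, whatever the entry type. */
    static List<X509Certificate> allCertificates(KeyStore ks) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /**
     * Starting at leaf, repeatedly pick the pool certificate whose subject matches
     * the current issuer AND whose key verifies the current signature. Stops at a
     * self-signed certificate or when no issuer is found; the loop is bounded by
     * the pool size so a malformed store cannot spin forever.
     */
    static List<X509Certificate> walkIssuers(X509Certificate leaf, List<X509Certificate> pool) {
        List<X509Certificate> path = new ArrayList<>();
        X509Certificate current = leaf;
        path.add(current);
        while (!isSelfSigned(current) && path.size() <= pool.size()) {
            X509Certificate issuer = findIssuer(current, pool);
            if (issuer == null) {
                break;
            }
            path.add(issuer);
            current = issuer;
        }
        return path;
    }

    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                cert.verify(candidate.getPublicKey()); // a name match alone is not enough
                return candidate;
            } catch (Exception wrongKey) {
                // same issuer name but a different key (e.g. a re-keyed CA); keep looking
            }
        }
        return null;
    }

    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
```

A chain can only be attached to a key entry, so a truststore made of trusted-certificate entries alone always takes the fallback branch; the issuer walk stops at a self-signed certificate or when no verifying issuer exists, and the signature check is what stops a certificate with a spoofed issuer name from being spliced into the path.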

Re: Using a custom CertPathChecker

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using
individual certs stored in the truststore; the intermediate cert must have
the issuing cert stored as part of the certificate chain entry.

Colm.

On Tue, Apr 7, 2015 at 1:02 PM, <St...@faa.gov> wrote:

>  Colm –
>
>
>
> That is the case, at least I thought it was. The truststore has certs for
> the issuer, intermediate, and root CA, plus a few other miscellaneous
> certs. I’ll run it through the debugger later this morning and see what
> turns up.
>
>
>
> *Stephen W. Chappell*
>
>
>
> *From:* Colm O hEigeartaigh [mailto:coheigea@apache.org]
> *Sent:* Tuesday, April 07, 2015 7:59 AM
> *To:* Chappell, Stephen CTR (FAA)
> *Cc:* users@cxf.apache.org
> *Subject:* Re: Using a custom CertPathChecker
>
>
>
> "getX509Certificates" calls "getCertificates" which (first) calls
> "getCertificateChain" on the keystore. Your intermediate CA should have the
> issuing CA certs stored as part of the entry in the keystore/truststore. Is
> this not the case? Can you debug into getCertificates() and find out why it
> is only returning a single cert?
>
> Colm.
>
>
>
> On Fri, Apr 3, 2015 at 3:34 PM, <St...@faa.gov> wrote:
>
> Colm -
>
> While I was mucking around in Merlin, I noted that in the "second step"
> section of verifyTrust, only the immediate issuer of the cert to be checked
> is added to the cert path (at least in my case, when getX509Certificates
> only returns a single cert rather than a cert chain). I have a requirement
> to validate all the certs in the cert path, which in my case has an
> additional intermediate before getting to the trust anchor. I'm able to
> loop there and get everything into the cert path, which seems to get
> everything revocation checked so that is good. But I was curious why only
> the immediate issuer was added to begin with - is there some issue I should
> be considering that I'm not?
>
> There's also an open question (or rather, open disagreement) about
> revocation checking the Root CA cert, but this list is probably not the
> right place for that discussion.
>
> Stephen W. Chappell
>
> -----Original Message-----
>
> From: Chappell, Stephen CTR (FAA)
> Sent: Friday, April 03, 2015 9:56 AM
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: RE: Using a custom CertPathChecker
>
> Colm -
>
> No, I don't have any better suggestions. In fact, subclassing Merlin and
> adding a method to configure additional PKIX parameters is exactly what I
> did.
>
> Thanx,
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, April 03, 2015 9:47 AM
> To: users@cxf.apache.org
> Subject: Re: Using a custom CertPathChecker
>
> Hi Stephen,
>
> There is no way to add CertPathCheckers at the moment, beyond subclassing
> Merlin and overriding the "verifyTrust" method. I could add a method to
> customize the PKIXParameters object, though, that could be overridden by a
> subclass, which would be better. Or do you have any other suggestions?
>
> Colm.
>
> On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:
>
> > I have a requirement to use a custom CertPathChecker in my code. With
> > "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> > But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> > hooks to add a custom checker or customize the PKIXParameters that are
> being used.
> > Is there some other means for adding a custom checker to the list that
> > isn't so obvious? I could subclass Merlin and sort of brute force it
> > in if necessary, but if there's another way to set that up I would
> > much rather do that.
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Colm –

That is the case, at least I thought it was. The truststore has certs for the issuer, intermediate, and root CA, plus a few other miscellaneous certs. I’ll run it through the debugger later this morning and see what turns up.

Stephen W. Chappell

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Tuesday, April 07, 2015 7:59 AM
To: Chappell, Stephen CTR (FAA)
Cc: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

"getX509Certificates" calls "getCertificates" which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?
Colm.

On Fri, Apr 3, 2015 at 3:34 PM, <St...@faa.gov> wrote:
Colm -

While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?

There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Friday, April 03, 2015 9:56 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Using a custom CertPathChecker

Colm -

No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday, April 03, 2015 9:47 AM
To: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:

> I have a requirement to use a custom CertPathChecker in my code. With
> "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> hooks to add a custom checker or customize the PKIXParameters that are being used.
> Is there some other means for adding a custom checker to the list that
> isn't so obvious? I could subclass Merlin and sort of brute force it
> in if necessary, but if there's another way to set that up I would
> much rather do that.
>
> Stephen W. Chappell
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Using a custom CertPathChecker

Posted by Colm O hEigeartaigh <co...@apache.org>.
"getX509Certificates" calls "getCertificates" which (first) calls
"getCertificateChain" on the keystore. Your intermediate CA should have the
issuing CA certs stored as part of the entry in the keystore/truststore. Is
this not the case? Can you debug into getCertificates() and find out why it
is only returning a single cert?

Colm.

On Fri, Apr 3, 2015 at 3:34 PM, <St...@faa.gov> wrote:

> Colm -
>
> While I was mucking around in Merlin, I noted that in the "second step"
> section of verifyTrust, only the immediate issuer of the cert to be checked
> is added to the cert path (at least in my case, when getX509Certificates
> only returns a single cert rather than a cert chain). I have a requirement
> to validate all the certs in the cert path, which in my case has an
> additional intermediate before getting to the trust anchor. I'm able to
> loop there and get everything into the cert path, which seems to get
> everything revocation checked so that is good. But I was curious why only
> the immediate issuer was added to begin with - is there some issue I should
> be considering that I'm not?
>
> There's also an open question (or rather, open disagreement) about
> revocation checking the Root CA cert, but this list is probably not the
> right place for that discussion.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Friday, April 03, 2015 9:56 AM
> To: users@cxf.apache.org; coheigea@apache.org
> Subject: RE: Using a custom CertPathChecker
>
> Colm -
>
> No, I don't have any better suggestions. In fact, subclassing Merlin and
> adding a method to configure additional PKIX parameters is exactly what I
> did.
>
> Thanx,
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, April 03, 2015 9:47 AM
> To: users@cxf.apache.org
> Subject: Re: Using a custom CertPathChecker
>
> Hi Stephen,
>
> There is no way to add CertPathCheckers at the moment, beyond subclassing
> Merlin and overriding the "verifyTrust" method. I could add a method to
> customize the PKIXParameters object, though, that could be overridden by a
> subclass, which would be better. Or do you have any other suggestions?
>
> Colm.
>
> On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:
>
> > I have a requirement to use a custom CertPathChecker in my code. With
> > "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> > But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> > hooks to add a custom checker or customize the PKIXParameters that are
> being used.
> > Is there some other means for adding a custom checker to the list that
> > isn't so obvious? I could subclass Merlin and sort of brute force it
> > in if necessary, but if there's another way to set that up I would
> > much rather do that.
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Colm -

While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?

There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Friday, April 03, 2015 9:56 AM
To: users@cxf.apache.org; coheigea@apache.org
Subject: RE: Using a custom CertPathChecker

Colm -

No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday, April 03, 2015 9:47 AM
To: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:

> I have a requirement to use a custom CertPathChecker in my code. With 
> "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any 
> hooks to add a custom checker or customize the PKIXParameters that are being used.
> Is there some other means for adding a custom checker to the list that 
> isn't so obvious? I could subclass Merlin and sort of brute force it 
> in if necessary, but if there's another way to set that up I would 
> much rather do that.
>
> Stephen W. Chappell
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
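
An added example, not Merlin's verifyTrust and not code from either poster, of the "bare JVM" route the original question mentions: a custom PKIXCertPathChecker registered through PKIXParameters.addCertPathChecker and run by CertPathValidator over every certificate in a path that already contains each intermediate, with revocation handled by the JDK's own PKIXRevocationChecker. The NoSha1Checker policy, the class and method names, and the caller supplying a leaf-first list of certificates plus a separate set of root certificates are assumptions.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Full-path validation with a custom PKIXCertPathChecker (added example,
 * not Merlin's verifyTrust). Assumes the caller has assembled the path
 * leaf-first with every intermediate and holds the trusted roots separately.
 */
public class FullPathValidation {

    /**
     * Hypothetical policy checker: refuse any certificate in the path whose
     * signature algorithm uses SHA-1. The validator calls check() once per
     * certificate in the CertPath, so the rule covers the intermediates too.
     */
    static final class NoSha1Checker extends PKIXCertPathChecker {
        @Override
        public void init(boolean forward) throws CertPathValidatorException {
            // PKIX validation hands certificates over from the anchor toward the leaf.
            if (forward) {
                throw new CertPathValidatorException("forward checking not supported");
            }
        }

        @Override
        public boolean isForwardCheckingSupported() {
            return false;
        }

        @Override
        public Set<String> getSupportedExtensions() {
            return null; // this checker consumes no critical extensions
        }

        @Override
        public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x509 = (X509Certificate) cert;
            if (x509.getSigAlgName().toUpperCase(Locale.ROOT).contains("SHA1")) {
                throw new CertPathValidatorException(
                        "SHA-1 signature on " + x509.getSubjectX500Principal());
            }
        }
    }

    /**
     * @param path  leaf first, then each intermediate, excluding the root
     * @param roots self-signed certificates trusted as anchors
     * @return the validator's result, which names the anchor that was used
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> path,
                                                       Set<X509Certificate> roots)
            throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : roots) {
            anchors.add(new TrustAnchor(root, null));
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);

        // The hook this thread asks for: a custom checker on the parameters.
        params.addCertPathChecker(new NoSha1Checker());

        // Revocation through the JDK's checker; adding it turns revocation checking on
        // for every certificate in the path (the trust anchor is not in the path).
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        params.addCertPathChecker(revocation);

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }
}
```

Each registered checker runs once per certificate in the CertPath, so the "validate all the certs" requirement is met by building the full path before calling validate rather than by changing the checker. The trust anchor is not part of the CertPath and is neither handed to the checkers nor revocation checked by the validator, which is the part of the root-CA question above that the JDK API decides on its own.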

Re: Using a custom CertPathChecker

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok I've now merged a fix to WSS4J for this.

Colm.

On Fri, Apr 3, 2015 at 2:56 PM, <St...@faa.gov> wrote:

> Colm -
>
> No, I don't have any better suggestions. In fact, subclassing Merlin and
> adding a method to configure additional PKIX parameters is exactly what I
> did.
>
> Thanx,
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, April 03, 2015 9:47 AM
> To: users@cxf.apache.org
> Subject: Re: Using a custom CertPathChecker
>
> Hi Stephen,
>
> There is no way to add CertPathCheckers at the moment, beyond subclassing
> Merlin and overriding the "verifyTrust" method. I could add a method to
> customize the PKIXParameters object, though, that could be overridden by a
> subclass, which would be better. Or do you have any other suggestions?
>
> Colm.
>
> On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:
>
> > I have a requirement to use a custom CertPathChecker in my code. With
> > "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> > But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
> > hooks to add a custom checker or customize the PKIXParameters that are
> being used.
> > Is there some other means for adding a custom checker to the list that
> > isn't so obvious? I could subclass Merlin and sort of brute force it
> > in if necessary, but if there's another way to set that up I would
> > much rather do that.
> >
> > Stephen W. Chappell
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Using a custom CertPathChecker

Posted by St...@faa.gov.
Colm -

No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.

Thanx,
Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Friday, April 03, 2015 9:47 AM
To: users@cxf.apache.org
Subject: Re: Using a custom CertPathChecker

Hi Stephen,

There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?

Colm.

On Tue, Mar 24, 2015 at 8:11 PM, <St...@faa.gov> wrote:

> I have a requirement to use a custom CertPathChecker in my code. With 
> "bare" JVM, I can add the checker to my PKIXParameters and validate away.
> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any 
> hooks to add a custom checker or customize the PKIXParameters that are being used.
> Is there some other means for adding a custom checker to the list that 
> isn't so obvious? I could subclass Merlin and sort of brute force it 
> in if necessary, but if there's another way to set that up I would 
> much rather do that.
>
> Stephen W. Chappell
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com