Posted to dev@ws.apache.org by Ma...@fiducia.de on 2011/04/14 15:44:08 UTC

the new Crypto interface...


Hello,

I'm currently trying to migrate my project from wss4j 1.5.x to 1.6. But I
encountered problems with the new Crypto interface. In the old version it
was possible to get all certificates from the keystore (by getting the
KeyStore and so on). But now it is not possible anymore. I can get the
certificates by type (alias, DN, hash, ...), but I can't get all of them.
Or maybe I just don't see the proper method...

My second issue: if I want to validate the trust chain, then I can use the
new method "Crypto.verifyTrust(...)". But it does not check the CRLs. What
do I have to do to check the CRLs?
Up to wss4j 1.5 I could get the KeyStore from the Crypto and then pass it
to the "CertPathValidator" (beside some other needed params). But now I
can't get the KeyStore...

Can someone help me with these issues?

Here are some snippets from my code for a better understanding of these two
problems:
1) - iterating over all certificates:
...
Enumeration<String> aliases = crypto.getKeyStore().aliases(); // <- I can't get the keystore now...
while (aliases.hasMoreElements())
{
   String debugAlias = aliases.nextElement();
   X509Certificate[] debugCertificates = crypto.getCertificates(debugAlias);
...
}

2) - validating the certificate trust chain, with CRLs:
...
CertPath path = crypto.getCertificateFactory().generateCertPath(certList); // <- List<X509Certificate>...
PKIXParameters param = new PKIXParameters(crypto.getKeyStore()); // <- I can't get the keystore now...
param.addCertStore(crlCertStore);
param.setRevocationEnabled(true);
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
CertPathValidatorResult result = certPathValidator.validate(path, param);
...

If I could get the KeyStore, then both my problems would be solved. If I
could get all certificates, then they would be solved too - in the second
case I can generate a set of TrustAnchors from the certificates and pass
it to the PKIXParameters.

Greetings,
Marcin Markiewicz



----------------------------------------------------------------------------------------------------------------------------------------------


Fiducia IT AG
Fiduciastraße 20
76227 Karlsruhe

Registered office: Karlsruhe
Mannheim Local Court, HRB 100059

Chairman of the Supervisory Board: Gregor Scheller
Chairman of the Management Board: Michael Krings
Deputy Chairman of the Management Board: Klaus-Peter Bruns
Management Board: Jens-Olaf Bartels, Hans-Peter Straberger

VAT ID No. DE143582320, http://www.fiducia.de
----------------------------------------------------------------------------------------------------------------------------------------------

Re: the new Crypto interface...

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Marcin,

You can't get the KeyStore object from the Crypto interface any more,
as the Crypto interface is meant to represent an implementation-
independent way of obtaining certificates, etc. However, the default
implementation, which is Merlin, has a "getKeyStore()" method, so you
could just cast the Crypto object to Merlin and you should be set.

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?view=markup

Having said that, there's no reason the Crypto interface can't supply
all of the certificates, so if you want to open a JIRA against 1.6.1
for this then feel free to do so.

By the way, Merlin has its own "verifyTrust" implementation, which
takes care of validating the certificate chain, except it doesn't use
CRLs. It's something I've been meaning to look into, but haven't had
the time - I'm not sure off-hand why CRL revocation is turned off. If
it were turned on, would that functionality suit your needs?

Colm.

On Thu, Apr 14, 2011 at 2:44 PM,  <Ma...@fiducia.de> wrote:
> Hello,
>
> I'm currently trying to migrate my project from wss4j 1.5.x to 1.6. But I
> encountered problems with the new Crypto interface. In the old version it
> was possible to get all certificates from the keystore (by getting the
> KeyStore and so on). But now it is not possible anymore. I can get the
> certificates by type (alias, DN, hash, ...), but I can't get all of them.
> Or maybe I just don't see the proper method...
>
> My second issue: if I want to validate the trust chain, then I can use the
> new method "Crypto.verifyTrust(...)". But it does not check the CRLs. What
> do I have to do to check the CRLs?
> Up to wss4j 1.5 I could get the KeyStore from the Crypto and then pass it to
> the "CertPathValidator" (beside some other needed params). But now I can't
> get the KeyStore...
>
> Can someone help me with these issues?
>
> Here are some snippets from my code for a better understanding of these two
> problems:
> 1) - iterating over all certificates:
> ...
> Enumeration<String> aliases = crypto.getKeyStore().aliases(); // <- I can't get the
> keystore now...
> while (aliases.hasMoreElements())
> {
> String debugAlias = aliases.nextElement();
> X509Certificate[] debugCertificates = crypto.getCertificates(debugAlias);
> ...
> }
>
> 2) - validating the certificate trust chain, with CRLs:
> ...
> CertPath path = crypto.getCertificateFactory().generateCertPath(certList);
> // <- List<X509Certificate>...
> PKIXParameters param = new PKIXParameters(crypto.getKeyStore()); // <- I
> can't get the keystore now...
> param.addCertStore(crlCertStore);
> param.setRevocationEnabled(true);
> CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
> CertPathValidatorResult result = certPathValidator.validate(path, param);
> ...
>
> If I could get the KeyStore, then both my problems would be solved. If I
> could get all certificates, then they would be solved too - in the second
> case I can generate a set of TrustAnchors from the certificates and pass it
> to the PKIXParameters.
>
> Greetings,
> Marcin Markiewicz
>

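An added example, not code from this thread or from wss4j, that puts Colm's suggestion (cast the Crypto to Merlin to reach the KeyStore) together with Marcin's second snippet: every trusted-certificate entry in the keystore becomes a TrustAnchor and the chain is PKIX-validated with revocation checking against a collection of CRLs. It assumes wss4j 1.6's Crypto and Merlin in org.apache.ws.security.components.crypto (the package of the linked Merlin.java); the class name CrlAwareTrustValidation and the method names are made up here.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.*;
import java.util.*;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.Merlin;

// Hypothetical class name; glue code around the JDK PKIX API and the Merlin cast.
public class CrlAwareTrustValidation {

    // The Crypto interface hides the KeyStore; Merlin (the default implementation)
    // still exposes it. Fail with a clear message for any other implementation.
    static KeyStore keyStoreOf(Crypto crypto) {
        if (!(crypto instanceof Merlin)) {
            throw new IllegalArgumentException("not a Merlin Crypto: " + crypto.getClass().getName());
        }
        return ((Merlin) crypto).getKeyStore();
    }

    // Only trusted-certificate entries become anchors; the certificate of a
    // private-key entry must never be promoted to a CA the validator trusts.
    static Set<TrustAnchor> trustAnchorsOf(KeyStore ks) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    // PKIX path validation with revocation checking against the supplied CRLs.
    // With revocation enabled, a chain whose CRL is missing fails validation
    // (CertPathValidatorException) instead of passing silently.
    static PKIXCertPathValidatorResult validate(Crypto crypto, List<X509Certificate> chain,
                                                Collection<X509CRL> crls) throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustAnchorsOf(keyStoreOf(crypto)));
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        params.setRevocationEnabled(true);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }
}
```

The chain passed in should be ordered leaf first, as generateCertPath expects, and the CRLs must cover every issuer in the chain or validation throws.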