You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2013/07/17 12:31:37 UTC
svn commit: r1504070 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/crypto/
ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/
ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/
Author: coheigea
Date: Wed Jul 17 10:31:36 2013
New Revision: 1504070
URL: http://svn.apache.org/r1504070
Log:
Refactor Crypto "verifyTrust" interface
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?rev=1504070&r1=1504069&r2=1504070&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java Wed Jul 17 10:31:36 2013
@@ -46,6 +46,9 @@ import org.apache.wss4j.common.ext.WSSec
*/
public class CertificateStore extends CryptoBase {
+ private static final org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(CertificateStore.class);
+
private X509Certificate[] trustedCerts;
/**
@@ -137,16 +140,83 @@ public class CertificateStore extends Cr
*
* @param certs Certificate chain to validate
* @param enableRevocation whether to enable CRL verification or not
- * @return true if the certificate chain is valid, false otherwise
- * @throws WSSecurityException
+ * @throws WSSecurityException if the certificate chain is invalid
*/
- public boolean verifyTrust(
+ public void verifyTrust(
X509Certificate[] certs,
boolean enableRevocation
) throws WSSecurityException {
+ //
+ // FIRST step - Search the trusted certs for the transmitted certificate
+ //
+ if (!enableRevocation) {
+ String issuerString = certs[0].getIssuerX500Principal().getName();
+ BigInteger issuerSerial = certs[0].getSerialNumber();
+
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
+ cryptoType.setIssuerSerial(issuerString, issuerSerial);
+ X509Certificate[] foundCerts = getX509Certificates(cryptoType);
+
+ //
+ // If a certificate has been found, the certificates must be compared
+ // to ensure against phony DNs (compare encoded form including signature)
+ //
+ if (foundCerts != null && foundCerts[0] != null && foundCerts[0].equals(certs[0])) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "Direct trust for certificate with " + certs[0].getSubjectX500Principal().getName()
+ );
+ }
+ return;
+ }
+ }
+
+
+ //
+ // SECOND step - Search for the issuer cert (chain) of the transmitted certificate in the
+ // keystore or the truststore
+ //
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
+ String issuerString = certs[0].getIssuerX500Principal().getName();
+ cryptoType.setSubjectDN(issuerString);
+ X509Certificate[] foundCerts = getX509Certificates(cryptoType);
+
+ // If the certs have not been found, the issuer is not in the keystore/truststore
+ // As a direct result, do not trust the transmitted certificate
+ if (foundCerts == null || foundCerts.length < 1) {
+ String subjectString = certs[0].getSubjectX500Principal().getName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "No certs found in keystore for issuer " + issuerString
+ + " of certificate for " + subjectString
+ );
+ }
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "certpath", "No trusted certs found"
+ );
+ }
+
+ //
+ // THIRD step
+ // Check the certificate trust path for the issuer cert chain
+ //
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "Preparing to validate certificate path for issuer " + issuerString
+ );
+ }
+
+ //
+ // Form a certificate chain from the transmitted certificate
+ // and the certificate(s) of the issuer from the keystore/truststore
+ //
+ X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
+ x509certs[0] = certs[0];
+ System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
+
try {
// Generate cert path
- List<X509Certificate> certList = Arrays.asList(certs);
+ List<X509Certificate> certList = Arrays.asList(x509certs);
CertPath path = getCertificateFactory().generateCertPath(certList);
Set<TrustAnchor> set = new HashSet<TrustAnchor>();
@@ -170,7 +240,6 @@ public class CertificateStore extends Cr
validator = CertPathValidator.getInstance("PKIX", provider);
}
validator.validate(path, param);
- return true;
} catch (java.security.NoSuchProviderException e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
@@ -203,14 +272,14 @@ public class CertificateStore extends Cr
* Evaluate whether a given public key should be trusted.
*
* @param publicKey The PublicKey to be evaluated
- * @return whether the PublicKey parameter is trusted or not
+ * @throws WSSecurityException if the PublicKey is invalid
*/
- public boolean verifyTrust(PublicKey publicKey) throws WSSecurityException {
+ public void verifyTrust(PublicKey publicKey) throws WSSecurityException {
//
// If the public key is null, do not trust the signature
//
if (publicKey == null) {
- return false;
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
//
@@ -218,10 +287,10 @@ public class CertificateStore extends Cr
//
for (X509Certificate trustedCert : trustedCerts) {
if (publicKey.equals(trustedCert.getPublicKey())) {
- return true;
+ return;
}
}
- return false;
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
/**
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java?rev=1504070&r1=1504069&r2=1504070&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java Wed Jul 17 10:31:36 2013
@@ -183,10 +183,9 @@ public interface Crypto {
*
* @param certs Certificate chain to validate
* @param enableRevocation whether to enable CRL verification or not
- * @return true if the certificate chain is valid, false otherwise
- * @throws WSSecurityException
+ * @throws WSSecurityException if the certificate chain is invalid
*/
- boolean verifyTrust(
+ void verifyTrust(
X509Certificate[] certs, boolean enableRevocation
) throws WSSecurityException;
@@ -194,8 +193,8 @@ public interface Crypto {
* Evaluate whether a given public key should be trusted.
*
* @param publicKey The PublicKey to be evaluated
- * @return whether the PublicKey parameter is trusted or not
+ * @throws WSSecurityException if the PublicKey is invalid
*/
- boolean verifyTrust(PublicKey publicKey) throws WSSecurityException;
+ void verifyTrust(PublicKey publicKey) throws WSSecurityException;
}
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java?rev=1504070&r1=1504069&r2=1504070&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java Wed Jul 17 10:31:36 2013
@@ -771,20 +771,88 @@ public class Merlin extends CryptoBase {
/**
* Evaluate whether a given certificate chain should be trusted.
- * Uses the CertPath API to validate a given certificate chain.
*
* @param certs Certificate chain to validate
* @param enableRevocation whether to enable CRL verification or not
- * @return true if the certificate chain is valid, false otherwise
- * @throws WSSecurityException
+ * @throws WSSecurityException if the certificate chain is invalid
*/
- public boolean verifyTrust(
+ public void verifyTrust(
X509Certificate[] certs,
boolean enableRevocation
) throws WSSecurityException {
+ //
+ // FIRST step - Search the keystore for the transmitted certificate
+ //
+ if (certs.length == 1 && !enableRevocation) {
+ String issuerString = certs[0].getIssuerX500Principal().getName();
+ BigInteger issuerSerial = certs[0].getSerialNumber();
+
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
+ cryptoType.setIssuerSerial(issuerString, issuerSerial);
+ X509Certificate[] foundCerts = getX509Certificates(cryptoType);
+
+ //
+ // If a certificate has been found, the certificates must be compared
+ // to ensure against phony DNs (compare encoded form including signature)
+ //
+ if (foundCerts != null && foundCerts[0] != null && foundCerts[0].equals(certs[0])) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "Direct trust for certificate with " + certs[0].getSubjectX500Principal().getName()
+ );
+ }
+ return;
+ }
+ }
+
+ //
+ // SECOND step - Search for the issuer cert (chain) of the transmitted certificate in the
+ // keystore or the truststore
+ //
+ X509Certificate[] x509certs = certs;
+ String issuerString = certs[0].getIssuerX500Principal().getName();
+ if (certs.length == 1) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
+ cryptoType.setSubjectDN(issuerString);
+ X509Certificate[] foundCerts = getX509Certificates(cryptoType);
+
+ // If the certs have not been found, the issuer is not in the keystore/truststore
+ // As a direct result, do not trust the transmitted certificate
+ if (foundCerts == null || foundCerts.length < 1) {
+ String subjectString = certs[0].getSubjectX500Principal().getName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "No certs found in keystore for issuer " + issuerString
+ + " of certificate for " + subjectString
+ );
+ }
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "certpath", "No trusted certs found"
+ );
+ }
+
+ //
+ // Form a certificate chain from the transmitted certificate
+ // and the certificate(s) of the issuer from the keystore/truststore
+ //
+ x509certs = new X509Certificate[foundCerts.length + 1];
+ x509certs[0] = certs[0];
+ System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
+ }
+
+ //
+ // THIRD step
+ // Check the certificate trust path for the issuer cert chain
+ //
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(
+ "Preparing to validate certificate path for issuer " + issuerString
+ );
+ }
+
try {
// Generate cert path
- List<X509Certificate> certList = Arrays.asList(certs);
+ List<X509Certificate> certList = Arrays.asList(x509certs);
CertPath path = getCertificateFactory().generateCertPath(certList);
Set<TrustAnchor> set = new HashSet<TrustAnchor>();
@@ -836,7 +904,6 @@ public class Merlin extends CryptoBase {
validator = CertPathValidator.getInstance("PKIX", provider);
}
validator.validate(path, param);
- return true;
} catch (java.security.NoSuchProviderException e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "certpath",
@@ -881,32 +948,24 @@ public class Merlin extends CryptoBase {
* Evaluate whether a given public key should be trusted.
*
* @param publicKey The PublicKey to be evaluated
- * @return whether the PublicKey parameter is trusted or not
+ * @throws WSSecurityException if the PublicKey is invalid
*/
- public boolean verifyTrust(PublicKey publicKey) throws WSSecurityException {
+ public void verifyTrust(PublicKey publicKey) throws WSSecurityException {
//
// If the public key is null, do not trust the signature
//
if (publicKey == null) {
- return false;
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
//
- // Search the keystore for the transmitted public key (direct trust)
+ // Search the keystore for the transmitted public key (direct trust). If not found
+ // then search the truststore for the transmitted public key (direct trust)
//
- boolean trust = findPublicKeyInKeyStore(publicKey, keystore);
- if (trust) {
- return true;
- } else {
- //
- // Now search the truststore for the transmitted public key (direct trust)
- //
- trust = findPublicKeyInKeyStore(publicKey, truststore);
- if (trust) {
- return true;
- }
+ if (!findPublicKeyInKeyStore(publicKey, keystore)
+ && !findPublicKeyInKeyStore(publicKey, truststore)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
- return false;
}
/**
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java?rev=1504070&r1=1504069&r2=1504070&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java Wed Jul 17 10:31:36 2013
@@ -19,7 +19,6 @@
package org.apache.wss4j.dom.validate;
-import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
@@ -29,8 +28,6 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.CryptoType;
-import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
@@ -67,22 +64,12 @@ public class SignatureTrustValidator imp
if (certs != null && certs.length > 0) {
validateCertificates(certs);
- boolean trust = false;
- boolean enableRevocation = data.isRevocationEnabled();
- if (certs.length == 1) {
- trust = verifyTrustInCert(certs[0], crypto, data, enableRevocation);
- } else {
- trust = verifyTrustInCerts(certs, crypto, data, enableRevocation);
- }
- if (trust) {
- return credential;
- }
+ verifyTrustInCerts(certs, crypto, data, data.isRevocationEnabled());
+ return credential;
}
if (publicKey != null) {
- boolean trust = validatePublicKey(publicKey, crypto);
- if (trust) {
- return credential;
- }
+ validatePublicKey(publicKey, crypto);
+ return credential;
}
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
@@ -115,204 +102,44 @@ public class SignatureTrustValidator imp
}
/**
- * Evaluate whether a given certificate should be trusted.
- *
- * Policy used in this implementation:
- * 1. Search the keystore for the transmitted certificate
- * 2. Search the keystore for a connection to the transmitted certificate
- * (that is, search for certificate(s) of the issuer of the transmitted certificate
- * 3. Verify the trust path for those certificates found because the search for the issuer
- * might be fooled by a phony DN (String!)
- *
- * @param cert the certificate that should be validated against the keystore
- * @param crypto A crypto instance to use for trust validation
- * @param data A RequestData instance
- * @param enableRevocation Whether revocation is enabled or not
- * @return true if the certificate is trusted, false if not
- * @throws WSSecurityException
- */
- protected boolean verifyTrustInCert(
- X509Certificate cert,
- Crypto crypto,
- RequestData data,
- boolean enableRevocation
- ) throws WSSecurityException {
- String subjectString = cert.getSubjectX500Principal().getName();
- String issuerString = cert.getIssuerX500Principal().getName();
- BigInteger issuerSerial = cert.getSerialNumber();
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Transmitted certificate has subject " + subjectString);
- LOG.debug(
- "Transmitted certificate has issuer " + issuerString + " (serial "
- + issuerSerial + ")"
- );
- }
-
- //
- // FIRST step - Search the keystore for the transmitted certificate
- //
- if (!enableRevocation && (crypto instanceof Merlin) && isCertificateInKeyStore(crypto, cert)) {
- return true;
- }
-
- //
- // SECOND step - Search for the issuer cert (chain) of the transmitted certificate in the
- // keystore or the truststore
- //
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
- cryptoType.setSubjectDN(issuerString);
- X509Certificate[] foundCerts = crypto.getX509Certificates(cryptoType);
-
- // If the certs have not been found, the issuer is not in the keystore/truststore
- // As a direct result, do not trust the transmitted certificate
- if (foundCerts == null || foundCerts.length < 1) {
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "No certs found in keystore for issuer " + issuerString
- + " of certificate for " + subjectString
- );
- }
- return false;
- }
-
- //
- // THIRD step
- // Check the certificate trust path for the issuer cert chain
- //
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "Preparing to validate certificate path for issuer " + issuerString
- );
- }
- //
- // Form a certificate chain from the transmitted certificate
- // and the certificate(s) of the issuer from the keystore/truststore
- //
- X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
- x509certs[0] = cert;
- System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
-
- //
- // Use the validation method from the crypto to check whether the subjects'
- // certificate was really signed by the issuer stated in the certificate
- //
- if (crypto.verifyTrust(x509certs, enableRevocation)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "Certificate path has been verified for certificate with subject "
- + subjectString
- );
- }
- Collection<Pattern> subjectCertConstraints = data.getSubjectCertConstraints();
- if (matches(cert, subjectCertConstraints)) {
- return true;
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "Certificate path could not be verified for certificate with subject "
- + subjectString
- );
- }
- return false;
- }
-
- /**
- * Check to see if the certificate argument is in the keystore
- * @param crypto A Crypto instance to use for trust validation
- * @param cert The certificate to check
- * @return true if cert is in the keystore
- * @throws WSSecurityException
- */
- protected boolean isCertificateInKeyStore(
- Crypto crypto,
- X509Certificate cert
- ) throws WSSecurityException {
- String issuerString = cert.getIssuerX500Principal().getName();
- BigInteger issuerSerial = cert.getSerialNumber();
-
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
- cryptoType.setIssuerSerial(issuerString, issuerSerial);
- X509Certificate[] foundCerts = crypto.getX509Certificates(cryptoType);
-
- //
- // If a certificate has been found, the certificates must be compared
- // to ensure against phony DNs (compare encoded form including signature)
- //
- if (foundCerts != null && foundCerts[0] != null && foundCerts[0].equals(cert)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "Direct trust for certificate with " + cert.getSubjectX500Principal().getName()
- );
- }
- return true;
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "No certificate found for subject from issuer with " + issuerString
- + " (serial " + issuerSerial + ")"
- );
- }
- return false;
- }
-
- /**
* Evaluate whether the given certificate chain should be trusted.
*
* @param certificates the certificate chain that should be validated against the keystore
* @param crypto A Crypto instance
* @param data A RequestData instance
* @param enableRevocation Whether revocation is enabled or not
- * @return true if the certificate chain is trusted, false if not
- * @throws WSSecurityException
+ * @throws WSSecurityException if the certificate chain is not trusted
*/
- protected boolean verifyTrustInCerts(
+ protected void verifyTrustInCerts(
X509Certificate[] certificates,
Crypto crypto,
RequestData data,
boolean enableRevocation
) throws WSSecurityException {
- if (certificates == null || certificates.length < 2) {
- return false;
- }
-
String subjectString = certificates[0].getSubjectX500Principal().getName();
//
// Use the validation method from the crypto to check whether the subjects'
// certificate was really signed by the issuer stated in the certificate
//
- if (crypto.verifyTrust(certificates, enableRevocation)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug(
- "Certificate path has been verified for certificate with subject "
- + subjectString
- );
- }
- Collection<Pattern> subjectCertConstraints = data.getSubjectCertConstraints();
- if (matches(certificates[0], subjectCertConstraints)) {
- return true;
- }
- }
-
+ crypto.verifyTrust(certificates, enableRevocation);
if (LOG.isDebugEnabled()) {
LOG.debug(
- "Certificate path could not be verified for certificate with subject "
- + subjectString
+ "Certificate path has been verified for certificate with subject " + subjectString
);
}
-
- return false;
+ Collection<Pattern> subjectCertConstraints = data.getSubjectCertConstraints();
+ if (!matches(certificates[0], subjectCertConstraints)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
}
/**
* Validate a public key
* @throws WSSecurityException
*/
- protected boolean validatePublicKey(PublicKey publicKey, Crypto crypto)
+ protected void validatePublicKey(PublicKey publicKey, Crypto crypto)
throws WSSecurityException {
- return crypto.verifyTrust(publicKey);
+ crypto.verifyTrust(publicKey);
}
/**
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java?rev=1504070&r1=1504069&r2=1504070&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenNegativeTest.java Wed Jul 17 10:31:36 2013
@@ -267,7 +267,9 @@ public class SAMLTokenNegativeTest exten
Assert.fail("XMLStreamException expected");
} catch (XMLStreamException e) {
Assert.assertNotNull(e.getCause());
- Assert.assertEquals(e.getCause().getMessage(), "Error during certificate path validation: Path does not chain with any of the trust anchors");
+ Assert.assertTrue(e.getCause().getMessage().contains(
+ "Error during certificate path validation"
+ ));
}
}
}