Posted to commits@ws.apache.org by co...@apache.org on 2017/08/14 09:48:00 UTC
svn commit: r1804963 -
/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
Author: coheigea
Date: Mon Aug 14 09:48:00 2017
New Revision: 1804963
URL: http://svn.apache.org/viewvc?rev=1804963&view=rev
Log:
WSS-612 Updates CertificateStore to handle certificate chains. This closes #7.
Signed-off-by: Colm O hEigeartaigh <co...@apache.org>
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?rev=1804963&r1=1804962&r2=1804963&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java Mon Aug 14 09:48:00 2017
@@ -165,7 +165,7 @@ public class CertificateStore extends Cr
//
// FIRST step - Search the trusted certs for the transmitted certificate
//
- if (!enableRevocation) {
+ if (certs.length == 1 && !enableRevocation) {
String issuerString = certs[0].getIssuerX500Principal().getName();
BigInteger issuerSerial = certs[0].getSerialNumber();
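Review bot: The comment above the new condition still describes the step as searching the trusted certs for "the transmitted certificate", but the condition now only takes this shortcut when exactly one certificate was transmitted; a directly trusted leaf that arrives together with its chain will fall through to full path validation instead, which is stricter but not obvious from the code. Document the narrowed scope next to the check, e.g. `// Only a lone transmitted certificate is matched directly against the trusted certs; a transmitted chain is always subjected to full path validation below.` The enclosing method starts before this hunk, so I cannot confirm whether `certs` is guaranteed non-empty at this point; if it is not, `certs.length == 1` protects this branch but `certs[0]` is still dereferenced unconditionally in the later hunks.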
@@ -190,22 +190,25 @@ public class CertificateStore extends Cr
// SECOND step - Search for the issuer cert (chain) of the transmitted certificate in the
// keystore or the truststore
//
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
String issuerString = certs[0].getIssuerX500Principal().getName();
- cryptoType.setSubjectDN(issuerString);
- X509Certificate[] foundCerts = getX509Certificates(cryptoType);
-
- // If the certs have not been found, the issuer is not in the keystore/truststore
- // As a direct result, do not trust the transmitted certificate
- if (foundCerts == null || foundCerts.length < 1) {
- String subjectString = certs[0].getSubjectX500Principal().getName();
- LOG.debug(
- "No certs found in keystore for issuer {} of certificate for {}", issuerString, subjectString
- );
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILURE, "certpath",
- new Object[] {"No trusted certs found"}
- );
+ X509Certificate[] foundCerts = new X509Certificate[0];
+ if (certs.length == 1) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
+ cryptoType.setSubjectDN(issuerString);
+ foundCerts = getX509Certificates(cryptoType);
+
+ // If the certs have not been found, the issuer is not in the keystore/truststore
+ // As a direct result, do not trust the transmitted certificate
+ if (foundCerts == null || foundCerts.length < 1) {
+ String subjectString = certs[0].getSubjectX500Principal().getName();
+ LOG.debug(
+ "No certs found in keystore for issuer {} of certificate for {}", issuerString, subjectString
+ );
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, "certpath",
+ new Object[] {"No trusted certs found"}
+ );
+ }
}
//
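Review bot: An empty `foundCerts` now does double duty as the signal that a chain was transmitted and the truststore lookup was skipped, which is fragile: the "SECOND step" comment still promises an issuer search that no longer happens for chains, and a reader of the later validation code has to reconstruct why `foundCerts.length == 0` is not an error there. Make the control flow explicit with a comment on the new `if`, e.g. `// Only look up the issuer for a lone certificate; a transmitted chain is validated as-is against the trust anchors below, so foundCerts stays empty in that case.` Consider also a debug log in the chain case mirroring the existing one, so that a failed validation of a transmitted chain is distinguishable in the logs from a missing issuer. The method continues past the end of this hunk.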
@@ -216,31 +219,16 @@ public class CertificateStore extends Cr
"Preparing to validate certificate path for issuer {}", issuerString
);
- //
- // Form a certificate chain from the transmitted certificate
- // and the certificate(s) of the issuer from the keystore/truststore
- //
- X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
- x509certs[0] = certs[0];
- System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
-
try {
- // Generate cert path
- List<X509Certificate> certList = Arrays.asList(x509certs);
- CertPath path = getCertificateFactory().generateCertPath(certList);
-
Set<TrustAnchor> set = new HashSet<>();
if (trustedCerts != null) {
for (X509Certificate cert : trustedCerts) {
TrustAnchor anchor =
- new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
+ new TrustAnchor(cert, null);
set.add(anchor);
}
}
- PKIXParameters param = new PKIXParameters(set);
- param.setRevocationEnabled(enableRevocation);
-
// Verify the trust path using the above settings
String provider = getCryptoProvider();
CertPathValidator validator = null;
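Review bot: Passing `null` as the second argument of `new TrustAnchor(cert, null)` discards the name constraints that the previous code took from the anchor certificate; the JDK PKIX validator only enforces name constraints on a trust anchor when they are supplied through the `TrustAnchor`, so a name-constrained CA in `trustedCerts` becomes unconstrained for every path validated here. If the motivation was that `X509Certificate.getExtensionValue` returns the extension value wrapped in a DER OCTET STRING, which `TrustAnchor` rejects because it expects the bare `NameConstraints` encoding, the safer fix is to strip that outer OCTET STRING and pass the decoded bytes rather than drop the constraints altogether. At minimum the reason for passing `null` should be recorded in a comment so the loss of enforcement is a deliberate, reviewable decision. The `try` block this hunk edits begins inside it and continues beyond its end.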
@@ -249,7 +237,30 @@ public class CertificateStore extends Cr
} else {
validator = CertPathValidator.getInstance("PKIX", provider);
}
- validator.validate(path, param);
+
+ PKIXParameters param = new PKIXParameters(set);
+ param.setRevocationEnabled(enableRevocation);
+
+ if (foundCerts.length > 0) {
+ //
+ // Form a certificate chain from the transmitted certificate
+ // and the certificate(s) of the issuer from the keystore/truststore
+ //
+ X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
+ x509certs[0] = certs[0];
+ System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
+
+ // Generate cert path
+ List<X509Certificate> certList = Arrays.asList(x509certs);
+ CertPath path = getCertificateFactory().generateCertPath(certList);
+
+ validator.validate(path, param);
+ } else {
+ List<X509Certificate> certList = Arrays.asList(certs);
+ CertPath path = getCertificateFactory().generateCertPath(certList);
+
+ validator.validate(path, param);
+ }
} catch (java.security.NoSuchProviderException | NoSuchAlgorithmException
| java.security.cert.CertificateException
| java.security.InvalidAlgorithmParameterException
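Review bot: Both branches of the new `if (foundCerts.length > 0)` end in an identical `generateCertPath` + `validator.validate(path, param)` pair, so the only real difference is which certificate list forms the path; the duplication invites the two branches to drift apart and obscures the security-relevant fact that, in the chain case, every certificate in the path is attacker-supplied and trust rests solely on `set` plus the PKIX checks. Build the list in the branches and validate once, with a comment spelling that out. The `catch` clause continues beyond the end of this hunk.
```java
List<X509Certificate> certList;
if (foundCerts.length > 0) {
    // Lone transmitted certificate: chain it to the issuer cert(s) found in the keystore/truststore
    X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
    x509certs[0] = certs[0];
    System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
    certList = Arrays.asList(x509certs);
} else {
    // Transmitted chain: every cert is supplied by the sender, so trust rests entirely
    // on the trust anchors in "set" and on the PKIX checks (incl. revocation if enabled)
    certList = Arrays.asList(certs);
}
CertPath path = getCertificateFactory().generateCertPath(certList);
validator.validate(path, param);
```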