How to use multiple CRL with WSS4J ?


Claude Libois
Hi,
I got the following PKI chain: Root CA > Intermediate CA > Client signing certificate.
As suggested by Colm, I have set in my truststore my Intermediate CA and my Root CA.
However, by doing this, CRL verification doesn't work. In fact, it seems to validate my Intermediate CA against the Root CA CRL, while I'm only interested in verifying the client certificate.
I'm not sure how revocation validation works, but it seems to validate a CRL for every certificate (except the Root).
However, I don't know how to specify multiple CRLs in WSS4J, or if it is possible to merge 2 CRL files into a common one?
I have provided 2 logs. The first one is with the Intermediate CA CRL. We can see that validation of the Intermediate CA against the Root CRL failed since it's not provided.
The second one is with the Root CA CRL. Intermediate CA validation succeeded but the signing certificate then failed...

Best Regards,
Claude

Attachments: logWithIntermediateCaCrl.txt (22K), logWithRootCaCrl.txt (28K)

Re: How to use multiple CRL with WSS4J ?

Claude Libois
Found that it was not possible with Merlin because it only allows defining a single CRL file.
I have done a quick change that enables a comma-separated list of CRLs.
Here is the change. Can someone review it and, if it's ok, add it to the official source code?
        //
        // Load the CRL file(s): a comma-separated list of locations
        //
        String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
        if (crlLocations != null) {
            String[] splittedCrlsLocation = crlLocations.split(",");
            List<X509CRL> crls = new ArrayList<>();
            for (int i = 0; i < splittedCrlsLocation.length; i++) {
                // trim each entry after the split, so "a.crl, b.crl" also works
                String crlLocation = splittedCrlsLocation[i].trim();
                if (crlLocation.length() == 0) {
                    continue;
                }
                InputStream is = loadInputStream(loader, crlLocation);

                try {
                    CertificateFactory cf = getCertificateFactory();
                    X509CRL crl = (X509CRL)cf.generateCRL(is);
                    crls.add(crl);
                } catch (Exception e) {
                    if (DO_DEBUG) {
                        LOG.debug(e.getMessage(), e);
                    }
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
                } finally {
                    if (is != null) {
                        is.close();
                    }
                }
            }
            // all loaded CRLs go into one Collection CertStore
            try {
                if (provider == null || provider.length() == 0) {
                    crlCertStore =
                        CertStore.getInstance(
                            "Collection",
                            new CollectionCertStoreParameters(crls)
                        );
                } else {
                    crlCertStore =
                        CertStore.getInstance(
                            "Collection",
                            new CollectionCertStoreParameters(crls),
                            provider
                        );
                }
            } catch (Exception e) {
                if (DO_DEBUG) {
                    LOG.debug(e.getMessage(), e);
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
            }
            if (DO_DEBUG) {
                LOG.debug("The CRL(s) " + crlLocations + " have been loaded");
            }
        }
Best Regards,
Claude
Attachment: Merlin.java (81K)
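A stand-alone Java check, added here and not part of WSS4J or of the patch above, that reproduces what Merlin's PKIX validation does with its Collection CertStore: it loads CRLs from a comma-separated list the way the patch does, reports which issuer in the chain has no CRL in the store, and then runs the same validator, so the two failures in the first message (intermediate without the Root CA CRL, client certificate without the Intermediate CA CRL) can be reproduced outside WSS4J. The class name and the file paths on the command line are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

/**
 * Stand-alone reproduction of the check Merlin runs internally: PKIX path
 * validation with revocation enabled and every CRL supplied through a single
 * Collection CertStore. File names are assumptions (PEM or DER encoded):
 *
 *   java CrlChainCheck root.pem intermediate.pem client.pem root.crl,intermediate.crl
 */
public class CrlChainCheck {

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Same contract as the proposed Merlin change: comma-separated list, trimmed per entry. */
    static List<X509CRL> loadCrls(CertificateFactory cf, String commaSeparated) throws Exception {
        List<X509CRL> crls = new ArrayList<>();
        for (String entry : commaSeparated.split(",")) {
            String location = entry.trim();
            if (location.isEmpty()) {
                continue;
            }
            try (InputStream in = new FileInputStream(location)) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        return crls;
    }

    /**
     * PKIX checks every certificate in the path (client, then intermediate)
     * against a CRL issued by that certificate's own issuer: the Root CA CRL
     * covers the intermediate, the Intermediate CA CRL covers the client.
     * Issuers with no CRL in the store are exactly where validation will stop.
     */
    static List<String> issuersWithoutCrl(List<X509Certificate> path, List<X509CRL> crls) {
        List<String> missing = new ArrayList<>();
        for (X509Certificate cert : path) {
            boolean covered = false;
            for (X509CRL crl : crls) {
                if (crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
                    covered = true;
                }
            }
            if (!covered) {
                missing.add(cert.getIssuerX500Principal().getName());
            }
        }
        return missing;
    }

    static void validate(X509Certificate root, List<X509Certificate> path, List<X509CRL> crls)
            throws Exception {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);
        // all CRLs in one Collection store, the same shape as Merlin's crlCertStore
        params.addCertStore(
            CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = loadCert(cf, args[0]);
        X509Certificate intermediate = loadCert(cf, args[1]);
        X509Certificate client = loadCert(cf, args[2]);
        List<X509CRL> crls = loadCrls(cf, args[3]);
        // PKIX path order: target certificate first, then up towards the anchor
        List<X509Certificate> path = Arrays.asList(client, intermediate);

        for (String issuer : issuersWithoutCrl(path, crls)) {
            System.out.println("no CRL in the store for issuer: " + issuer);
        }
        try {
            validate(root, path, crls);
            System.out.println("path valid, revocation checked with " + crls.size() + " CRL(s)");
        } catch (CertPathValidatorException e) {
            // index 0 is the client certificate, 1 the intermediate; reason
            // UNDETERMINED_REVOCATION_STATUS means that certificate's issuer CRL is absent
            System.out.println("validation failed at path index " + e.getIndex()
                + " (" + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

Running it with only one of the two CRLs reproduces the corresponding failure from the attached logs; with both, the path validates and each certificate's revocation status is determined.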

Re: How to use multiple CRL with WSS4J ?

Claude Libois
New version with the trim() correctly done after the split, not before...


Attachment: Merlin.java (81K)

Re: How to use multiple CRL with WSS4J ?

Claude Libois
Ok, found your GitHub. Will do a pull request.


Re: How to use multiple CRL with WSS4J ?

Colm O hEigeartaigh-2
Yes, please do a pull request, or create a JIRA and attach the diff there.

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: How to use multiple CRL with WSS4J ?

Martin Gainty




MG> Merlin.java

    List<X509Certificate> certList = Arrays.asList(x509certs);
    CertPath path = getCertificateFactory().generateCertPath(certList);

MG> what I see from IBM:

    FileInputStream fis = new FileInputStream(filename);
    // instantiate a CertificateFactory for X.509
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    // extract the certification path from
    // the PKCS7 SignedData structure
    CertPath cp = cf.generateCertPath(fis, "PKCS7");

MG> is the IBM doc incorrect?



Re: How to use multiple CRL with WSS4J ?

Colm O hEigeartaigh-2
Martin, are you referring to the missing "PKCS7"? Merlin is designed to work with X.509 certificates, so it doesn't apply here.

Colm.


RE: How to use multiple CRL with WSS4J ?

Martin Gainty
Many thanks for confirming the implementation is for X.509 only.

Martin Gainty

Unsubscribe

ritesh
Unsubscribe