List: xmlrpc-user
Subject: Re: How to use multiple CRL with WSS4J ?
From: Colm O hEigeartaigh <coheigea () apache ! org>
Date: 2016-09-30 15:40:42
Message-ID: CAB8XdGBQTOcXbZfF9+Ja0F+vgpcFqU5bqts01nGU07+u_DDxtw () mail ! gmail ! com
Martin, are you referring to the missing "PKCS7"? Merlin is designed to
work with X.509 certificates, so it doesn't apply here.
Colm.
On Fri, Sep 30, 2016 at 4:35 PM, Martin Gainty <mgainty@hotmail.com> wrote:
> ------------------------------
> From: coheigea@apache.org
> Date: Fri, 30 Sep 2016 15:42:53 +0100
> Subject: Re: How to use multiple CRL with WSS4J ?
> To: users@ws.apache.org
>
> Yes please do a pull request, or create a JIRA and attach the diff there.
>
> Colm.
>
> On Fri, Sep 30, 2016 at 3:23 PM, Claude Libois <clibois.work@gmail.com> wrote:
>
> Ok found your github. Will do a pull request.
>
> 2016-09-30 16:19 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
> New version with the trim() correctly done after the split, not before...
>
>
> 2016-09-30 16:04 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
> Found that it was not possible with Merlin because it only allows defining a
> single CRL file.
> I have made a quick change that enables a comma-separated list of CRLs.
> Here is the change. Can someone review it and, if it's OK, add it to the
> official source code?
> //
> // Load the CRL file(s): X509_CRL_FILE may hold a comma-separated list of locations
> //
> String crlLocations = properties.getProperty(prefix + X509_CRL_FILE);
> if (crlLocations != null) {
>     String[] splittedCrlsLocation = crlLocations.split(",");
>     List<X509CRL> crls = new ArrayList<>();
>     for (String crlLocation : splittedCrlsLocation) {
>         // trim each entry after the split so "a.crl, b.crl" works, and skip empty entries
>         crlLocation = crlLocation.trim();
>         if (crlLocation.isEmpty()) {
>             continue;
>         }
>         InputStream is = loadInputStream(loader, crlLocation);
>         try {
>             CertificateFactory cf = getCertificateFactory();
>             X509CRL crl = (X509CRL) cf.generateCRL(is);
>             crls.add(crl);
>         } catch (Exception e) {
>             if (DO_DEBUG) {
>                 LOG.debug(e.getMessage(), e);
>             }
>             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>         } finally {
>             if (is != null) {
>                 is.close();
>             }
>         }
>     }
>     try {
>         if (provider == null || provider.length() == 0) {
>             crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
>         } else {
>             crlCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls), provider);
>         }
>     } catch (Exception e) {
>         if (DO_DEBUG) {
>             LOG.debug(e.getMessage(), e);
>         }
>         throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "ioError00", e);
>     }
>     if (DO_DEBUG) {
>         LOG.debug("The CRL(s) " + crlLocations + " have been loaded");
>     }
> }
>
> MG> Merlin.java
>
> List<X509Certificate> certList = Arrays.asList(x509certs);
>
> CertPath path = getCertificateFactory().
> generateCertPath(certList);
>
> MG> what I see from IBM:
>
> FileInputStream fis = new FileInputStream(filename);
> // instantiate a CertificateFactory for X.509
> CertificateFactory cf = CertificateFactory.getInstance("X.509");
> // extract the certification path from
> // the PKCS7 SignedData structure
> CertPath cp = cf.generateCertPath(fis, "PKCS7");
>
>
> MG> is the IBM doc incorrect?
>
> http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.component.71.doc/security-component/certpathDocs/certificatefactory.html
>
> Best Regards,
> Claude
>
> 2016-09-30 15:14 GMT+02:00 Claude Libois <clibois.work@gmail.com>:
>
> Hi,
> I have the following PKI chain: Root CA > Intermediate CA > Client signing
> certificate.
> As suggested by Colm, I have set in my truststore my Intermediate CA and my
> Root CA.
> However, by doing this, CRL verification doesn't work. In fact, it seems
> to validate my Intermediate CA against the Root CA CRL while I'm only
> interested in verifying the client certificate.
> I'm not sure how revocation validation works, but it seems to validate the CRL
> for every certificate (except the Root).
> However, I don't know how to specify multiple CRLs in WSS4J, or whether it is
> possible to merge 2 CRL files into a common one?
> I have provided 2 logs. The first one is with the Intermediate CA CRL. We can
> see that validation of the Intermediate CA against the Root CRL failed since
> it's not provided.
> The second one is with the Root CA CRL. Intermediate CA validation succeeds,
> but the signing certificate then fails...
>
> Best Regards,
> Claude
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
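
A runnable illustration of the revocation behaviour Claude ran into, added here as an editor's example; it is not code from the thread or from WSS4J. It is written in Go rather than Java only because Go's standard library can mint the Root CA > Intermediate CA > client chain and a CRL for each CA inline, so it runs offline with no key material on disk. The certificate names, the function names (BuildDemoPKI, CheckRevocation) and the sentinel errors are assumptions made for the example. CheckRevocation does what RFC 5280 path validation, and the JDK PKIX validator that Merlin relies on, does with whatever CRLs it is handed: every certificate below the trust anchor is matched against a CRL whose issuer DN equals that certificate's issuer and whose signature verifies under that issuer's key; a CRL from any other CA is never consulted for that link. With only the intermediate CA's CRL loaded the intermediate certificate has nothing to be checked against; with only the root CA's CRL the client certificate has nothing, which is the pair of failures in Claude's two logs. Loading both into the CertStore, as the comma-separated patch does, is the fix.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrNoCRL    = errors.New("no CRL from this certificate's issuer")
	ErrStaleCRL = errors.New("CRL is past its nextUpdate")
	ErrRevoked  = errors.New("certificate is revoked")
)

// CheckRevocation takes a chain that path validation has already verified (leaf first,
// trust anchor last) and, like the JDK's PKIX validator, checks every certificate except
// the trust anchor against a CRL signed by that certificate's own issuer, never another CA's.
func CheckRevocation(chain []*x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		var crl *x509.RevocationList
		for _, c := range crls { // match on the issuer DN exactly as the CRL encodes it
			if bytes.Equal(c.RawIssuer, issuer.RawSubject) {
				crl = c
			}
		}
		if crl == nil {
			return fmt.Errorf("%s (issuer %q): %w", cert.Subject.CommonName, issuer.Subject.CommonName, ErrNoCRL)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil { // a CRL the issuer did not sign proves nothing
			return fmt.Errorf("%s: CRL signature: %w", cert.Subject.CommonName, err)
		}
		if now.After(crl.NextUpdate) {
			return fmt.Errorf("%s: %w", cert.Subject.CommonName, ErrStaleCRL)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%s: %w", cert.Subject.CommonName, ErrRevoked)
			}
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CreateRevocationList insists on cRLSign

func certTemplate(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku == caUsage, KeyUsage: ku,
	}
}

func newCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// BuildDemoPKI constructs (assumed names) a Root CA > Intermediate CA > client chain, returned leaf
// first, plus the root CA's CRL, the intermediate CA's CRL, and a second intermediate CRL that revokes the client.
func BuildDemoPKI() (chain []*x509.Certificate, rootCRL, interCRL, interCRLRevoked *x509.RevocationList) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	sign := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
	}
	now := time.Now()
	rootKey, interKey, clientKey := newKey(), newKey(), newKey()
	rootT := certTemplate("Demo Root CA", 1, caUsage)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	inter := sign(certTemplate("Demo Intermediate CA", 2, caUsage), root, &interKey.PublicKey, rootKey)
	client := sign(certTemplate("client-signer", 3, x509.KeyUsageDigitalSignature), inter, &clientKey.PublicKey, interKey)
	return []*x509.Certificate{client, inter, root}, newCRL(root, rootKey, now),
		newCRL(inter, interKey, now), newCRL(inter, interKey, now, client.SerialNumber)
}

func main() {
	chain, rootCRL, interCRL, _ := BuildDemoPKI()
	fmt.Println("root CRL only:", CheckRevocation(chain, []*x509.RevocationList{rootCRL}, time.Now()))
	fmt.Println("both CRLs:    ", CheckRevocation(chain, []*x509.RevocationList{rootCRL, interCRL}, time.Now()))
}
```

Running it prints the missing-CRL error for the root-only case and nil once both CRLs are present. The nextUpdate check is the other thing to watch when CRLs are loaded from static files as Merlin does: a CRL past its nextUpdate is refused here rather than read as "nothing revoked", so the files on disk have to be refreshed before they expire.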