List:       xmlrpc-user
Subject:    Re: how to disable basic constraints check in wss4j 2.3.0
From:       Colm O hEigeartaigh <coheigea () apache ! org>
Date:       2020-09-17 16:36:26
Message-ID: CAB8XdGDm9OqHkvGcD1-5ida5Ors1uumuwov5z1ZyXxz_OvrT4g () mail ! gmail ! com

The exception is being thrown by the JDK, so it looks like your CA cert is
not fit for purpose.

Colm.

On Thu, Sep 17, 2020 at 5:16 PM AKP P <amanleensf@gmail.com> wrote:

> Hi Colm,
> This is the stack trace; I'm working on sharing a sample cert.
> 
> org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path validation: basic constraints check failed: this is not a CA certificate
> Original Exception was java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>     at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:891)
>     at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:906)
>     at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:109)
>     at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
>     at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:189)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
>     at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
>     at DigitalSignatureValidator.processSecurityHeader(DigitalSignatureValidator.java:78)
>     at AppStarter.main(AppStarter.java:62)
> Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>     at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:869)
>     ... 10 more
> Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
>     at sun.security.provider.certpath.ConstraintsChecker.checkBasicConstraints(ConstraintsChecker.java:259)
>     at sun.security.provider.certpath.ConstraintsChecker.check(ConstraintsChecker.java:122)
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>     ... 15 more
> FAILED auth
> Exception in thread "main" java.lang.NullPointerException
>     at AppStarter.main(AppStarter.java:63)
> 
> 
> 
> On 2020/09/16 09:38:12, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> > What is the complete stack trace? A test-case with a sample cert to
> > reproduce the problem would be helpful.
> > 
> > Colm.
> > 
> > On Wed, Sep 16, 2020 at 2:31 AM Puri, Amanleen <apuri@visa.com> wrote:
> > 
> > > Hi,
> > > 
> > > I am using wss4j 2.3.0 to validate signature
> > > (wss4j-ws-security-dom-2.3.0.jar). However, the CA cert I use to initialize
> > > my crypto object does not have Subject Type and other basic constraints.
> > > Hence the signature validation fails with the following exception. The same
> > > cert worked in wss4j 1.5.
> > > 
> > > 
> > > 
> > > #Exception: java.security.cert.CertPathValidatorException: basic
> > > constraints check failed: this is not a CA certificate
> > > 
> > > 
> > > 
> > > #Ask: Is there a way I could disable basic constraints check in wss4j
> > > 2.3.0?
> > > 
> > > 
> > > 
> > > I'm calling engine.processSecurityHeader, where engine is an object of
> > > WSSecurityEngine.
> > > 
> > > 
> > > 
> > > Looking forward to hearing from you.
> > > 
> > > 
> > > 
> > > Best,
> > > 
> > > Amanleen
> > > 
> > 
> 
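
To see what the JDK reads from the certificate discussed in this thread, the following is an added example (not part of the original messages and not WSS4J code). It uses only the standard `java.security.cert` API; the class name `CaCertCheck` and the certificate file paths passed as arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical diagnostic class: reports the fields that decide whether a
// certificate can act as an issuer during PKIX certificate path validation.
public class CaCertCheck {

    static String describe(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the BasicConstraints extension
        // is absent or cA=FALSE, i.e. the certificate does not assert it is a CA.
        // Otherwise it returns pathLenConstraint (Integer.MAX_VALUE if unset).
        int pathLen = cert.getBasicConstraints();
        String ca;
        if (pathLen == -1) {
            ca = "NOT marked as CA (BasicConstraints absent or cA=FALSE)";
        } else if (pathLen == Integer.MAX_VALUE) {
            ca = "CA, no path length limit";
        } else {
            ca = "CA, pathLenConstraint=" + pathLen;
        }

        // getKeyUsage() returns null when the KeyUsage extension is absent;
        // index 5 of the returned array is the keyCertSign bit.
        boolean[] keyUsage = cert.getKeyUsage();
        String certSign;
        if (keyUsage == null) {
            certSign = "KeyUsage extension absent";
        } else {
            certSign = (keyUsage.length > 5 && keyUsage[5])
                    ? "keyCertSign set" : "keyCertSign NOT set";
        }

        return String.format("subject=%s%n  version=v%d%n  basicConstraints: %s%n  keyUsage: %s",
                cert.getSubjectX500Principal().getName(), cert.getVersion(), ca, certSign);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: java CaCertCheck <cert.pem|cert.der>...");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            try (InputStream in = new FileInputStream(path)) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                System.out.println(path + ": " + describe(cert));
            }
        }
    }
}
```

A certificate reported as "NOT marked as CA" needs to be reissued with BasicConstraints `cA=TRUE` before it can serve as an issuer in a validated path.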

