[prev in list] [next in list] [prev in thread] [next in thread]
List: xmlrpc-user
Subject: Re: how to disable basic constraints check in wss4j 2.3.0
From: Colm O hEigeartaigh <coheigea () apache ! org>
Date: 2020-09-17 16:36:26
Message-ID: CAB8XdGDm9OqHkvGcD1-5ida5Ors1uumuwov5z1ZyXxz_OvrT4g () mail ! gmail ! com
[Download RAW message or body]
The exception is being thrown by the JDK, so it looks like your CA cert is
not fit for purpose.
Colm.
On Thu, Sep 17, 2020 at 5:16 PM AKP P <amanleensf@gmail.com> wrote:
> Hi Colm,
> This is the stack trace I'm working on sharing a sample cert.
>
> org.apache.wss4j.common.ext.WSSecurityException: Error during certificate
> path validation: basic constraints check failed: this is not a CA
> certificate
> Original Exception was java.security.cert.CertPathValidatorException:
> basic constraints check failed: this is not a CA certificate
> at
> org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:891)
> at
> org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:906)
> at
> org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:109)
> at
> org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
> at
> org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:189)
> at
> org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
> at
> org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)
> at
> org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)
> at
> org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)
> at
> DigitalSignatureValidator.processSecurityHeader(DigitalSignatureValidator.java:78)
> at AppStarter.main(AppStarter.java:62)
> Caused by: java.security.cert.CertPathValidatorException: basic
> constraints check failed: this is not a CA certificate
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
> at
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
> at
> java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
> at
> org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:869)
> ... 10 more
> Caused by: java.security.cert.CertPathValidatorException: basic
> constraints check failed: this is not a CA certificate
> at
> sun.security.provider.certpath.ConstraintsChecker.checkBasicConstraints(ConstraintsChecker.java:259)
> at
> sun.security.provider.certpath.ConstraintsChecker.check(ConstraintsChecker.java:122)
> at
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>
> ... 15 more
> FAILED auth
> Exception in thread "main" java.lang.NullPointerException
> at AppStarter.main(AppStarter.java:63)
>
>
>
> On 2020/09/16 09:38:12, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> > What is the complete stack trace? A test-case with a sample cert to
> > reproduce the problem would be helpful.
> >
> > Colm.
> >
> > On Wed, Sep 16, 2020 at 2:31 AM Puri, Amanleen <apuri@visa.com> wrote:
> >
> > > Hi,
> > >
> > > I am using wss4j 2.3.0 to validate signature
> > > (wss4j-ws-security-dom-2.3.0.jar). However, the CA cert I use to
> initialize
> > > my crypto object does not have Subject Type and other basic
> constraints.
> > > Hence the signature validation fails with the following exception. The
> same
> > > cert worked in wss4j 1.5.
> > >
> > >
> > >
> > > #Exception: java.security.cert.CertPathValidatorException: basic
> > > constraints check failed: this is not a CA certificate
> > >
> > >
> > >
> > > #Ask: Is there a way I could disable basic constraints check in wss4j
> > > 2.3.0?
> > >
> > >
> > >
> > > I'm calling , engine.processSecurityHeader where engine is an object of
> > > WSSecurityEngine.
> > >
> > >
> > >
> > > Looking forward to hearing from you.
> > >
> > >
> > >
> > > Best,
> > >
> > > Amanleen
> > >
> >
>
[Attachment #3 (text/html)]
<div dir="ltr"><div>The exception is being thrown by the JDK, so it looks like your \
CA cert is not fit for \
purpose.</div><div><br></div><div>Colm.<br></div></div><br><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 17, 2020 at 5:16 PM \
AKP P <<a href="mailto:amanleensf@gmail.com">amanleensf@gmail.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Colm,<br> This is \
the stack trace I'm working on sharing a sample cert. <br> <br>
org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path \
validation: basic constraints check failed: this is not a CA certificate<br> Original \
Exception was java.security.cert.CertPathValidatorException: basic constraints check \
failed: this is not a CA certificate<br>
at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:891)<br>
at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:906)<br>
at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:109)<br>
at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)<br>
at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:189)<br>
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)<br>
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:221)<br>
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:168)<br>
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:127)<br>
at DigitalSignatureValidator.processSecurityHeader(DigitalSignatureValidator.java:78)<br>
at AppStarter.main(AppStarter.java:62)<br>
Caused by: java.security.cert.CertPathValidatorException: basic constraints check \
failed: this is not a CA certificate<br>
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)<br>
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)<br>
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)<br>
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)<br>
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)<br>
at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:869)<br>
... 10 more<br>
Caused by: java.security.cert.CertPathValidatorException: basic constraints check \
failed: this is not a CA certificate<br>
at sun.security.provider.certpath.ConstraintsChecker.checkBasicConstraints(ConstraintsChecker.java:259)<br>
at sun.security.provider.certpath.ConstraintsChecker.check(ConstraintsChecker.java:122)<br>
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)<br>
... 15 more<br>
FAILED auth<br>
Exception in thread "main" java.lang.NullPointerException<br>
at AppStarter.main(AppStarter.java:63)<br>
<br>
<br>
<br>
On 2020/09/16 09:38:12, Colm O hEigeartaigh <<a href="mailto:coheigea@apache.org" \
target="_blank">coheigea@apache.org</a>> wrote: <br> > What is the complete \
stack trace? A test-case with a sample cert to<br> > reproduce the problem would \
be helpful.<br> > <br>
> Colm.<br>
> <br>
> On Wed, Sep 16, 2020 at 2:31 AM Puri, Amanleen <<a \
href="mailto:apuri@visa.com" target="_blank">apuri@visa.com</a>> wrote:<br> > \
<br> > > Hi,<br>
> ><br>
> > I am using wss4j 2.3.0 to validate signature<br>
> > (wss4j-ws-security-dom-2.3.0.jar). However, the CA cert I use to \
initialize<br> > > my crypto object does not have Subject Type and other basic \
constraints.<br> > > Hence the signature validation fails with the following \
exception. The same<br> > > cert worked in wss4j 1.5.<br>
> ><br>
> ><br>
> ><br>
> > #Exception: java.security.cert.CertPathValidatorException: basic<br>
> > constraints check failed: this is not a CA certificate<br>
> ><br>
> ><br>
> ><br>
> > #Ask: Is there a way I could disable basic constraints check in wss4j<br>
> > 2.3.0?<br>
> ><br>
> ><br>
> ><br>
> > I'm calling , engine.processSecurityHeader where engine is an object of<br>
> > WSSecurityEngine.<br>
> ><br>
> ><br>
> ><br>
> > Looking forward to hearing from you.<br>
> ><br>
> ><br>
> ><br>
> > Best,<br>
> ><br>
> > Amanleen<br>
> ><br>
> <br>
</blockquote></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic