With the debug info I get:

certpath: PKIXCertPathValidator.engineValidate()...
certpath: AdaptableX509CertSelector.match: subject key IDs don't match.
Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, 81, -87, 81, -36, 108, -3, -6, 28]
Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, -87, -122, -61, -48, -111, -30, -80, 80, -99]
certpath: NO - don't try this trustedCert

The first one (Expected) is the root CA and the second one (Cert's) is the intermediate CA. So it expects both key identifiers to be the same. I guess to check if it's self-signed? BTW I'm using Java 8.

Best Regards,
Claude

2016-09-29 15:02 GMT+02:00 Claude Libois <[email protected]>:

> Well, unfortunately that doesn't work. I have debugged down to the Merlin crypto Java file and saw that everything looks fine (chain path to check with client cert + intermediate CA, and trust anchor on the intermediate CA). However, the validator seems to have a problem with this, and since it's Sun code it's a bit harder to find out why.
>
>     if (provider == null || provider.length() == 0) {
>         validator = CertPathValidator.getInstance("PKIX");
>     } else {
>         validator = CertPathValidator.getInstance("PKIX", provider);
>     }
>     validator.validate(path, param);
>
> I have decompiled some classes but can't debug since it's part of rt.jar. I have enabled -Djava.security.debug and hope I will get useful info...
>
> Claude
>
> 2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected]>:
>
>> 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>:
>>
>> > Hello,
>> > This problem might be more related to how Java validates certificates, but I'll give it a try here.
>> > My client certificate chain is Root CA > Intermediate CA > client cert.
>> > I wish to only trust certificates coming from the Intermediate CA and not the Root CA.
>> > However, I have noticed that the PKI validator (which is the default one) called by Merlin fails to validate:
>> >
>> > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Error during certificate path validation: Path does not chain with any of the trust anchors
>> >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>> >     at com.sun.proxy.$Proxy34.submit(Unknown Source)
>> >     at client.OffresEmploiClientSigning.doCall(OffresEmploiClientSigning.java:87)
>> >     at client.OffresEmploiClientSigning.main(OffresEmploiClientSigning.java:65)
>> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> >     at java.lang.reflect.Method.invoke(Method.java:606)
>> >     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
>> > Caused by: org.apache.cxf.binding.soap.SoapFault: Error during certificate path validation: Path does not chain with any of the trust anchors
>> >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
>> >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
>> >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
>> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> >     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
>> >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>> >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> >     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
>> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
>> >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
>> >     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>> >     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
>> >     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>> >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>> >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
>> >
>> > Is there a way to configure validation to trust a non-self-signed CA?
>>
>> I guess that if you import only the Intermediate CA cert into your JKS as a trusted certificate, certificate path validation isn't required any more.
>>
>> > Best Regards,
>> > Claude
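A note on what the debug lines above are comparing, followed by an added example that is not code from the thread, from CXF or from WSS4J's Merlin. The two arrays are DER OCTET STRINGs: the leading `4, 20` is the OCTET STRING tag and a length of 20, and the remaining 20 bytes are a key identifier. The JDK 8 PKIX validator (the output of `-Djava.security.debug=certpath`) fills an `AdaptableX509CertSelector` from the first certificate in the `CertPath`, using that certificate's issuer name and its AuthorityKeyIdentifier, and then tries each trust anchor against it; "Expected" is therefore the AKI of the first certificate in the path and "Cert's" is the candidate anchor's SKI. Under RFC 5280 section 6.1 the trust anchor is an input to the algorithm, not a path element, so the path handed to `validate` should contain only the certificates below the anchor, end-entity first. The example below prints the SKI/AKI pairs so the mismatch can be spotted without decompiling rt.jar, and then runs the same PKIX validation Merlin performs with the intermediate CA as the only anchor. File names, PEM encoding and the disabled revocation check are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the thread): validate a client certificate against an
 * intermediate CA used directly as the trust anchor, and print the SKI/AKI values
 * the JDK's PKIX validator compares. File names are assumptions; run with
 * -Djava.security.debug=certpath to see the same "subject key IDs" debug lines.
 */
public class IntermediateAnchorCheck {

    static X509Certificate load(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Index of the first content byte of the DER TLV that starts at i (short- and long-form lengths). */
    static int content(byte[] d, int i) {
        int len = d[i + 1] & 0xFF;
        return len < 0x80 ? i + 2 : i + 2 + (len & 0x7F);
    }

    /** SubjectKeyIdentifier (2.5.29.14): extnValue is OCTET STRING { OCTET STRING { keyIdentifier } }. */
    static String subjectKeyId(X509Certificate c) {
        byte[] v = c.getExtensionValue("2.5.29.14");
        if (v == null) return null;
        int i = content(v, content(v, 0));
        return hex(Arrays.copyOfRange(v, i, v.length));
    }

    /** AuthorityKeyIdentifier (2.5.29.35): OCTET STRING { SEQUENCE { [0] keyIdentifier OPTIONAL, ... } }. */
    static String authorityKeyId(X509Certificate c) {
        byte[] v = c.getExtensionValue("2.5.29.35");
        if (v == null) return null;
        int i = content(v, content(v, 0));        // first element inside the SEQUENCE
        if (v[i] != (byte) 0x80) return null;     // keyIdentifier absent (issuer/serial form only)
        int len = v[i + 1] & 0xFF;                // key identifiers are short (20 bytes for SHA-1)
        return hex(Arrays.copyOfRange(v, i + 2, i + 2 + len));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /**
     * Path = certificates below the anchor, end-entity first. The anchor is an input to the
     * algorithm and is not included in the path (RFC 5280 section 6.1).
     */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> leafFirst, X509Certificate anchor)
            throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(leafFirst);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false);       // assumption: no CRL/OCSP reachable from this check
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate client = load("client.pem");             // assumed file names
        X509Certificate intermediate = load("intermediate.pem");
        for (X509Certificate c : Arrays.asList(client, intermediate)) {
            System.out.println(c.getSubjectX500Principal());
            System.out.println("  SKI=" + subjectKeyId(c) + "  AKI=" + authorityKeyId(c));
        }
        // For the anchor to be tried at all, the first path cert's AKI must equal the anchor's SKI
        // and its issuer must equal the anchor's subject; that is the "subject key IDs don't match" check.
        try {
            PKIXCertPathValidatorResult r = validate(Collections.singletonList(client), intermediate);
            System.out.println("OK, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("FAILED: " + e.getMessage()
                    + " (reason " + e.getReason() + ", index " + e.getIndex() + ")");
        }
    }
}
```

If the printed AKI of the first certificate in the path equals the root CA's SKI rather than the intermediate's, the path handed to the validator starts with the intermediate CA certificate instead of the client certificate, which is exactly the situation the debug output above describes: the selector expects the root's key identifier and rejects the intermediate anchor.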
