2016-09-30 11:36 GMT+02:00 Claude Libois <[email protected]>: > Ok I have checked the RFC3280 http://www.ietf.org/rfc/rfc3280.txt which > defined the algorithm implemented by the SUN provider. > So we have a certificate path and a TrustAnchors which must respect the > following constraints: > > (a) for all x in {1, ..., n-1}, the subject of certificate x is > the issuer of certificate x+1; > *(b) certificate 1 is issued by the trust anchor;* > (c) certificate n is the certificate to be validated; and > > (d) for all x in {1, ..., n}, the certificate was valid at the > time in question. > > The problem is the point b. I have noticed that in the certificate path I > have the Intermediate CA as certificate 1 and the client certificate as > certificate 2. > In my trust anchor set I got the Intermediate CA. > The problem is that as , the Intermediate CA is not self-signed, b is not > true.
I 'm not understanding ( my fault, for sure ) Intermediate CA be not self-signed cannot be a problem because, afaik, all intermediate CA aren't self-signed > While debugging the Merlin classe I have removed the Intermediate CA from > the path and then everything works fine. I'm using WSS4J 2.0.4 and don't > know if there is a way to fix this by a configuration or a bug(not sure > it's one) fix ? > Best Regards, > Claude > > > > 2016-09-29 15:31 GMT+02:00 Claude Libois <[email protected]>: > >> With the debug info I get: >> certpath: PKIXCertPathValidator.engineValidate()... >> certpath: AdaptableX509CertSelector.match: subject key IDs don't match. >> *Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, >> 81, -87, 81, -36, 108, -3, -6, 28] * >> >> *Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, >> -87, -122, -61, -48, -111, -30, -80, 80, -99]* >> *certpath: NO - don't try this trustedCert* >> >> The first one(Expected) is the root CA and the second one(Cert's) is the >> intermediate CA. >> So it expect that both key identifier are same. I guess to check if it's a >> self-signed ? >> BTW I'm using java 8. >> Best Regards, >> Claude >> >> 2016-09-29 15:02 GMT+02:00 Claude Libois <[email protected]>: >> >>> Well unfortunately that doesn't work. I have debug till Merlin crypto >>> java file and saw that everything looks fine(chain path to check with >>> client cert+intermediate CA and trust anchor on intermediate CA). However >>> the validator seems to have a problem with this and since it's sun code >>> it's a bit harder to find why. >>> * if (provider == null || provider.length() == 0) {* >>> * validator = CertPathValidator.getInstance("PKIX");* >>> * } else {* >>> * validator = CertPathValidator.getInstance("PKIX", >>> provider);* >>> * }* >>> * validator.validate(path, param);* >>> I have decompiled some classe but can't debug since it's part of rt.jar. >>> I have enable the *-Djava.security.debug* and hope I will get usefull >>> info... >>> Claude >>> >>> 2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected]>: >>> >>>> 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>: >>>> > Hello, >>>> > This problem might be more related to how java validate certificate >>>> but I >>>> > give a try here. >>>> > My client certificate chain is Root CA>Intermediate CA> client Cert. >>>> > I wish to only trust certificate coming from Intermediate CA and not >>>> the >>>> > Root CA. >>>> > However, I have noticed that the PKI validator(which is the default >>>> one) >>>> > called by the Merlin failed to validate : >>>> > *Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: >>>> Error >>>> > during certificate path validation: Path does not chain with any of the >>>> > trust anchors* >>>> > * at >>>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx >>>> y.java:160)* >>>> > * at com.sun.proxy.$Proxy34.submit(Unknown Source)* >>>> > * at >>>> > client.OffresEmploiClientSigning.doCall(OffresEmploiClientSi >>>> gning.java:87)* >>>> > * at >>>> > client.OffresEmploiClientSigning.main(OffresEmploiClientSign >>>> ing.java:65)* >>>> > * at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)* >>>> > * at >>>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>>> ssorImpl.java:57)* >>>> > * at >>>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>>> thodAccessorImpl.java:43)* >>>> > * at java.lang.reflect.Method.invoke(Method.java:606)* >>>> > * at com.intellij.rt.execution.application.AppMain.main(AppMain.j >>>> ava:120)* >>>> > *Caused by: org.apache.cxf.binding.soap.SoapFault: Error during >>>> certificate >>>> > path validation: Path does not chain with any of the trust anchors* >>>> > * at >>>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce >>>> ptor.unmarshalFault(Soap11FaultInInterceptor.java:86)* >>>> > * at >>>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce >>>> ptor.handleMessage(Soap11FaultInInterceptor.java:52)* >>>> > * at >>>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce >>>> ptor.handleMessage(Soap11FaultInInterceptor.java:41)* >>>> > * at >>>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase >>>> InterceptorChain.java:307)* >>>> > * at >>>> > org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserv >>>> er.onMessage(AbstractFaultChainInitiatorObserver.java:113)* >>>> > * at >>>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto >>>> r.handleMessage(CheckFaultInterceptor.java:69)* >>>> > * at >>>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto >>>> r.handleMessage(CheckFaultInterceptor.java:34)* >>>> > * at >>>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase >>>> InterceptorChain.java:307)* >>>> > * at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java >>>> :802)* >>>> > * at >>>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea >>>> m.handleResponseInternal(HTTPConduit.java:1645)* >>>> > * at >>>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea >>>> m.handleResponse(HTTPConduit.java:1533)* >>>> > * at >>>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea >>>> m.close(HTTPConduit.java:1336)* >>>> > * at >>>> > org.apache.cxf.transport.AbstractConduit.close(AbstractCondu >>>> it.java:56)* >>>> > * at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit. >>>> java:652)* >>>> > * at >>>> > org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS >>>> enderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)* >>>> > * at >>>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase >>>> InterceptorChain.java:307)* >>>> > * at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)* >>>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)* >>>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)* >>>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)* >>>> > * at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.j >>>> ava:96)* >>>> > * at >>>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx >>>> y.java:138)* >>>> > >>>> > Is there a way to configure validation to trust non-selfsigned CA ? >>>> >>>> I guess that if you import only the Intermediate CA cert into your JKS >>>> as trusted certificate , certificate path validation doesn't required >>>> any more. >>>> >>>> >>>> >>>> > Best Regards, >>>> > Claude >>>> >>> >>> >>
