I think the best way to proceed is to have both the root and intermediate CA in the truststore. Then override the SignatureTrustValidator in WSS4J to specify a constraint on the Issuer DN of the certificate (after validating the cert path as normal), to make sure that it's the Intermediate Certificate that's the Issuer and not the root cert.
Colm. On Fri, Sep 30, 2016 at 10:36 AM, Claude Libois <[email protected]> wrote: > Ok I have checked the RFC3280 http://www.ietf.org/rfc/rfc3280.txt which > defined the algorithm implemented by the SUN provider. > So we have a certificate path and a TrustAnchors which must respect the > following constraints: > > (a) for all x in {1, ..., n-1}, the subject of certificate x is > the issuer of certificate x+1; > *(b) certificate 1 is issued by the trust anchor;* > (c) certificate n is the certificate to be validated; and > > (d) for all x in {1, ..., n}, the certificate was valid at the > time in question. > > The problem is the point b. I have noticed that in the certificate path I > have the Intermediate CA as certificate 1 and the client certificate as > certificate 2. In my trust anchor set I got the Intermediate CA. > The problem is that as , the Intermediate CA is not self-signed, b is not > true. > While debugging the Merlin classe I have removed the Intermediate CA from > the path and then everything works fine. I'm using WSS4J 2.0.4 and don't > know if there is a way to fix this by a configuration or a bug(not sure > it's one) fix ? > Best Regards, > Claude > > > > 2016-09-29 15:31 GMT+02:00 Claude Libois <[email protected]>: > > > With the debug info I get: > > certpath: PKIXCertPathValidator.engineValidate()... > > certpath: AdaptableX509CertSelector.match: subject key IDs don't match. > > *Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, > -80, > > 81, -87, 81, -36, 108, -3, -6, 28] * > > > > *Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, > > -87, -122, -61, -48, -111, -30, -80, 80, -99]* > > *certpath: NO - don't try this trustedCert* > > > > The first one(Expected) is the root CA and the second one(Cert's) is the > > intermediate CA. > > So it expect that both key identifier are same. I guess to check if it's > a > > self-signed ? > > BTW I'm using java 8. > > Best Regards, > > Claude > > > > 2016-09-29 15:02 GMT+02:00 Claude Libois <[email protected]>: > > > >> Well unfortunately that doesn't work. I have debug till Merlin crypto > >> java file and saw that everything looks fine(chain path to check with > >> client cert+intermediate CA and trust anchor on intermediate CA). > However > >> the validator seems to have a problem with this and since it's sun code > >> it's a bit harder to find why. > >> * if (provider == null || provider.length() == 0) {* > >> * validator = CertPathValidator.getInstance("PKIX");* > >> * } else {* > >> * validator = CertPathValidator.getInstance("PKIX", > >> provider);* > >> * }* > >> * validator.validate(path, param);* > >> I have decompiled some classe but can't debug since it's part of rt.jar. > >> I have enable the *-Djava.security.debug* and hope I will get usefull > >> info... > >> Claude > >> > >> 2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected]>: > >> > >>> 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>: > >>> > Hello, > >>> > This problem might be more related to how java validate certificate > >>> but I > >>> > give a try here. > >>> > My client certificate chain is Root CA>Intermediate CA> client Cert. > >>> > I wish to only trust certificate coming from Intermediate CA and not > >>> the > >>> > Root CA. > >>> > However, I have noticed that the PKI validator(which is the default > >>> one) > >>> > called by the Merlin failed to validate : > >>> > *Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: > >>> Error > >>> > during certificate path validation: Path does not chain with any of > the > >>> > trust anchors* > >>> > * at > >>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx > >>> y.java:160)* > >>> > * at com.sun.proxy.$Proxy34.submit(Unknown Source)* > >>> > * at > >>> > client.OffresEmploiClientSigning.doCall(OffresEmploiClientSi > >>> gning.java:87)* > >>> > * at > >>> > client.OffresEmploiClientSigning.main(OffresEmploiClientSign > >>> ing.java:65)* > >>> > * at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)* > >>> > * at > >>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce > >>> ssorImpl.java:57)* > >>> > * at > >>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe > >>> thodAccessorImpl.java:43)* > >>> > * at java.lang.reflect.Method.invoke(Method.java:606)* > >>> > * at com.intellij.rt.execution.application.AppMain.main(AppMain.j > >>> ava:120)* > >>> > *Caused by: org.apache.cxf.binding.soap.SoapFault: Error during > >>> certificate > >>> > path validation: Path does not chain with any of the trust anchors* > >>> > * at > >>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce > >>> ptor.unmarshalFault(Soap11FaultInInterceptor.java:86)* > >>> > * at > >>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce > >>> ptor.handleMessage(Soap11FaultInInterceptor.java:52)* > >>> > * at > >>> > org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterce > >>> ptor.handleMessage(Soap11FaultInInterceptor.java:41)* > >>> > * at > >>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase > >>> InterceptorChain.java:307)* > >>> > * at > >>> > org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserv > >>> er.onMessage(AbstractFaultChainInitiatorObserver.java:113)* > >>> > * at > >>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto > >>> r.handleMessage(CheckFaultInterceptor.java:69)* > >>> > * at > >>> > org.apache.cxf.binding.soap.interceptor.CheckFaultIntercepto > >>> r.handleMessage(CheckFaultInterceptor.java:34)* > >>> > * at > >>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase > >>> InterceptorChain.java:307)* > >>> > * at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java > >>> :802)* > >>> > * at > >>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea > >>> m.handleResponseInternal(HTTPConduit.java:1645)* > >>> > * at > >>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea > >>> m.handleResponse(HTTPConduit.java:1533)* > >>> > * at > >>> > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea > >>> m.close(HTTPConduit.java:1336)* > >>> > * at > >>> > org.apache.cxf.transport.AbstractConduit.close(AbstractCondu > >>> it.java:56)* > >>> > * at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit. > >>> java:652)* > >>> > * at > >>> > org.apache.cxf.interceptor.MessageSenderInterceptor$MessageS > >>> enderEndingInterceptor.handleMessage(MessageSenderInterceptor.java: > 62)* > >>> > * at > >>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase > >>> InterceptorChain.java:307)* > >>> > * at org.apache.cxf.endpoint.ClientImpl.doInvoke( > ClientImpl.java:516)* > >>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)* > >>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)* > >>> > * at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)* > >>> > * at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.j > >>> ava:96)* > >>> > * at > >>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProx > >>> y.java:138)* > >>> > > >>> > Is there a way to configure validation to trust non-selfsigned CA ? > >>> > >>> I guess that if you import only the Intermediate CA cert into your JKS > >>> as trusted certificate , certificate path validation doesn't required > >>> any more. > >>> > >>> > >>> > >>> > Best Regards, > >>> > Claude > >>> > >> > >> > > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
