No, but it would be pretty easy to implement as a custom extension of the SignatureTrustValidator.

Colm.

On Fri, Sep 30, 2016 at 11:06 AM, Claude Libois <[email protected]> wrote:

> Thanks for the answer,
> Is there something like wss.subject.cert.constraints that could add a
> constraint on the issuer DN?
> Best Regards,
> Claude
>
> 2016-09-30 12:04 GMT+02:00 Colm O hEigeartaigh <[email protected]>:
>
> > I think the best way to proceed is to have both the root and intermediate
> > CA in the truststore. Then override the SignatureTrustValidator in WSS4J to
> > specify a constraint on the Issuer DN of the certificate (after validating
> > the cert path as normal), to make sure that it's the Intermediate
> > Certificate that's the Issuer and not the root cert.
> >
> > Colm.
> >
> > On Fri, Sep 30, 2016 at 10:36 AM, Claude Libois <[email protected]> wrote:
> >
> > > OK, I have checked RFC 3280 (http://www.ietf.org/rfc/rfc3280.txt), which
> > > defines the algorithm implemented by the SUN provider.
> > > So we have a certificate path and a set of TrustAnchors which must respect
> > > the following constraints:
> > >
> > >   (a) for all x in {1, ..., n-1}, the subject of certificate x is
> > >       the issuer of certificate x+1;
> > >   (b) certificate 1 is issued by the trust anchor;
> > >   (c) certificate n is the certificate to be validated; and
> > >   (d) for all x in {1, ..., n}, the certificate was valid at the
> > >       time in question.
> > >
> > > The problem is point (b). I have noticed that in the certificate path I
> > > have the Intermediate CA as certificate 1 and the client certificate as
> > > certificate 2. In my trust anchor set I have the Intermediate CA.
> > > The problem is that, as the Intermediate CA is not self-signed, (b) is not
> > > true.
> > > While debugging the Merlin class I removed the Intermediate CA from
> > > the path and then everything works fine. I'm using WSS4J 2.0.4 and don't
> > > know if there is a way to fix this by configuration or by a bug (not sure
> > > it's one) fix?
> > > Best Regards,
> > > Claude
> > >
> > > 2016-09-29 15:31 GMT+02:00 Claude Libois <[email protected]>:
> > >
> > > > With the debug info I get:
> > > >
> > > > certpath: PKIXCertPathValidator.engineValidate()...
> > > > certpath: AdaptableX509CertSelector.match: subject key IDs don't match.
> > > > Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, 81, -87, 81, -36, 108, -3, -6, 28]
> > > > Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, -87, -122, -61, -48, -111, -30, -80, 80, -99]
> > > > certpath: NO - don't try this trustedCert
> > > >
> > > > The first one (Expected) is the root CA and the second one (Cert's) is the
> > > > intermediate CA.
> > > > So it expects that both key identifiers are the same. I guess to check if
> > > > it's self-signed?
> > > > BTW I'm using Java 8.
> > > > Best Regards,
> > > > Claude
> > > >
> > > > 2016-09-29 15:02 GMT+02:00 Claude Libois <[email protected]>:
> > > >
> > > > > Well, unfortunately that doesn't work. I have debugged down to the Merlin
> > > > > crypto Java file and saw that everything looks fine (chain path to check
> > > > > with client cert + intermediate CA, and trust anchor on intermediate CA).
> > > > > However the validator seems to have a problem with this, and since it's
> > > > > Sun code it's a bit harder to find why.
> > > > >
> > > > >     if (provider == null || provider.length() == 0) {
> > > > >         validator = CertPathValidator.getInstance("PKIX");
> > > > >     } else {
> > > > >         validator = CertPathValidator.getInstance("PKIX", provider);
> > > > >     }
> > > > >     validator.validate(path, param);
> > > > >
> > > > > I have decompiled some classes but can't debug since it's part of rt.jar.
> > > > > I have enabled -Djava.security.debug and hope I will get useful
> > > > > info...
> > > > > Claude
> > > > >
> > > > > 2016-09-29 14:07 GMT+02:00 Jose María Zaragoza <[email protected]>:
> > > > >
> > > > > > 2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>:
> > > > > > > Hello,
> > > > > > > This problem might be more related to how Java validates certificates,
> > > > > > > but I'll give it a try here.
> > > > > > > My client certificate chain is Root CA > Intermediate CA > client Cert.
> > > > > > > I wish to only trust certificates coming from the Intermediate CA and
> > > > > > > not the Root CA.
> > > > > > > However, I have noticed that the PKI validator (which is the default
> > > > > > > one) called by Merlin fails to validate:
> > > > > > >
> > > > > > > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Error during certificate path validation: Path does not chain with any of the trust anchors
> > > > > > >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
> > > > > > >     at com.sun.proxy.$Proxy34.submit(Unknown Source)
> > > > > > >     at client.OffresEmploiClientSigning.doCall(OffresEmploiClientSigning.java:87)
> > > > > > >     at client.OffresEmploiClientSigning.main(OffresEmploiClientSigning.java:65)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > > >     at java.lang.reflect.Method.invoke(Method.java:606)
> > > > > > >     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> > > > > > > Caused by: org.apache.cxf.binding.soap.SoapFault: Error during certificate path validation: Path does not chain with any of the trust anchors
> > > > > > >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
> > > > > > >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
> > > > > > >     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
> > > > > > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> > > > > > >     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
> > > > > > >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
> > > > > > >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
> > > > > > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> > > > > > >     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> > > > > > >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
> > > > > > >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
> > > > > > >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
> > > > > > >     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> > > > > > >     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
> > > > > > >     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> > > > > > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> > > > > > >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
> > > > > > >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
> > > > > > >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
> > > > > > >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
> > > > > > >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> > > > > > >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
> > > > > > >
> > > > > > > Is there a way to configure validation to trust a non-self-signed CA?
> > > > > >
> > > > > > I guess that if you import only the Intermediate CA cert into your JKS
> > > > > > as a trusted certificate, certificate path validation isn't required
> > > > > > any more.
> > > > > >
> > > > > > > Best Regards,
> > > > > > > Claude
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
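An added example of the SignatureTrustValidator override Colm suggests above. This is not code from the thread, from WSS4J or from CXF; it assumes WSS4J 2.x class names, that both the root and the intermediate CA are in the truststore (so the normal PKIX path validation succeeds), and a made-up intermediate CA DN. The point of calling super.validate() first is that the issuer DN alone proves nothing: anyone can mint a certificate whose issuer field says "Intermediate CA", and only the chained signature check ties the end-entity certificate to a key in the truststore. The DN constraint then rejects a certificate that chains validly but was issued directly by the root.

```java
package com.example.ws; // hypothetical package

import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;

/**
 * Added example (not WSS4J code): accept a signing certificate only if
 * WSS4J's normal certificate path validation succeeds AND the end-entity
 * certificate was issued by one specific intermediate CA.
 */
public class IntermediateIssuerTrustValidator extends SignatureTrustValidator {

    // Assumed DN of the only CA that is allowed to issue client certificates.
    // X500Principal.equals() compares the canonical (RFC 2253) form, so
    // attribute order and whitespace differences do not cause false mismatches.
    private static final X500Principal REQUIRED_ISSUER =
            new X500Principal("CN=Intermediate CA, O=Example, C=BE");

    @Override
    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        // 1. Normal WSS4J behaviour: build the path from the signing cert and
        //    validate it against the truststore (root + intermediate), including
        //    the usual validity and revocation checks.
        Credential validated = super.validate(credential, data);

        // 2. Additional constraint: the end-entity certificate (certs[0]) must
        //    have been issued by the intermediate CA, not by the root directly.
        X509Certificate[] certs = validated.getCertificates();
        if (certs == null || certs.length == 0) {
            // Public-key-only credentials cannot satisfy an issuer constraint.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        X509Certificate signer = certs[0];
        if (!REQUIRED_ISSUER.equals(signer.getIssuerX500Principal())) {
            // Chains to a trust anchor, but via an issuer we do not accept.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        return validated;
    }
}
```

To wire it in, register the instance as the signature validator for the endpoint, for example through the CXF JAX-WS property map (the property name "ws-security.signature.validator" is the CXF constant SecurityConstants.SIGNATURE_TOKEN_VALIDATOR as I recall it; check it against the CXF version in use), or directly with WSSConfig.setValidator(WSConstants.SIGNATURE, ...) when using WSS4J on its own. Keep the root in the truststore: with only the intermediate as a trust anchor, Merlin passes the intermediate inside the path and the SUN PKIX validator fails condition (b) from RFC 3280 as described earlier in the thread, which is exactly why the constraint is enforced here after path validation rather than by removing the root.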
