A valid CA certificate in my keystore throws an exception, since the wss4j code is not properly parsing a valid certificate. Merlin.java validateCertPath does:

    public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
        ...
        // Add certificates from the keystore
        Enumeration aliases = this.keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            X509Certificate cert = (X509Certificate) this.keystore.getCertificate(alias);
            TrustAnchor anchor = new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
            set.add(anchor);
        }
        ...
The issue is that the cert.getExtensionValue bytes must be parsed prior to sending them to TrustAnchor, since it is valid to have the name constraints wrapped as an OCTET_STRING. So the code should look like this:

    byte[] ba = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
    if (ba != null && ba[0] == 0x04) { // if ba is wrapped in an OCTET STRING, unwrap it
        ba = ((org.bouncycastle.asn1.ASN1OctetString)
                org.bouncycastle.asn1.ASN1Object.fromByteArray(ba)).getOctets();
    }
    TrustAnchor anchor = new TrustAnchor(cert, ba);
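As an added example that is not WSS4J's code, the same unwrapping can be done with the JDK alone by decoding the DER OCTET STRING header that X509Certificate.getExtensionValue() always returns, since TrustAnchor throws IllegalArgumentException when it cannot decode the bytes as NameConstraints; the class and method names below are my own, and the keystore loop mirrors the one in validateCertPath.

```java
import java.security.KeyStore;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

public class NameConstraintsAnchors {
    // OID of the X.509 NameConstraints extension (RFC 5280, section 4.2.1.10)
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
    // getExtensionValue() returns the DER OCTET STRING wrapping the extension value;
    // TrustAnchor wants the DER NameConstraints inside it. Hand-decoded, no Bouncy Castle.
    static byte[] unwrapOctetString(byte[] ba) {
        if (ba == null || ba.length < 2 || ba[0] != 0x04) {
            return ba; // null, or not an OCTET STRING: pass through unchanged
        }
        int len = ba[1] & 0xFF;
        int offset = 2;
        if (len >= 0x80) { // long form: 0x8N followed by N length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 4 || ba.length < 2 + n) {
                throw new IllegalArgumentException("invalid DER OCTET STRING length");
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (ba[2 + i] & 0xFF);
            }
            offset = 2 + n;
        }
        if (ba.length != offset + len) {
            throw new IllegalArgumentException("OCTET STRING length does not match data");
        }
        byte[] inner = new byte[len];
        System.arraycopy(ba, offset, inner, 0, len);
        return inner;
    }

    // Builds the trust anchor set the way validateCertPath iterates the keystore, but with
    // the name constraints unwrapped first; certificates without the extension get null.
    static Set<TrustAnchor> trustAnchorsFrom(KeyStore keystore) throws Exception {
        Set<TrustAnchor> set = new HashSet<TrustAnchor>();
        Enumeration<String> aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate cert = (X509Certificate) keystore.getCertificate(aliases.nextElement());
            if (cert == null) continue; // alias without a certificate entry
            set.add(new TrustAnchor(cert, unwrapOctetString(cert.getExtensionValue(NAME_CONSTRAINTS_OID))));
        }
        return set;
    }
}
```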