Subject: custom PKIXCertPathChecker (chap 7)
Posted By: rayback_2 Post Date: 7/23/2008 5:43:34 AM

Hi

I implemented my own PKIXCertPathChecker which checks the status of a cert using OCSP and also some custom extensions. My custom certpathchecker is stateful, and does not support ForwardChecking, since we need certificates passed to our checker starting from the Trust Anchor and going to the target (end entity) certificate, as described in chapter 7.

Below is the output of the certificate chain (1), the certstore passed to PKIXParameters (2), the certpath passed to PKIXParameters (3) and the Trust Anchor used to construct PKIXParameters (4).

1)
***********************
printing certchain for CN=Sample User Certficate
CN=SubAdminCA2,O=EJBCA Sample,C=SE
CN=AdminCA1,O=EJBCA Sample,C=SE
***********************

2)
***********************
printing certs in certstore
CN=Sample User Certficate issuer is CN=SubAdminCA2,O=EJBCA Sample,C=SE
CN=AdminCA1,O=EJBCA Sample,C=SE issuer is CN=AdminCA1,O=EJBCA Sample,C=SE
CN=SubAdminCA2,O=EJBCA Sample,C=SE issuer is CN=AdminCA1,O=EJBCA Sample,C=SE
***********************

3)
***********************
printing certs in certpath
CN=Sample User Certficate issuer is CN=SubAdminCA2,O=EJBCA Sample,C=SE
CN=SubAdminCA2,O=EJBCA Sample,C=SE issuer is CN=AdminCA1,O=EJBCA Sample,C=SE
***********************

4)
***********************
printing trust anchor CN=AdminCA1,O=EJBCA Sample,C=SE
***********************

Inside the check method of CustomCertPathChecker I print the certificate passed as argument, and the only thing printed is

***********************
certificate prsented to pathcheckerCN=Sample User Certficate
***********************

So it seems as if the only certificate passed to CustomCertPathChecker is the end entity certificate; I would assume from the text that it should be AdminCA1 first, followed by SubAdminCA2, and last Sample User Certficate.

NOTE: I set setRevocationEnabled(false) on PKIXParameters, and add my customcertpathchecker through addCertPathChecker. CertPathValidator is constructed as CertPathValidator.getInstance("PKIX", "BC").


Any advice would be greatly appreciated.

Sincerely
Ray
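To make the expected behaviour concrete, here is an added example (not code from the poster or from the Bouncy Castle project) that wires a stateful, reverse-only PKIXCertPathChecker into PKIXParameters exactly as the post describes (setRevocationEnabled(false), addCertPathChecker, CertPathValidator.getInstance("PKIX", "BC")) and records which certificates the validator hands to check(). It builds its own three-certificate chain with the same subject names as the post; the certificate-building calls (JcaX509v3CertificateBuilder, JcaContentSignerBuilder, JcaX509CertificateConverter from bcpkix) are current API that post-dates this thread and are my choice for keeping the example self-contained, and the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class PathCheckerOrderDemo {

    /** Stateful checker: reverse order only (trust anchor side first), records each subject it is shown. */
    static final class OrderRecordingChecker extends PKIXCertPathChecker {
        private final List<String> seen = new ArrayList<>();

        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
            seen.clear();
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; } // resolves no critical extensions
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x = (X509Certificate) cert;
            seen.add(x.getSubjectX500Principal().getName());
            // an OCSP query or custom-extension check for 'x' would go here
        }
        // The validator works on clones (the post observed clone() being called several times).
        // The inherited shallow clone shares the 'seen' list on purpose, so the caller's
        // instance can read what the validator's copy observed.
        @Override public Object clone() { return super.clone(); }
        List<String> seen() { return seen; }
    }

    private static long serial = 1;

    /** Hypothetical helper: issues a one-hour certificate signed by issuerKey; CA flag via basicConstraints. */
    static X509Certificate makeCert(String subject, PublicKey subjectPub, String issuer,
                                    PrivateKey issuerKey, boolean isCa) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial++), new Date(now - 60_000L),
                new Date(now + 3_600_000L), new X500Name(subject), subjectPub);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey)));
    }

    /** Validates a constructed chain with the same names as the post and returns the order seen by check(). */
    static List<String> validateSampleChain() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair rootKp = kpg.generateKeyPair(), subKp = kpg.generateKeyPair(), userKp = kpg.generateKeyPair();
        String rootDn = "CN=AdminCA1,O=EJBCA Sample,C=SE";
        String subDn  = "CN=SubAdminCA2,O=EJBCA Sample,C=SE";
        String userDn = "CN=Sample User Certficate";
        X509Certificate root = makeCert(rootDn, rootKp.getPublic(), rootDn, rootKp.getPrivate(), true);
        X509Certificate sub  = makeCert(subDn,  subKp.getPublic(),  rootDn, rootKp.getPrivate(), true);
        X509Certificate user = makeCert(userDn, userKp.getPublic(), subDn,  subKp.getPrivate(),  false);

        // CertPath is end entity first, as in the post; the trust anchor is not part of the path.
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        CertPath path = cf.generateCertPath(Arrays.asList(user, sub));

        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // the custom checker does its own status checking
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(root, sub, user)), "BC"));
        OrderRecordingChecker checker = new OrderRecordingChecker();
        params.addCertPathChecker(checker);

        CertPathValidator.getInstance("PKIX", "BC").validate(path, params);
        return checker.seen();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // A correct provider presents SubAdminCA2 first, then the end entity; the anchor itself is never presented.
        for (String subject : validateSampleChain()) System.out.println("presented: " + subject);
    }
}
```

With a provider that honours reverse checking, the list returned by validateSampleChain() holds the intermediate CA followed by the end entity and nothing else: the trust anchor is the starting point of validation, not something the checker is asked to check. A provider that only ever presents the end-entity certificate, as in the output above, would return a one-element list, which makes this a handy regression check for the behaviour the thread is about.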



Reply By: rayback_2 Reply Date: 7/23/2008 8:42:26 AM

Some extra info,

Debugging reveals that the constructor is called first, then clone is called 4 times, then init, and lastly check is called with the user certificate.

Also, I explicitly specify the provider as "BC" wherever appropriate (CertificateFactory.getInstance("X509", "BC"), CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), "BC"), CertPathValidator.getInstance("PKIX", "BC")).

Maybe it will give some clue.

Sincerely
Ray

Reply By: dgh Reply Date: 7/23/2008 9:41:52 PM
You wouldn't expect the trust anchor to appear, as it is assumed that the trust anchor is the basis for the chain; if you imagine the CRL case you can see that the CRL for the trust anchor is checked against the intermediate certificates, not the trust anchor itself.

With the checker only being called on the end entity, that has to be a bug. It appears to have been introduced in 1.39 during the path checker rewrite. Try the provider at http://downloads.bouncycastle.org/betas - that should fix your problem.

Regards,

David

Reply By: rayback_2 Reply Date: 7/24/2008 2:13:54 AM
Hi

Yes you are right about trust anchor.

So it was a filed bug with the path checker; I will try the beta in the hope that it will be released soon.
Thanks a lot

Sincerely
Ray
