Alas, No extra debugging information appeared for me with the
-Djavax.net.debug=ssl:handshake.
I still get
WARN http-8443-Processor25 gov.sensornet.security.X509Realm - Check OCSP
Credentials: CertPathValidatorException:
java.security.cert.CertPathValidatorException: javax.net.ssl.SSLException:
java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter
must be non-empty
What I am trying to do is to create a custom Realm that checks a user's PKI
certificate for revocation. I have looked at the Tomcat (5.5) source, and so
far as I can tell, Tomcat's certificate realms only check that the certificate
was signed by a trusted CA and is valid today.
With some code from Sun, I can properly check OCSP revocation in a servlet
filter. But when I try to move the same code to a custom Realm, I get the above
error.
The code is as follows:
// ---------------------------------------------------------------------
// METHOD: enableOSCP() -
/***************************************************************************
* Enable OCSP certificate checking. This initializes the appropriate
* parameters to enable OCSP.
*/
private void enableOCSP() {
TrustAnchor caAnchor = new TrustAnchor(CACert, null);
Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
trustedCertsSet.add(caAnchor);
// init cert store
Set<X509Certificate> certSet = new HashSet<X509Certificate>();
certSet.add(OCSPCert);
try {
CertStoreParameters storeParams = new
CollectionCertStoreParameters(
certSet);
CertStore store = CertStore.getInstance("Collection",
storeParams);
// init PKIX parameters
params = new PKIXParameters(trustedCertsSet);
params.addCertStore(store);
params.setRevocationEnabled(true);
System.setProperty("javax.net.ssl.trustStoreType",
"JKS");
System.setProperty("javax.net.ssl.trustStore",
"/usr/share/jboss/Certificates/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword","mypassword");
// enable OCSP
java.security.Security.setProperty("ocsp.enable",
"true");
java.security.Security.setProperty("ocsp.responderURL",
OCSPURL);
java.security.Security.setProperty("ocsp.responderCertSubjectName",
OCSPCert.getSubjectX500Principal().getName());
log.debug("ocsp.responder=" +
java.security.Security.getProperty("ocsp.responderCertSubjectName"));
} catch (Exception ex) {
log.warn("Error enabling OCSP: " + ex);
}
}
Then in X509Realm.authenticate(), I do:
// --------------------------------------------------------- Public Methods
/**
* Return the Principal associated with the specified chain of X509
* client certificates. If there is none, return <code>null</code>.
*
* @param certs Array of client certificates, with the first one in
* the array being the certificate of the client itself.
*/
public Principal authenticate(X509Certificate certs[]) {
System.out.println("In Certificate authenticate");
log.debug("In authenticate");
if ((certs == null) || (certs.length < 1))
return (null);
// Check the validity of each certificate in the chain
if (log.isDebugEnabled())
log.debug("Authenticating client certificate chain");
if (validate) {
for (int i = 0; i < certs.length; i++) {
if (log.isDebugEnabled())
log.debug(" Checking validity for '" +
certs[i].getSubjectDN().getName() + "'");
try {
certs[i].checkValidity();
} catch (CertificateExpiredException cee) {
log.warn(STATUS_EXPIRED);
return (null);
} catch (CertificateNotYetValidException cnyve) {
log.warn(STATUS_NOT_YET_VALID);
return (null);
}
}
// Verify that we signed the presented certificate
// log.debug(CAPubKey.toString());
log.debug("UserDN=" + certs[0].getSubjectDN());
try {
certs[0].verify(CAPubKey);
} catch (CertificateException ce) {
log.warn(STATUS_BAD_ENCODING);
return (null);
} catch (NoSuchAlgorithmException nsa) {
log.warn(STATUS_NSA);
return (null);
} catch (InvalidKeyException ivk) {
log.warn(STATUS_INVALID_KEY);
return (null);
} catch (NoSuchProviderException nsp) {
log.warn(STATUS_NSP);
return (null);
} catch (SignatureException se) {
log.warn(STATUS_BAD_SIGNATURE);
return (null);
}
// Passed verification test.
// Now check to see if it was revoked
// Check the OCSP server for revocation
enableOCSP();
log.debug("ocsp.responderURL=" +
Security.getProperty("ocsp.responderURL"));
log.debug("ocsp.responderCertSubjectName=" +
Security.getProperty("ocsp.responderCertSubjectName"));
log.debug("Start params " + this.toString() +"\n"
+params.toString());
log.debug("End params");
try {
CertPath cp = null;
Vector<X509Certificate> vcerts = new
Vector<X509Certificate>();
vcerts.add(certs[0]);
// init cert path
CertificateFactory cf =
CertificateFactory.getInstance("X509");
cp = (CertPath) cf.generateCertPath(vcerts);
log.debug("CertPath=" + cp.toString());
log.debug(params.getTrustAnchors().toString());
Iterator it = params.getCertStores().iterator();
while(it.hasNext()) {
log.debug("CertStore=" + it.next().toString());
}
CertPathValidator cpv =
CertPathValidator.getInstance("PKIX");
PKIXCertPathValidatorResult cpv_result
= (PKIXCertPathValidatorResult) cpv.validate(cp,
params);
log.debug("cpv_result=" + cpv_result.toString());
X509Certificate trustedCert = (X509Certificate)
cpv_result
.getTrustAnchor().getTrustedCert();
if (trustedCert == null) {
log.warn("Trusted Cert = NULL");
}
} catch (CertPathValidatorException e) {
CertPath cp = e.getCertPath();
int ind = e.getIndex();
log.warn("Check OCSP Credentials:
CertPathValidatorException: " + e);
log.warn("Cert Path=" + cp.toString() + " index=" +
ind);
return (null);
} catch (CertificateException e) {
log.warn("CertificateException: " + e);
return (null);
} catch (NoSuchAlgorithmException e) {
log.warn("NoSuchAlgorithmException: " + e);
return (null);
} catch (InvalidAlgorithmParameterException e) {
log.warn("InvalidAlgorithmParameterException: " + e);
return (null);
}
} // End of validate
// Check the existence of the client Principal in our database
Principal subject = certs[0].getSubjectDN();
return (subject);
}
I print out the PKIX parameters, and my CA certufucate is in there. So what can
be different about running this in a Tomcat Realm vs a Tomcat filter?
Thanks,
Jim
------------------------------
You want to put this in the Java tab under Java Options.
Best regards
Robert.
-----Original Message-----
From: James Rome [mailto:[EMAIL PROTECTED]
Sent: 17 October 2005 16:00
To: [email protected]
Subject: SSL Error : Please HELP
I tried putting
start -Djavax.net.debug=ssl:handshake
in the Windows 5.5 GUI startup tab under arguments and Tomcat will not start
How does one get this to work?
Jim
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
