Monday, May 30, 2011

CRL support in WSS4J 1.6.1

Support for Certificate Revocation Lists (CRLs) has been a long-sought feature in WSS4J, and will arrive in the imminent release of WSS4J 1.6.1. With it enabled, WSS4J checks that the certificate used to validate a signature has not been revoked by the issuing Certificate Authority.

Support for CRLs is covered by the task WSS-278. The default behaviour is that certificate revocation checking is not enabled, for backwards-compatibility reasons. Two things must be configured to enable it. The first is that the WSHandlerConstants property "enableRevocation" must be set to "true", if WSS4J is being used in the context of WSHandler. If the handler architecture is not being used, then a new method has been added to the Crypto interface for signature trust validation which explicitly enables certificate revocation:
  • public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) throws WSSecurityException;
The previous verifyTrust(certs) method has been deprecated. Please bear in mind that any custom Crypto implementation must be updated with the new method, or else you will face a compilation error on upgrading to WSS4J 1.6.1.

The second is that the Crypto instance that is used must be supplied with CRL information. This can be done in a number of different ways. The default Crypto instance that ships with WSS4J (Merlin), has a new configuration property:
  • org.apache.ws.security.crypto.merlin.x509crl.file: The location of an (X509) CRL file to be loaded via CertificateFactory.generateCRL(...).
Merlin also has two new accessor methods to set/get a CertStore object to be used for CRL checking (i.e. setCRLCertStore(CertStore crlCertStore) and getCRLCertStore()), if you wish to supply CRL information programmatically to the Crypto instance.
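The following is an added example, not code from the post or from WSS4J itself, showing both ways of wiring CRLs into Merlin described above and then calling the new verifyTrust(certs, enableRevocation) method. The Merlin, CryptoFactory and Crypto classes and the property keys are those of WSS4J 1.6.1; the truststore and CRL file names, password, and the helper method names are placeholders assumed for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.components.crypto.Merlin;

/**
 * Added example: enabling CRL-based revocation checking with WSS4J 1.6.1's Merlin.
 * File names and the password below are placeholders, not files that ship with WSS4J.
 */
public class CrlCheckExample {

    /** Base Merlin configuration: a JKS truststore holding the CA certificate(s). */
    static Properties baseMerlinProperties() {
        Properties props = new Properties();
        props.put("org.apache.ws.security.crypto.provider",
                  "org.apache.ws.security.components.crypto.Merlin");
        props.put("org.apache.ws.security.crypto.merlin.truststore.type", "jks");
        props.put("org.apache.ws.security.crypto.merlin.truststore.password", "changeit"); // placeholder
        props.put("org.apache.ws.security.crypto.merlin.truststore.file", "ca-truststore.jks"); // placeholder
        return props;
    }

    /**
     * Option 1 (declarative): point Merlin at a CRL file. Merlin loads it with
     * CertificateFactory.generateCRL(...), as described in the post.
     */
    static Crypto merlinWithCrlFile(String crlPath) throws Exception {
        Properties props = baseMerlinProperties();
        props.put("org.apache.ws.security.crypto.merlin.x509crl.file", crlPath);
        return CryptoFactory.getInstance(props);
    }

    /**
     * Option 2 (programmatic): load the CRL yourself, wrap it in a Collection
     * CertStore and hand it to Merlin via setCRLCertStore(). This is the hook to
     * use when CRLs come from somewhere other than a static file (a cache, an
     * LDAP fetch, etc.).
     */
    static Crypto merlinWithCrlCertStore(String crlPath) throws Exception {
        Merlin merlin = new Merlin(baseMerlinProperties());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        InputStream in = new FileInputStream(crlPath);
        try {
            crl = (X509CRL) cf.generateCRL(in);
        } finally {
            in.close();
        }
        CertStore crlStore = CertStore.getInstance(
            "Collection", new CollectionCertStoreParameters(Collections.singletonList(crl)));
        merlin.setCRLCertStore(crlStore);
        return merlin;
    }

    /**
     * Trust check with revocation enabled. Merlin reports a revoked or otherwise
     * invalid path by throwing WSSecurityException rather than only returning
     * false, so callers must treat both outcomes as "do not trust".
     */
    static boolean isTrustedAndNotRevoked(Crypto crypto, X509Certificate[] chain) {
        try {
            return crypto.verifyTrust(chain, true);   // true == enableRevocation
        } catch (WSSecurityException e) {
            // e.g. CertPathValidatorException wrapped by Merlin: revoked, expired, untrusted issuer
            return false;
        }
    }
}
```

Note that a CRL loaded this way is a static snapshot: if the CRL's nextUpdate passes, the JDK's PKIX validator will fail path validation, so a deployment using the x509crl.file property needs a process for refreshing that file, and one using setCRLCertStore needs to replace the CertStore when a fresh CRL is obtained.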

Update: You can see a test for this feature here.

2 comments:

  1. Hi Colm,

    I was a bit thrown off by the implementation for CRL checking. My expectation was that once "enableRevocation" was set to true, that the crypto provider verifying the certificate would download the CRL from the CA based on the locations specified in the certificate CRL Distribution Points (CDP) extension.

    Is there an alternative to Merlin that provides this kind of functionality? If not, do you have any suggestions on how to best implement this functionality?

  2. Hi,

    You can get the CRL Distribution Points from the certificate via something like:

    http://bouncy-castle.1462172.n4.nabble.com/Retrieving-CRL-distribution-point-from-X509-certificate-td1465367.html

    You could then override Merlin's verifyTrust method with this logic, retrieve the CRLs and add them to the certificate path validation:

    http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?view=markup

    Colm.
