Support for CRLs is covered by the task WSS-278. Certificate revocation checking is disabled by default, for backwards-compatibility reasons. Two parameters must be configured to enable it. The first is that the WSHandlerConstants property "enableRevocation" must be set to "true", if WSS4J is being used in the context of WSHandler. If the handler architecture is not being used, then a new method has been added to the Crypto interface for signature trust validation which explicitly enables certificate revocation:
- public boolean verifyTrust(X509Certificate[] certs, boolean enableRevocation) throws WSSecurityException;
The second is that the Crypto instance that is used must be supplied with CRL information. This can be done in a number of different ways. The default Crypto instance that ships with WSS4J (Merlin), has a new configuration property:
- org.apache.ws.security.crypto.merlin.x509crl.file: The location of an (X509) CRL file to be loaded via CertificateFactory.generateCRL(...).
Update: You can see a test for this feature here.
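To show what supplying a CRL file and enabling revocation amounts to underneath, here is an added example (not WSS4J or Merlin code) that loads a CRL with CertificateFactory.generateCRL(...), as the Merlin property describes, and feeds it into JDK PKIX path validation with revocation enabled. The class name, method names and the file paths passed as arguments are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Collections;
import java.util.List;

// Added example: JDK-only CRL-based path validation, not the Merlin implementation.
public class CrlPathValidation {

    // Load a CRL the same way the Merlin x509crl.file property describes.
    static X509CRL loadCrl(CertificateFactory cf, String crlPath) throws Exception {
        try (InputStream in = new FileInputStream(crlPath)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Validate the chain against one trust anchor with revocation checking on
    // (the equivalent of enableRevocation=true) and the CRL supplied via a CertStore.
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
            X509Certificate anchorCert, X509CRL crl) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(anchorCert, null)));
        // Explicitly enabled (the JDK default is also true); if disabled, the CRL is ignored
        // and a revoked certificate still validates.
        params.setRevocationEnabled(true);
        // With revocation enabled and no CRL covering the chain, validation does not
        // silently pass: it fails with an undetermined revocation status.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        return (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder arguments: <signer.cer> <ca.cer> <ca.crl>
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signer = loadCert(cf, args[0]);
        X509Certificate ca = loadCert(cf, args[1]);
        try {
            validate(Collections.singletonList(signer), ca, loadCrl(cf, args[2]));
            System.out.println("chain valid, certificate not revoked");
        } catch (CertPathValidatorException e) {
            // Reason is e.g. REVOKED, or UNDETERMINED_REVOCATION_STATUS if the CRL does not apply
            System.out.println("rejected: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```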
Hi Colm,
I was a bit thrown off by the implementation for CRL checking. My expectation was that once "enableRevocation" was set to true, that the crypto provider verifying the certificate would download the CRL from the CA based on the locations specified in the certificate CRL Distribution Points (CDP) extension.
Is there an alternative to Merlin that provides this kind of functionality? If not, do you have any suggestions on how to best implement this functionality?
Hi,
You can get the CRL Distribution Points from the certificate via something like:
http://bouncy-castle.1462172.n4.nabble.com/Retrieving-CRL-distribution-point-from-X509-certificate-td1465367.html
You could then override Merlin's verifyTrust method with this logic, retrieve the CRLs and add them to the certificate path validation:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?view=markup
Colm.