Certificate validation against multiple certificate chain

Hello everyone,
I would like to have your opinion on a specific use case of the java.security.cert API.
I have a set of trusted certificate chains provided in a trusted way by a CA. An example of a chain would be: R->I1->I2, R being a root certificate and I1/I2 being intermediate CAs.
I receive messages from some untrusted sources. These messages are signed using some end-user certificate, let's call it U. The certificate U is only transmitted along with the message (i.e. it's not available from a trusted source).
Verifying the validity of the signed message is therefore a two step process:
- Check that the signature made by U is valid.
- Check that a valid certificate path can be built from U (querying a CRL if needed) back to a trusted anchor, such as R->I1->I2->U.
Now, my question is, how to efficiently achieve the latter with the java.security.cert API?
The most straightforward way I've found so far to validate a certificate against a set of certificate chains is to use the CertPathBuilder interface:
1) I build a CertStore (of type "Collection") with all my trusted certificate chains in it.
2) I add the received U certificate to the store.
3) I try to build a certificate path, specifying "U" as the target certificate in the search constraints (X509CertSelector).
If the algorithm finds a valid path, it returns it, and U could possibly be kept in the store for future use.
If no valid path can be deduced, U is removed from the store, and a corresponding error is returned.
Does this sound like a good way of doing it?
All suggestions are most welcome,
Thanks,
M. H.

Ok, I think I've found my solution.
Actually, if you specify a target certificate using the X509CertSelector.setCertificate method, the said certificate doesn't have to be in a CertStore in order to perform the validation:
import java.security.cert.*;
import java.util.Collection;
import java.util.Set;

// 'certCol' (Collection<X509Certificate>) contains only the trusted certificate chains,
// 'anchors' is the Set<TrustAnchor> built from the root certificate(s),
// and 'userCertificate' is the received end-user certificate U.
CertStore store = CertStore.getInstance("Collection",
          new CollectionCertStoreParameters(certCol));
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector targetConstraints = new X509CertSelector();
targetConstraints.setCertificate(userCertificate); // U is the target; it does not need to be in 'store'.
PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
params.addCertStore(store);
/* params.setRevocationEnabled(false); */ // Only if CRL/OCSP revocation checking is not wanted.
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params);
CertPath path = result.getCertPath();
This is it: on validation, the "path" variable will contain the complete certificate chain including the tested certificate.
I still have a problem with OCSP validation though, but I'll create a new topic for that...
Thank you for your time, ejp,
++
Edited by: marc_h on May 14, 2010 5:54 AM
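The two-step check described in this thread, as an added example that is not the poster's code. It assumes the CA's trusted chains are available as PEM or DER files on disk, that only the self-signed root R becomes a TrustAnchor (I1/I2 go into the CertStore), and that the signature algorithm name is known from the message format; U is handed to the builder purely as the target and is never added to the trusted store.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.*;
import java.util.*;

/**
 * Added example, not the original poster's code: verify a message signed with an
 * untrusted end-user certificate U against trusted chains R -> I1 -> I2.
 */
public final class SignedMessageVerifier {

    private final Set<TrustAnchor> anchors = new HashSet<>();
    private final List<X509Certificate> intermediates = new ArrayList<>();
    private final CertificateFactory cf;

    public SignedMessageVerifier() throws CertificateException {
        cf = CertificateFactory.getInstance("X.509");
    }

    /** Loads a chain file (PEM or DER) obtained out of band from the CA, e.g. R -> I1 -> I2. */
    public void addTrustedChain(String path) throws IOException, CertificateException {
        try (FileInputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                    anchors.add(new TrustAnchor(x, null));   // the root R is the only anchor
                } else {
                    intermediates.add(x);                    // I1, I2: found by the builder, not trusted by themselves
                }
            }
        }
    }

    /** Step 1: the signature over the message bytes must verify under U's public key. */
    public boolean signatureIsValid(byte[] message, byte[] signature, X509Certificate u, String sigAlg)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(sigAlg);     // e.g. "SHA256withRSA", fixed by the message format
        s.initVerify(u.getPublicKey());
        s.update(message);
        return s.verify(signature);
    }

    /**
     * Step 2: build R -> I1 -> I2 -> U. Throws CertPathBuilderException when no valid path exists,
     * which includes a revoked certificate or, without the SOFT_FAIL option, an unreachable CRL/OCSP server.
     */
    public CertPath buildPath(X509Certificate u, boolean checkRevocation) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(u);                          // U is only the target; it is never put in the store
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        if (checkRevocation) {
            // Java 8+: explicit revocation options instead of the all-or-nothing setRevocationEnabled().
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            params.addCertPathChecker(rc);
        } else {
            params.setRevocationEnabled(false);
        }
        return cpb.build(params).getCertPath();
    }

    /** Whole check. A positive result should not be cached: revocation state can change between messages. */
    public boolean verify(byte[] message, byte[] signature, X509Certificate u, String sigAlg)
            throws GeneralSecurityException {
        if (!signatureIsValid(message, signature, u, sigAlg)) {
            return false;
        }
        try {
            buildPath(u, true);
            return true;
        } catch (CertPathBuilderException e) {
            return false;
        }
    }
}
```

CRLs can also be supplied offline by adding a CertStore that holds them to the parameters, which avoids the network fetch during path building.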

Similar Messages

  • NAC 4.7.2 (OOB VGW) MAC certificate validation slow

    We have been seeing some odd behavior with certificate validation with Mac OS X devices running the installed agent.
    When a user enters their userid and password they sometimes get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.
    I did a packet capture of a machine that was experiencing the problem.
    The packet capture showed the Mac making a DNS query for the Verisign server's IP address and the DNS server returning the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)
    If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated and the user is placed into the trusted VLAN.
    Has anybody else experienced this? Any ideas?

    Faisal,
    I reviewed my work including where I performed my captures. The capture I did initially was between the CAS and the outside world - our routing core.
    I decided to span a port a Mac was connected to and performed another capture.
    Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address of the forward DNS lookup sent originally from the Mac.
    I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.
    The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".
    When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.
    I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
    Why only 95%?
    One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
    No problems now.
    Later!
    Bob

  • Any way to bypass server certificate validation in AIR client?

    Is there any way to bypass certificate validation and server identification for secure Channels or ChannelSets? I am aware of the existing workaround to import my own certificate into the user's CA chain, but I feel that having greater control on the client-side is preferred.
    If there is not a way to bypass client-side certificate validation I will be filing this as a feature request at http://bugs.adobe.com
    Thanks,
    Karl
    When producing a client-server solution it is occasionally useful to override the default behavior of HTTPS certificate validation and server identification. I would like to request the ability to override these systems in the AIR environment for applications installed with the "UNRESTRICTED" system access option.
    Simply allowing the use of self-signed certificates without verification (perhaps signified by a secure protocol identifier other than "https") would provide adequate functionality, but some users may desire finer control.
    This issue is partly addressed by bugs FP-711 and FP-214 but I feel it is important that any enhancement include the BlazeDS Channel in the case that the AIR application has unrestricted system access.
    When deploying an AIR client application which is securely connected to a network appliance which is controlled by the same developer it is desirable to bypass the overhead of acquiring a PKI issued certificate for every customer. Independent, open-source, and not-for-profit developers could see increased ability to adopt the AIR platform with this improvement.
    When deploying a network appliance to be used with an AIR application the requirement for a PKI issued certificate complicates the deployment of the network appliance by requiring DNS access, and thereby requiring Internet connectivity. Some customer sites require network isolation.
    It is possible to generate a developer-specific certificate and import that certificate into the AIR client host's Trusted Root Certification Authorities list. This workaround deteriorates PKI best practices and complicates the installation of AIR software. It is not possible to depend solely on the ".air" packaging for installation with the added requirement to install a new CA on the user's host.
    Java provides the requested functionality by allowing developers to provide their own implementations of javax.net.ssl.TrustManager for verification and javax.net.ssl.HostnameVerifier for identification. We have used this technique to communicate over the SDEE protocol with Cisco IDS devices which do not usually have PKI issued certificates.

    Hi Robert,
    No specific option to control TOP/First features use.
    However, other options exist to control IQ resources.
    E.g. Query_Temp_Space_Limit, Query_Time, Max_IQ_Threads_Per_Connection, Max_Cartesian_Result.
    Regards,
    Tayeb.

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under the URL fonzie.bigshop.com.au.
    We have a Verisign certificate set up for 128-bit SSL under the known name fonzie.bigshop.com.au.
    All SSL connections that connect to the site with this URL are able to establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the website. The public URL for the website will be www.bigshop.com.au.
    We have generated a new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from Verisign.
    Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au URLs to operate concurrently and enable both to establish SSL sessions with valid certificates.
    Is what they want to do possible? Any suggestions appreciated,
    regards,
    Patrick.

    Did you ever figure out how to use multiple certificates on the same server? I have a need to do this also. Thanks a lot.
    In current versions of WebLogic (5.1, 6.x, 7.0, 8.1), you can configure only one certificate per server.
    -utpal

  • Multiple certificate stored in Browser

    I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
    eg. with these User DN:
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    Requesting certificates several times from the same PC using several user accounts has resulted in multiple certificates stored in the browser.
    When visiting my secure website using Internet Explorer 6, a window is raised that lists these:
    "users"
    "users"
    "users"
    By using Netscape Navigator 7.1, a window appears with a bit more information displayed:
    "users's myOrganisation"
    "users's myOrganisation"
    "users's myOrganisation"
    and some explanation eg
    Issued to:
    Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
    Serial Number: 1C
    Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
    Issued by:
    Subject: CN=MyCcertificate Authority,...
    How do I display the USER NAME (according to CN) in the list instead of "users"?
    Or is this the expected behaviour?
    TIA,
    ferry

    Ok. I've found the solution.
    For reference to all you guys:
    // attr.get() returns the DER-encoded certificate as a byte[] (e.g. an LDAP userCertificate attribute).
    ByteArrayInputStream bais = new ByteArrayInputStream( (byte[])attr.get() );
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate)cf.generateCertificate(bais);

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS; user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name.
    The problem is how to tell ISE to check both in the Authentication Policy. The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it would match the machine cert but fail on the user cert.
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called EAP chaining for that; Windows' own supplicant won't work.
    An example (uses user/pass though, but same concept):
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • SSL certificate validation date

    Greetings,
    Why is it that on an SSL module, certificate validity dates are different when checking
    "show crypto ca trustpoints" and
    "show ssl-proxy certificate-history"?
    Doesn't the "certificate-history" show the current certificate as well as the previously imported ones?
    Do we refer only to "show crypto ca trustpoints" to track the certificate validity end date?
    SSL001#show crypto ca trustpoints testing123
    Certificate
    Subject:
    Name: testing123
    CN = testing123
    OU = Terms of use at http://www.verisign.com
    O = WWW
    L = WW
    ST = WW
    C = WW
    CRL Distribution Point:
    http://SVRIntl-crl.verisign.com/SVRIntl.crl
    Validity Date:
    start date: 00:00:00 UTC Apr 11 2006
    end date: 23:59:59 UTC Apr 10 2008
    renew date: 00:00:00 UTC Jan 1 1970
    Associated Trustpoints: testing123
    SSL001#show ssl-proxy certificate-history service proxyssl
    Record 132, Timestamp: 3w6d, 21:34:55 UTC May 23 2006
    Installed Service Certificate, Index 131
    Proxy Service: proxyssl, Trust Point: testing123
    Validity Start Time: 15:31:50 UTC Nov 15 2005
    End Time: 15:31:50 UTC Nov 15 2006
    Renew Time: 00:00:00 UTC Jan 1 1970
    Thanks

    To authenticate the SSL client, the SSL module verifies the following:
    * The certificate at one level is properly signed by the issuer at the next level.
    * At least one of the issuer certificates in the certificate chain is trusted by the SSL proxy service.
    * None of the certificates in the certificate chain is in the certificate revocation list (CRL) and rejected by any access control list (ACL).
    For verifying the SSL client certificates, the SSL module is configured with a list of trusted certificate authorities (certificate authority pool). The SSL module trusts only the certificates issued by the certificate authorities that you configure in the certificate authority pool.

  • Multiple certificates on Issuing CA server

    Hi,
    Due to errors, multiple certificates were issued from the Root CA server for the SubCA. Although the old certificate was revoked from the Root, I see 2 certificates on the Issuing CA. Also, because of the 2 certificates, 2 CRLs are getting published every time, one for each. Although
    when I look at the web server certificate issued for IIS, it was signed by the new certificate of the Issuing CA. Also, in PKIView, I see the CDP path for this CA with the new CRL.
    But my question is, how shall I remove the old one from the Issuing CA, as I am not getting that option? Also, in AD I see 2 certificates published for that CA. Will that cause any issue?
    Thanks
    Neha Garg

    This is actually a normal state in PKI. When you renew a sub CA with a new key pair, it will result in multiple CRL files.
    - there is no need to remove the previous subca cert
    - there is no need to revoke the previous subca cert (unless there are config or security issues)
    - make sure the AIA paths use %4 in the paths to keep separate versions
    - make sure that the CDP paths use %9 in the paths to keep separate versions
    - make sure you publish *all* versions of .crts and .crls to *all* publication points
    You need to leave all versions of the CA certs in play so that both current and previously issued certs can be validated.
    Brian

  • A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

    We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
    Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

    cookies.squite answer is Today at 5:15 PM .
    New profile, same problem.
    We've already established it is not an add-ons problem, but obviously there will be fewer add-ons in this new profile to help exclude.
    Since there are two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile... same thing... even followed the instructions for uninstall and re-install... same problem.
    (3) different virus scanners, no hard core problems.
    Suspect I have something in the Windows setup that no one else is using?

  • Certificate validation when server is the same machine as client

    Hi guys, I realize this is the most talked about question regarding JSSE: the validation of local certificates.
    I found a 2001 O'Reilly page where they explain what JSSE is and give a complete tutorial of it.
    It comes with a sample secure HTTP server and browser, and when I try to connect to the server with that browser it bombs out with "couldn't find trusted certificate".
    Having read some posts here and googled around, I found out that this sometimes happens because the name on the signed certificate does not match the URL accessed on the server.
    So, if the server and client are on the same machine (127.0.0.1) and my machine name is FJL, can someone explain to me how I should run keytool?
    This is what I have been using:
    keytool -genkey -keystore certs -keyalg rsa -alias espectro -storepass serverkspw -keypass serverpw
    keytool then prompted me for information to put into the certificate. My answers are shown in bold.
    What is your first and last name?
      [Unknown]: francisco leon
    What is the name of your organizational unit?
      [Unknown]: licom
    What is the name of your organization?
      [Unknown]: la universidad del zulia
    What is the name of your City or Locality?
      [Unknown]: maracaibo
    What is the name of your State or Province?
      [Unknown]: zulia
    What is the two-letter country code for this unit?
      [Unknown]: VE
    Is <CN=francisco leon, OU=licom O=la universidad del zulia L=maracaibo ST=zulia, C=ve> correct?
      [no]: y
    The web server is found here: http://www.onjava.com/pub/a/onjava/2001/05/03/java_security.html?page=1 to page=5 or so.
    page=4 explains something:
    You may wonder what happens when you run SecureBrowser against SecureServer. It doesn't work. That's because SecureBrowser won't accept SecureServer's phony certificate. However, we can trick SecureBrowser into accepting SecureServer's certificate. Here's how:
    So I use keytool again to do what is suggested:
    keytool -export -keystore certs -alias espectro -file server.cer
    then:
    keytool -import -keystore jssecacerts -alias espectro -file server.cer
    The jssecacerts file is located in the dir where I ran keytool, so I copy it to c:\j2sdk1.4.1_02\jre\lib\security
    and finally I try to connect to the secure HTTP server found at that URL with the secure browser found there too, and I get "couldn't find trusted certificate".
    Could someone please explain to me how to fix it? The article is kind of old and lists some properties which I haven't been able to find, along with some .jar (the article is dated before Java 1.4 was available), and maybe I am doing something wrong.
    Thanks in advance!

    Ok, indeed: when keytool asks me about my name, I tried it with my machine name and now it works.

  • Getting error while exporting certificate to OIF Certificate Validation

    Hi All,
    Currently I am working with Oracle Identity Federation 10.1.4.0.1. I am facing a problem while exporting a certificate to Certificate Validation; the error I am getting after importing the certificate at the console is:
    ERROR - oracle.security.crypto.asn1.ASN1FormatException: Got tag 0 instead of 16.
    Write failed: Broken pipe
    But it doesn't display any error in the webpage after exporting the certificate.
    Any help in this regard is really appreciated.
    Thanks,
    Iceman
    Edited by: OIF version included

    If the certificate is in text PEM format, please ensure that the actual certificate content is enclosed within:
    -----BEGIN CERTIFICATE-----
    MII................
    -----END CERTIFICATE-----
    That's all. It should also not have the certificate in text. Just the content within those lines.
    Hope this helps.

  • Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?

    Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?
    Scenario: We have a few legacy certificates based on some legacy templates (2012 R2). Some belong to an old SubCA (2008 R2).
    I can manually export them using the certmgr MMC on the local machine to a single .p7b, e.g. cert_backupNEW.p7b. But this is not a practical solution for me and I want to achieve this remotely via certutil or some other util that comes with Windows 7 machines.
    I've already worked out how to run a certutil command to add the certs back into the store, e.g.
    certutil.exe -addstore -f my cert_backupNEW.p7b
    Is there a way to export multiple certs to a single backup cert, or is what I'm trying to do not possible with multiple certs?
    TC

    Something like this:
    # Open LocalMachine\My read-only and export every certificate (with private keys) into one PFX.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "my","localmachine"
    $store.Open("ReadOnly")
    $bytes = $store.Certificates.Export("pfx","password")
    # Export() returns a byte[]; write it as raw bytes (Set-Content without -Encoding Byte would write text).
    [IO.File]::WriteAllBytes("$PWD\exportedcerts.pfx", $bytes)
    $store.Close()
    Note that this command will fail if there are certificates with non-exportable keys. You cannot export certificates with non-exportable keys.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • Cisco anyconnect 3.1 - Certificate Validation Failure.

    When I try to start an SSL VPN connection to the ASA (8.4) with AnyConnect 3.1, AnyConnect shows a message saying "No Valid Certificates Available for Authentication".
    Prior to the test:
         On the ASA, I have obtained the CA certificate and its identity certificate (both certificates obtained from a Windows 2008 CA).
              * The ASA identity certificate has EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
         On the PC on which AnyConnect is installed, I have obtained a User Certificate (this User certificate was also obtained from the same Windows 2008 CA).
              * Prior to obtaining the User certificate from the Windows 2008 CA, the ASA acts as a SCEP proxy on behalf of the client PC.
              * The User Certificate has EKU attribute = Client Authentication.
    As in the ASDM logs, it almost works.
    In days of troubleshooting, I still could not find the cause of this problem. Error message as it appeared on AnyConnect:
    Is there anyone who could help?
    Keshara from Sri Lanka.

    Just ran into this as well. We have CRL checking turned on. Turned out the CRL server was down. But that was the same message I got when the client wouldn't connect.

  • ORA-29024: Certificate validation failure when trying to redirect to https

    Hi, I was trying to redirect the page to another https website using utl_http.request.
    I configured an Oracle wallet and imported the certificate, and successfully got the webpage content in SQL*Plus with
    select utl_http.request('https://<website>', null, '<wallet>', '<wallet password>') from dual,
    but when I try to use the same way in a button process of Apex, the error ORA-29024: Certificate validation failure is prompted.
    Does anyone know what is wrong with it?
    Thanks
    Vincent Pek

    Hi, sorry, I found that after I rebooted my laptop it's working now.

  • Unable to check certificate validity online. check...

    Please help me on this... I'm not able to load anything.
    My phone is an N73-1.
    Personal details removed by a moderator. We kindly ask you not to share your personal contact details publicly on this forum.

    Nokia Symbian/S60 wrote:
    Unable to check certificate validity online.
    As this could tamper with your security, before you change those settings (or at least after you have changed them), please have a look at a detailed explanation …
