Hi,
I am testing OCSP together with a CXF WS consumer. I am addressing my own trust store in the http conduit. I created my own CA and a certificate (localhost) holding the location url of the validation service (on my computer). The scenario is CXF->https://localhost->CXF. OCSP is supported by the JDK since Java 5. So I expected no problems. But when sending messages the validation url is not called to check the certificate and no error occurs. I did a lot of experiments and found out that it works when I set the trust store using the system property javax.net.ssl.trustStore instead of the conduit. I tried to debug the problem and found that com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl provides two classes: PKIXFactory and SimpleFactory. When PKIXFactory was instantiated then it worked (verifier was called), using SimpleFactory it did not work. I could even change the algorithm in the debugger from 'simple' to 'PKIX' and then it worked. But I was unable figure out when and why 'PKIX' or 'simple' is set. I came to the class javax.net.ssl.TrustManagerFactory->getDefaultAlgorithm() that seems to return the value somehow. But finally I got stuck. The problem seems to be caused by the method how CXF provides the trust store for ssl communication.
I can provide two simple tests that demonstrate the problem and should run on any local environment. One using the system property that fails due to the missing validation service (verified by the ssl debug trace) and one using the conduit that is always successful because no validation is called. Both use the same certificate/trust store.
Best Regards,
Jörg
I am testing OCSP together with a CXF WS consumer. I am addressing my own trust store in the http conduit. I created my own CA and a certificate (localhost) holding the location url of the validation service (on my computer). The scenario is CXF->https://localhost->CXF. OCSP is supported by the JDK since Java 5. So I expected no problems. But when sending messages the validation url is not called to check the certificate and no error occurs. I did a lot of experiments and found out that it works when I set the trust store using the system property javax.net.ssl.trustStore instead of the conduit. I tried to debug the problem and found that com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl provides two classes: PKIXFactory and SimpleFactory. When PKIXFactory was instantiated then it worked (verifier was called), using SimpleFactory it did not work. I could even change the algorithm in the debugger from 'simple' to 'PKIX' and then it worked. But I was unable figure out when and why 'PKIX' or 'simple' is set. I came to the class javax.net.ssl.TrustManagerFactory->getDefaultAlgorithm() that seems to return the value somehow. But finally I got stuck. The problem seems to be caused by the method how CXF provides the trust store for ssl communication.
I can provide two simple tests that demonstrate the problem and should run on any local environment. One using the system property that fails due to the missing validation service (verified by the ssl debug trace) and one using the conduit that is always successful because no validation is called. Both use the same certificate/trust store.
Best Regards,
Jörg