Mike, you are right. The reason why we use the older version getSubjectDN() was that the other method is not supported in Java 1.3 and it was (still is??) a requirement to have it available with JDK 1.3.

I'll have a look - as far as I can remember there was a specific method that took care of these differences.

Regards,
Werner

> -----Original Message-----
> From: Mike [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 July 2005 17:13
> To: [email protected]
> Subject: possible bug in Merlin
>
>
> Hi,
> I'm having some problems trying to validate signatures by using the issuer certificate. The issue appears to be with how certificates are resolved based on their DN. The following errors show up after turning debugging on:
>
> [26/Jul/2005:10:41:30] No alias found for subject from issuer with [EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US (serial 1048578)
> [26/Jul/2005:10:41:30] No aliases found in keystore for issuer [EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US of certificate for [EMAIL PROTECTED], CN=Pawn Client, OU=PAWN Client, O=UMIACS, ST=Maryland, C=US
>
>
> When a cert comes in over the wire, WSDoAllReceiver.verifyTrust calls cert.getIssuerDN().getName() which returns a DN in the form of:
>
> [EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US
>
> however, when it tries to retrieve the corresponding certificate in Merlin.getAliasesForDN by looping, it calls getSubjectDN().getName() while building a vector to compare. This however will return
>
> C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,CN=Adapt Project CA,[EMAIL PROTECTED]
>
> Calling getSubjectX500Principal().toString produces a compatible DN, and allows verification to work.
>
> [EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US
>
> It looks like the problem is with how different providers handle the EMAILADDRESS string. In the javadoc for X509Certificate it's recommended to use getSubjectX500Principal and getIssuerX500Principal rather than the provider specific getSubjectDN and getIssuerDN.
>
> Index: src/org/apache/ws/security/components/crypto/Merlin.java
> ===================================================================
> RCS file: /home/cvspublic/ws-wss4j/src/org/apache/ws/security/components/crypto/Merlin.java,v
> retrieving revision 1.24
> diff -r1.24 Merlin.java
> 665c665,666
> < Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());
> ---
> > //Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());
> > Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectX500Principal().toString());
>
>
>
> -Mike
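Review bot: the change at line 665 fixes only one side of the comparison. The string now built from getSubjectX500Principal().toString() is still matched against the issuer string that WSDoAllReceiver.verifyTrust derives from cert.getIssuerDN().getName(), so the lookup keeps working only while the two renderings happen to agree; X500Principal.toString() is documented as a user-friendly representation rather than a stable format, so either use getName(X500Principal.RFC2253) on both sides or, better, drop the string comparison and compare cert.getIssuerX500Principal() with the keystore certificate's getSubjectX500Principal() via equals(), which matches on the canonical DER form and is unaffected by RDN order or the EMAILADDRESS spelling. The commented-out old line should be deleted rather than left behind. As Werner notes, getSubjectX500Principal() is not available on JDK 1.3, so if that target is still required the call needs the existing compatibility path or a reflection guard.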
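The lookup Mike describes compares DN strings produced by different providers. The following added example (not from the thread or from WSS4J) shows why such strings cannot be normalised into agreement and why the match has to be made on the X500Principal objects taken from the certificates; the e-mail address is a constructed placeholder because it is redacted in the archive.

```java
import javax.security.auth.x500.X500Principal;

public class DnCompare {
    // Constructed CA subject modelled on the DN in the thread; the address is a
    // placeholder since the archive redacts it.
    static final String CA_DN =
        "EMAILADDRESS=ca@example.invalid, CN=Adapt Project CA, OU=ADAPT CA, "
        + "O=UMIACS, L=College Park, ST=Maryland, C=US";

    // The same DN as the second provider in the thread printed it: RDNs in
    // ASN.1 order instead of RFC 2253 display order.
    static final String CA_DN_REVERSED =
        "C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,"
        + "CN=Adapt Project CA,EMAILADDRESS=ca@example.invalid";

    /** Structural comparison on the canonical DER-derived form, never on strings. */
    static boolean sameName(X500Principal a, X500Principal b) {
        return a.equals(b);
    }

    public static void main(String[] args) {
        X500Principal ca = new X500Principal(CA_DN);

        // One name, four renderings. Only toString() uses the EMAILADDRESS
        // keyword (Sun/Oracle provider); RFC 1779 falls back to
        // OID.1.2.840.113549.1.9.1, RFC 2253 and CANONICAL to the bare OID with
        // a #hex-encoded value. String equality across renderings or providers
        // is therefore meaningless.
        System.out.println("toString : " + ca);
        System.out.println("RFC1779  : " + ca.getName(X500Principal.RFC1779));
        System.out.println("RFC2253  : " + ca.getName(X500Principal.RFC2253));
        System.out.println("CANONICAL: " + ca.getName(X500Principal.CANONICAL));

        // Re-parsing a JDK rendering yields the same principal, because the
        // RDN order is preserved.
        X500Principal reparsed = new X500Principal(ca.getName(X500Principal.RFC2253));
        System.out.println("reparsed RFC2253 equal: " + sameName(ca, reparsed));

        // A string emitted in reversed RDN order parses as a different name, so
        // normalising provider output cannot repair the mismatch in the thread.
        // The issuer/subject match must use the principals from the certificates:
        //   cert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())
        // and the result is only a lookup hint; cert.verify(caCert.getPublicKey())
        // is what actually establishes the chain.
        X500Principal reversed = new X500Principal(CA_DN_REVERSED);
        System.out.println("reversed-order equal: " + sameName(ca, reversed));
    }
}
```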
