Rampart module fails validating signing certificate when security provider is
Bouncy Castle
-------------------------------------------------------------------------------------------
Key: RAMPART-266
URL: https://issues.apache.org/jira/browse/RAMPART-266
Project: Rampart
Issue Type: Bug
Components: rampart-core
Affects Versions: 1.4
Reporter: Ricardo Tercero Lozano
Assignee: Ruchith Udayanga Fernando
I found an error in class 'PolicyBasedResultsValidator', method 'verifyTrust'.
This method gets the subject and issuer from the certificate to validate it.
String subjectString = cert.getSubjectDN().getName();
String issuerString = cert.getIssuerDN().getName();
BigInteger issuerSerial = cert.getSerialNumber();
When using Bouncy Castle as the security provider, 'getSubjectDN' and 'getIssuerDN'
return a DN String representation that can be different from the one on the
certificate (which is indeed my case).
On the Bouncy Castle devel list, they recommend using 'getSubjectX500Principal' and
'getIssuerX500Principal' instead of the 'DN' methods. These methods return the
values on the certificate, so matching could be right.
String subjectString = cert.getSubjectX500Principal().getName();
String issuerString = cert.getIssuerX500Principal().getName();
BigInteger issuerSerial = cert.getSerialNumber();
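As an added illustration of the approach recommended above (this is example code, not Rampart's or WSS4J's own implementation), the lookup below walks a trust store and matches the signing certificate's issuer against each entry's subject by comparing X500Principal objects, whose equality is defined on the canonical encoded name rather than on a provider-formatted string, and then verifies the signature with the matched key. It assumes a JKS trust store (like the server.jks in the configuration below), a DER-encoded signing certificate, and that paths and password are passed on the command line; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not Rampart's own code: find the trust-store entry that
 * issued a signing certificate by comparing X500Principal objects, and then
 * check that the trusted certificate's key actually signed it.
 */
public class IssuerLookup {

    /**
     * Returns the alias of the trust-store entry whose subject equals the
     * signing certificate's issuer and whose public key verifies the signing
     * certificate's signature, or null if no such entry exists.
     */
    public static String findIssuerAlias(KeyStore trustStore, X509Certificate signingCert)
            throws Exception {
        // Taken from the certificate's encoded name, so independent of how
        // the installed provider formats getIssuerDN().getName().
        X500Principal issuer = signingCert.getIssuerX500Principal();
        BigInteger serial = signingCert.getSerialNumber();

        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate entry = trustStore.getCertificate(alias);
            if (!(entry instanceof X509Certificate)) {
                continue;
            }
            X509Certificate candidate = (X509Certificate) entry;
            // X500Principal.equals compares canonical forms, so differences in
            // attribute order, spacing or keyword style do not break matching.
            if (!candidate.getSubjectX500Principal().equals(issuer)) {
                continue;
            }
            try {
                // A name match alone is not trust: confirm the chain link cryptographically.
                signingCert.verify(candidate.getPublicKey());
                System.out.println("Issuer of serial " + serial + " found under alias " + alias);
                return alias;
            } catch (GeneralSecurityException e) {
                // Same name, wrong key (e.g. a stale CA certificate): keep searching.
            }
        }
        return null;
    }

    /** Usage: java IssuerLookup <trust-store.jks> <password> <signing-cert.der> */
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate signingCert;
        try (InputStream in = new FileInputStream(args[2])) {
            signingCert = (X509Certificate) CertificateFactory
                    .getInstance("X.509").generateCertificate(in);
        }
        // Both lines name the same subject, but their text may differ by provider.
        System.out.println("getSubjectDN():            " + signingCert.getSubjectDN().getName());
        System.out.println("getSubjectX500Principal(): " + signingCert.getSubjectX500Principal().getName());
        String alias = findIssuerAlias(trustStore, signingCert);
        System.out.println(alias == null ? "issuer not trusted" : "trusted via alias " + alias);
    }
}
```

Running the main method against a store and certificate prints both DN renderings side by side, which makes the provider-dependent difference visible, and then reports whether an issuer entry was found; the verify call is what turns a name match into an actual trust decision.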
A Rampart configuration to use Bouncy Castle as provider could be:

<ramp:signatureCrypto>
  <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
    <ramp:property name="org.apache.ws.security.crypto.merlin.file">server.jks</ramp:property>
    <ramp:property name="org.apache.ws.security.crypto.merlin.cert.provider">BC</ramp:property>
    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
  </ramp:crypto>
</ramp:signatureCrypto>
This issue is probably related to RAMPART-226, as it is using the IBM security
provider.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.