[
https://issues.apache.org/jira/browse/RAMPART-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12764985#action_12764985
]
Detelin Yordanov commented on RAMPART-266:
------------------------------------------
I found a similar issue in wss4j 1.5.4, which has been fixed in 1.5.5:
https://issues.apache.org/jira/browse/WSS-86 .
Could you try with wss4j 1.5.5 to see if the problem persists?
> Rampart module fails validating signing certificate when security provider is
> Bouncy Castle
> -------------------------------------------------------------------------------------------
>
> Key: RAMPART-266
> URL: https://issues.apache.org/jira/browse/RAMPART-266
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.4
> Reporter: Ricardo Tercero Lozano
> Assignee: Ruchith Udayanga Fernando
>
> I found an error in class 'PolicyBasedResultsValidator', method
> 'verifyTrust'. This method gets the subject and issuer from the certificate to
> validate it.
> String subjectString = cert.getSubjectDN().getName();
> String issuerString = cert.getIssuerDN().getName();
> BigInteger issuerSerial = cert.getSerialNumber();
> When using Bouncy Castle as security provider, 'getSubjectDN' and
> 'getIssuerDN' return a DN String representation that can be different from
> the one on the certificate (which is my case indeed).
> On the Bouncy Castle devel list, they recommend using 'getSubjectX500Principal'
> and 'getIssuerX500Principal' instead of the 'DN' methods. These methods return
> the values on the certificate, so matching could be right.
> String subjectString = cert.getSubjectX500Principal().getName();
> String issuerString = cert.getIssuerX500Principal().getName();
> BigInteger issuerSerial = cert.getSerialNumber();
> A rampart configuration to use Bouncy Castle as provider could be:
> <ramp:signatureCrypto>
>   <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>     <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>     <ramp:property name="org.apache.ws.security.crypto.merlin.file">server.jks</ramp:property>
>     <ramp:property name="org.apache.ws.security.crypto.merlin.cert.provider">BC</ramp:property>
>     <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>   </ramp:crypto>
> </ramp:signatureCrypto>
> This issue is probably related to RAMPART-226, as it is using the IBM security
> provider.
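The provider dependence described above can be reproduced without a keystore. The following is an added example, not code from the issue, Rampart or WSS4J: it signs one certificate with Bouncy Castle, parses the same DER with the "BC" and "SUN" providers, and shows that getSubjectDN().getName() differs between them while getSubjectX500Principal() compares equal, which is why issuer/serial matching should compare X500Principal objects rather than DN strings. It assumes bcprov and bcpkix are on the classpath.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class DnMatchingDemo {
    // Self-signed certificate built in memory (constructed sample, no keystore needed).
    static X509CertificateHolder selfSigned(String dn, KeyPair kp) throws Exception {
        X500Name name = new X500Name(dn);
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
            name, BigInteger.valueOf(42), now, new Date(now.getTime() + 86_400_000L), name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return b.build(signer);
    }

    // Same DER, parsed by the named JCA provider ("BC" or "SUN").
    static X509Certificate parseWith(X509CertificateHolder h, String provider) throws Exception {
        return new JcaX509CertificateConverter().setProvider(provider).getCertificate(h);
    }

    // Provider-independent issuer/serial match: X500Principal equality is based on the
    // encoded name, so it does not depend on how a provider renders the DN as a string.
    static boolean issuerSerialMatches(X509Certificate cert, X509Certificate issuer, BigInteger serial) {
        return cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())
            && cert.getSerialNumber().equals(serial);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        X509CertificateHolder holder = selfSigned("C=ES, O=Example, CN=server", kpg.generateKeyPair());
        X509Certificate bc = parseWith(holder, "BC");
        X509Certificate sun = parseWith(holder, "SUN");
        // Fragile: string forms differ by provider (RDN order, separators, spacing).
        System.out.println("BC  getSubjectDN : " + bc.getSubjectDN().getName());
        System.out.println("SUN getSubjectDN : " + sun.getSubjectDN().getName());
        // Robust: X500Principal is derived from the encoded name and compares equal.
        System.out.println("X500Principal equal: " + bc.getSubjectX500Principal().equals(sun.getSubjectX500Principal()));
        System.out.println("issuer/serial match: " + issuerSerialMatches(bc, sun, BigInteger.valueOf(42)));
    }
}
```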