Does the message contain the truncated Issuer Name? If so the error is on the outbound side (which I assume is also WSS4J). WSS4J 1.5.x uses the XMLX509IssuerSerial class in Santuario 1.4.x to construct the Issuer name, which calls the now denigrated getIssuerDN:

https://svn.apache.org/repos/asf/santuario/xml-security-java/branches/1.4.x-fixes/src/org/apache/xml/security/keys/content/x509/XMLX509IssuerSerial.java

You could check to see if the following code results in the truncated String:

    RFC2253Parser.normalize(x509certificate.getIssuerDN().getName());

A workaround is simply to use another way of referencing the certificate on the client side, such as ThumbprintSHA1. I strongly encourage you to upgrade to the latest WSS4J 1.6.x release, where this bug should be fixed.

Colm.

On Wed, Sep 19, 2012 at 10:24 PM, Bennett III, James William <[email protected]> wrote:

> Hello everyone,
>
> I work with an application which uses WSS4j version 1.5.11 and we get an
> exception fairly regularly which seems to truncate the end of the issuer
> name when it signs a request. We end up seeing these exceptions thrown on
> the server when we make a web service call:
>
> java.lang.IllegalArgumentException: improperly specified input name: CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,
>     at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:150)
>     at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:102)
>     at org.apache.ws.security.components.crypto.CryptoBase.createBCX509Name(CryptoBase.java:283)
>     at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:335)
>     at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:300)
>     at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:562)
>     at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:541)
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:377)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:116)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:219)
>     at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:93)
>     at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:41)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>     at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:102)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
>     at org.kuali.rice.ksb.messaging.servlet.CXFServletControllerAdapter.handleRequest(CXFServletControllerAdapter.java:47)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
>     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>     at org.kuali.rice.ksb.messaging.servlet.KSBDispatcherServlet.service(KSBDispatcherServlet.java:138)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
>     at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:662)
> Caused by: java.io.IOException: empty AVA in RDN ""
>     at sun.security.x509.RDN.<init>(RDN.java:132)
>     at sun.security.x509.X500Name.parseDN(X500Name.java:918)
>     at sun.security.x509.X500Name.<init>(X500Name.java:148)
>     at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:148)
>     ... 45 more
>
> I checked the keystore and the issuer name is “CN=Foo
> Bar,OU=Baz,O=Org,L=City,ST=IN,C=US” so it appears that it is truncating the
> country off of the end but not removing the last comma which causes the
> name to be invalid. Has anyone seen anything like this before? If there’s
> any other information I can provide please let me know.
>
> Thanks,
>
> James

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
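
A JDK-only way to run the check suggested in the reply against every certificate in a keystore, added here as an example and not code from the thread or from WSS4J. The class name IssuerDnCheck, the helper parses() and the keystore path and password arguments are assumptions; the two DN strings are the ones quoted in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

// Hypothetical diagnostic class (not part of WSS4J or Santuario).
public class IssuerDnCheck {

    // True if the DN is accepted by X500Principal(String), the constructor
    // that throws IllegalArgumentException in the server-side stack trace.
    static boolean parses(String dn) {
        try {
            new X500Principal(dn);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // DN strings from the thread: the keystore value and the truncated value in the exception.
        System.out.println("full      parses: " + parses("CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US"));
        System.out.println("truncated parses: " + parses("CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,"));

        // Assumed usage: java IssuerDnCheck <keystore-path> <keystore-password>
        if (args.length < 2) return;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String legacy = x.getIssuerDN().getName();  // the call named in the reply
            String rfc2253 = x.getIssuerX500Principal().getName(X500Principal.RFC2253);
            // With xmlsec on the classpath, pass `legacy` through
            // RFC2253Parser.normalize(...) as the reply suggests and test that result too.
            System.out.printf("%s%n  getIssuerDN: %s (parses=%b)%n  RFC2253    : %s%n  serial     : %s%n",
                    alias, legacy, parses(legacy), rfc2253, x.getSerialNumber());
        }
    }
}
```

Any alias reported with parses=false, or whose issuer string ends in a comma, is a certificate the IssuerSerial reference will fail on at the receiving side.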
