Looking at trunk:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Merlin.java?view=markup

I see in public boolean validateCertPath(X509Certificate[] certs):

                X509Certificate cert = (X509Certificate) this.keystore
                        .getCertificate(alias);
                TrustAnchor anchor = new TrustAnchor(cert, cert
                        .getExtensionValue("NameConstraints"));

X509Certificate's getExtensionValue() method is expecting its parameter
to be an OID (see
http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)),
but we are just passing a hardcoded string.  This should probably be
some constant that evaluates to "2.5.29.30".

The default provider's implementation does not throw an exception on
this, but other providers (notably BouncyCastle) may throw an
(unchecked) IllegalArgumentException.

Suggest something like:
+ protected static final String NAMECONSTRAINTS_OID="2.5.29.30";
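Review bot: style nit on the new constant, `NAMECONSTRAINTS_OID="2.5.29.30"` drops the spaces around `=` that the surrounding Merlin code uses; write it as `NAMECONSTRAINTS_OID = "2.5.29.30"` so it matches the file.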
...
            Enumeration cacertsAliases = this.cacerts.aliases();
            while (cacertsAliases.hasMoreElements()) {
                String alias = (String) cacertsAliases.nextElement();
                X509Certificate cert = (X509Certificate) this.cacerts
                        .getCertificate(alias);
                TrustAnchor anchor = new TrustAnchor(cert, cert
- -                        .getExtensionValue("NameConstraints"));
+                        .getExtensionValue(NAMECONSTRAINTS_OID));
                set.add(anchor);
            }

            // Add certificates from the keystore
            Enumeration aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = (String) aliases.nextElement();
                X509Certificate cert = (X509Certificate) this.keystore
                        .getCertificate(alias);
                TrustAnchor anchor = new TrustAnchor(cert, cert
- -                        .getExtensionValue("NAMECONSTRAINTS_OID"));
+                        .getExtensionValue(NAMECONSTRAINTS_OID));
                set.add(anchor);
            }
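Review bot: the removed line in the keystore loop reads `.getExtensionValue("NAMECONSTRAINTS_OID")`, which does not match the trunk code quoted at the top of this message, `.getExtensionValue("NameConstraints")`; as written the second change will not apply, so the `-` line should carry the trunk text. Separately, both `new TrustAnchor(cert, cert.getExtensionValue(...))` calls pass TrustAnchor the DER-encoded OCTET STRING that getExtensionValue() returns, whereas the TrustAnchor constructor is documented to take the NameConstraints value itself, without the OCTET STRING wrapper, so a CA certificate that actually carries the extension would fail in the constructor once the OID lookup starts returning data; unwrap the octet string before passing it (null for certificates without the extension is accepted).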
Thanks,
PK
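A corrected loader as an added example (mine, not WSS4J code): it looks NameConstraints up by OID as the message suggests, and also unwraps the DER OCTET STRING that getExtensionValue() returns, because TrustAnchor's javadoc asks for the bare NameConstraints encoding (a point beyond this message). The class name, the unwrap helper and the command-line arguments are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TrustAnchorLoader {
    // OID of the X.509 NameConstraints extension (id-ce 30, RFC 5280); X509Extension wants an OID, not a name.
    static final String NAMECONSTRAINTS_OID = "2.5.29.30";

    // getExtensionValue() returns the DER OCTET STRING that wraps extnValue, while TrustAnchor's
    // javadoc asks for the NameConstraints SEQUENCE inside it: strip exactly one tag/length header.
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null) return null;                       // certificate has no NameConstraints
        if (der.length < 2 || der[0] != 0x04) throw new IllegalArgumentException("not a DER OCTET STRING");
        int len = der[1] & 0xff, hdr = 2;
        if (len == 0x80) throw new IllegalArgumentException("indefinite length is not valid DER");
        if (len > 0x80) {                                   // long form: next (len & 0x7f) bytes hold the length
            int n = len & 0x7f;
            if (n > 3 || der.length < 2 + n) throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xff);
            hdr = 2 + n;
        }
        if (der.length != hdr + len) throw new IllegalArgumentException("OCTET STRING length mismatch");
        byte[] inner = new byte[len];
        System.arraycopy(der, hdr, inner, 0, len);
        return inner;
    }

    // One TrustAnchor per X.509 certificate in the keystore; non-X.509 and key-only aliases are skipped.
    static Set<TrustAnchor> trustAnchorsFrom(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            byte[] nc = unwrapOctetString(cert.getExtensionValue(NAMECONSTRAINTS_OID));
            anchors.add(new TrustAnchor(cert, nc));          // nc == null is accepted by TrustAnchor
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {   // assumed usage: <keystore file> <password>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        System.out.println(trustAnchorsFrom(ks).size() + " trust anchors loaded");
    }
}
```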