'Unprintable' characters in Distinguished Name causing comparison failure
-------------------------------------------------------------------------
Key: WSS-225
URL: https://issues.apache.org/jira/browse/WSS-225
Project: WSS4J
Issue Type: Bug
Affects Versions: 1.5.8
Environment: XP, Java 1.6
Reporter: Tom Trader
Assignee: Ruchith Udayanga Fernando
Certain characters used in elements of a DN are considered unprintable as per
RFC2252. The underscore '_' character is one of these characters.
If the certificate is read from a Java keystore, and I use
((X509Certificate) cert).getSubjectX500Principal() to obtain the X500Principal
and call getName(X500Principal.CANONICAL) on it, I find that its common name
has been hex encoded as follows:
cn=#14076d795f74657374
In the getAlias method of org.apache.ws.security.components.crypto.CryptoBase
the equals method of X500Principal is used to compare certificates in a trust
store against a given DN.
The canonical form of the DN is used in this comparison.
The problem is that the given DN X500Principal object is created using the
X500Principal(String DN) constructor. This object results in a canonical name
that is not encoded. So the equals comparison fails, as the cert from the
keystore is encoded and the given one isn't.
Here's a suggested change that overcomes this problem:
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;

import org.apache.ws.security.WSSecurityException;

    private Vector getAlias(X500Principal subjectRDN, KeyStore store)
        throws WSSecurityException {
        // Store the aliases found
        Vector aliases = new Vector();
        Certificate cert = null;
        try {
            for (Enumeration e = store.aliases(); e.hasMoreElements();) {
                String alias = (String) e.nextElement();
                Certificate[] certs = store.getCertificateChain(alias);
                if (certs == null || certs.length == 0) {
                    // no cert chain, so let's check if getCertificate gives us a result.
                    cert = store.getCertificate(alias);
                    if (cert == null) {
                        return null;
                    }
                    certs = new Certificate[]{cert};
                } else {
                    cert = certs[0];
                }
                if (cert instanceof X509Certificate) {
                    X500Principal foundRDN =
                        ((X509Certificate) cert).getSubjectX500Principal();
                    // Round-trip the subject through its RFC 1779 string form, which
                    // renders the attribute value as text. Re-parsing that string gives
                    // a principal whose CANONICAL name is not hex encoded, so equals()
                    // (which compares canonical forms) can match the given DN.
                    X500Principal foundRDNUnencoded =
                        new X500Principal(foundRDN.getName(X500Principal.RFC1779));
                    if (subjectRDN.equals(foundRDNUnencoded)) {
                        aliases.add(alias);
                    }
                }
            }
        } catch (KeyStoreException e) {
            throw new WSSecurityException(
                WSSecurityException.FAILURE, "keystore", null, e
            );
        }
        return aliases;
    }
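The following is an added, self-contained demonstration of the comparison failure described above; it is not code from the report or from WSS4J. It builds by hand the DER encoding of a subject name whose CN value is a TeletexString (T61String, DER tag 0x14), which is what the reporter's canonical output cn=#14076d795f74657374 decodes to ("my_test"), and then compares that principal with one built from the DN string, both directly and after the suggested RFC 1779 round-trip. The class name, method names and the DER bytes are constructed for this example.

```java
import javax.security.auth.x500.X500Principal;

/**
 * Added demonstration (not WSS4J code): why X500Principal.equals() fails for a
 * DN whose value is stored as a T61String, and how re-parsing the RFC 1779
 * string form makes the comparison succeed. All inputs are constructed here.
 */
public class DnCompareDemo {

    // Constructed DER encoding of the Name "CN=my_test" with the CN value as a
    // T61String (tag 0x14), i.e. the layout a certificate subject can carry:
    //   SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, T61String "my_test" } } }
    static final byte[] T61_ENCODED_DN = {
        0x30, 0x12,                              // SEQUENCE (Name), 18 bytes
          0x31, 0x10,                            //   SET (RDN), 16 bytes
            0x30, 0x0e,                          //     SEQUENCE (AVA), 14 bytes
              0x06, 0x03, 0x55, 0x04, 0x03,      //       OID 2.5.4.3 (commonName)
              0x14, 0x07, 0x6d, 0x79, 0x5f,      //       T61String "my_test"
                          0x74, 0x65, 0x73, 0x74
    };

    /** Comparison as CryptoBase.getAlias does it: equals() compares canonical forms. */
    static boolean matchesDirectly(X500Principal fromCert, X500Principal given) {
        return fromCert.equals(given);
    }

    /** Comparison with the suggested fix: re-parse the RFC 1779 string form first. */
    static boolean matchesAfterRoundTrip(X500Principal fromCert, X500Principal given) {
        X500Principal unencoded =
            new X500Principal(fromCert.getName(X500Principal.RFC1779));
        return given.equals(unencoded);
    }

    public static void main(String[] args) {
        // The principal as X509Certificate.getSubjectX500Principal() would return it
        X500Principal fromCert = new X500Principal(T61_ENCODED_DN);
        // The principal as WSS4J builds it from a configured DN string
        X500Principal given = new X500Principal("CN=my_test");

        System.out.println("canonical from cert  : " + fromCert.getName(X500Principal.CANONICAL));
        System.out.println("canonical from string: " + given.getName(X500Principal.CANONICAL));
        System.out.println("RFC1779 from cert    : " + fromCert.getName(X500Principal.RFC1779));
        System.out.println("direct equals        : " + matchesDirectly(fromCert, given));
        System.out.println("after round-trip     : " + matchesAfterRoundTrip(fromCert, given));
    }
}
```

Run it with javac/java on a JDK that behaves as the report describes: the first canonical line should show the hex form from the report, the direct comparison should be false, and the round-trip comparison should be true. The practical consequence for WSS4J is that a certificate with an underscore (or any other character outside the PrintableString set) in its DN is silently not found in the trust store, which surfaces as a lookup failure rather than as a clear encoding error.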