[ https://issues.apache.org/jira/browse/WSS-225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-225.
-------------------------------------
Resolution: Fixed
Fixed. If possible, could you test a SNAPSHOT?
Colm.
> 'Unprintable' characters in Distinguished Name causing comparison failure
> -------------------------------------------------------------------------
>
> Key: WSS-225
> URL: https://issues.apache.org/jira/browse/WSS-225
> Project: WSS4J
> Issue Type: Bug
> Affects Versions: 1.5.8
> Environment: XP, Java 1.6
> Reporter: Tom Trader
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.9, 1.6
>
>
> Certain characters used in elements of a DN are considered unprintable as per
> RFC2252. The underscore '_' character is one of these characters.
> If the certificate is read from a Java keystore, and using the
> ((X509Certificate) cert).getSubjectX500Principal() to obtain the
> X500Principal, and doing a getName(X500Principal.CANONICAL) on it, I find that
> its common name has been hex encoded as follows:
> cn=#14076d795f74657374
> In the getAlias method of org.apache.ws.security.components.crypto.CryptoBase
> the equals method of X500Principal is used to compare certificates in a trust
> store against a given DN.
> The canonical form of the DN is used in this comparison.
> The problem is that the given DN X500Principal object is created using the
> X500Principal(String DN) constructor. This object results in a canonical name
> that is not encoded. So the equals comparison fails, as the cert from the
> keystore is encoded and the given one isn't.
> Here's a suggested change that overcomes this problem:
> import java.security.KeyStore;
> import java.security.KeyStoreException;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.util.Enumeration;
> import java.util.Vector;
> import javax.security.auth.x500.X500Principal;
>
> private Vector getAlias(X500Principal subjectRDN, KeyStore store)
>     throws WSSecurityException {
>     // Store the aliases found
>     Vector aliases = new Vector();
>     Certificate cert = null;
>
>     try {
>         for (Enumeration e = store.aliases(); e.hasMoreElements();) {
>             String alias = (String) e.nextElement();
>             Certificate[] certs = store.getCertificateChain(alias);
>             if (certs == null || certs.length == 0) {
>                 // no cert chain, so let's check if getCertificate gives
>                 // us a result.
>                 cert = store.getCertificate(alias);
>                 if (cert == null) {
>                     // an alias with no certificate at all ends the search
>                     return null;
>                 }
>                 certs = new Certificate[]{cert};
>             } else {
>                 cert = certs[0];
>             }
>             if (cert instanceof X509Certificate) {
>                 X500Principal foundRDN =
>                     ((X509Certificate) cert).getSubjectX500Principal();
>                 // Round-trip the certificate's subject through its RFC 1779
>                 // string form, so that a value the canonical form would
>                 // hex-encode (the cn=#14... case above) is re-encoded the
>                 // same way as a DN built from a String, and the canonical
>                 // forms compared by equals() match.
>                 X500Principal foundRDNUnencoded =
>                     new X500Principal(foundRDN.getName(X500Principal.RFC1779));
>                 if (subjectRDN.equals(foundRDNUnencoded)) {
>                     aliases.add(alias);
>                 }
>             }
>         }
>     } catch (KeyStoreException e) {
>         throw new WSSecurityException(
>             WSSecurityException.FAILURE, "keystore", null, e
>         );
>     }
>     return aliases;
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
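The mismatch described in the issue, reproduced stand-alone as an added example (this is not WSS4J code and not the reporter's snippet). It builds a subject name from hand-written DER in which the CN value carries tag 0x14, the same tag that appears at the front of the reporter's cn=#14... output, so no keystore is needed to see the effect; the class name DnCompare, the constructed byte array and the sameDn helper are this example's own. It goes one step beyond the one-sided fix above by normalizing both sides, which covers the case where the wanted DN was itself taken from a certificate rather than typed as a string.

```java
import javax.security.auth.x500.X500Principal;

/*
 * Added example (not WSS4J code): reproduces the canonical-form mismatch
 * from WSS-225 and the string round-trip that makes equals() succeed.
 */
public class DnCompare {

    // Constructed DER for the subject "CN=my_test" with the value encoded
    // as tag 0x14 (T61String) instead of PrintableString/UTF8String:
    //   SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), [0x14] "my_test" } } }
    private static final byte[] T61_SUBJECT = {
        0x30, 0x12,                     // SEQUENCE, 18 bytes
        0x31, 0x10,                     // SET, 16 bytes
        0x30, 0x0e,                     // SEQUENCE, 14 bytes
        0x06, 0x03, 0x55, 0x04, 0x03,   // OID 2.5.4.3 (commonName)
        0x14, 0x07,                     // tag 0x14 string, 7 bytes
        'm', 'y', '_', 't', 'e', 's', 't'
    };

    /** Re-encode a principal via its RFC 1779 string form, as the WSS-225 fix does. */
    static X500Principal normalize(X500Principal p) {
        return new X500Principal(p.getName(X500Principal.RFC1779));
    }

    /** Compare two DNs after normalizing both sides (hypothetical helper for this example). */
    static boolean sameDn(X500Principal a, X500Principal b) {
        return normalize(a).equals(normalize(b));
    }

    public static void main(String[] args) {
        // What getSubjectX500Principal() hands back for a certificate whose
        // subject was encoded with tag 0x14 (here built from the bytes above).
        X500Principal fromCert = new X500Principal(T61_SUBJECT);
        // What the X500Principal(String) constructor produces for the same name.
        X500Principal given = new X500Principal("CN=my_test");

        System.out.println("cert canonical : " + fromCert.getName(X500Principal.CANONICAL));
        System.out.println("given canonical: " + given.getName(X500Principal.CANONICAL));
        System.out.println("cert RFC1779   : " + fromCert.getName(X500Principal.RFC1779));
        System.out.println("plain equals   : " + fromCert.equals(given));
        System.out.println("normalized     : " + sameDn(fromCert, given));
    }
}
```

Compile and run with javac DnCompare.java && java DnCompare. The first line shows the hex-encoded canonical form the reporter saw, while the RFC 1779 line renders the same value as readable text; equals() on the raw principals is false, and the comparison after normalization is true. Both sides go through the same round-trip deliberately: X500Principal(String) picks its own string encoding for the value, so comparing a freshly parsed principal against one that was not re-parsed reintroduces exactly the asymmetry the issue describes.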