Hi,

Can you create a JIRA and submit a patch for this? Preferably with a
test-case :-)
One problem with your suggested solution is that BouncyCastle is a
strictly optional dependency...see how CryptoBase.java handles this.

Colm.

On Fri, Jul 16, 2010 at 5:44 AM,  <bigg...@hotmail.com> wrote:
>  A valid CA certificate in my keystore throws an exception since the wss4j
> code is not properly parsing a valid certificate
>
> Merlin.java
>   validateCertPath
>
> does:
>     public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
>   ...
>             // Add certificates from the keystore
>             Enumeration aliases = this.keystore.aliases();
>             while (aliases.hasMoreElements()) {
>                 String alias = (String) aliases.nextElement();
>                 X509Certificate cert =
>                     (X509Certificate) this.keystore.getCertificate(alias);
>                 // getExtensionValue() returns the DER-encoded extnValue OCTET STRING,
>                 // not the inner NameConstraints encoding that TrustAnchor expects
>                 TrustAnchor anchor =
>                     new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
>                 set.add(anchor);
>             }
>   ...
>   ...
>
> The issue is that cert.getExtensionValue bytes must be parsed prior to
> sending to TrustAnchor since it is valid to have the name constraints
> wrapped as an OCTET_STRING
>
> So the code should look like this:
>
> byte[] ba = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
> if (ba != null && ba[0] == 0x04) { // extnValue is DER-wrapped in an OCTET STRING
>     ba = ((org.bouncycastle.asn1.ASN1OctetString)
>             org.bouncycastle.asn1.ASN1Object.fromByteArray(ba)).getOctets();
> }
> TrustAnchor anchor = new TrustAnchor(cert, ba);

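An added example, not WSS4J code and not the poster's patch, of doing the same unwrapping without BouncyCastle, in line with Colm's point that BC is only an optional dependency: it strips the DER OCTET STRING wrapper that X509Certificate.getExtensionValue() returns (handling both short- and long-form lengths) and hands the inner NameConstraints bytes to TrustAnchor. The class and method names are assumed for illustration; the OID value is the standard id-ce-nameConstraints.

```java
import java.io.IOException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;

public final class NameConstraintsUnwrap {
    // id-ce-nameConstraints (RFC 5280, section 4.2.1.10); same OID Merlin uses
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * getExtensionValue() returns the DER-encoded extnValue OCTET STRING,
     * i.e. 04 <length> <inner DER>. TrustAnchor wants the inner NameConstraints
     * encoding, so peel the wrapper off. Returns null for null input and
     * rejects anything that is not a well-formed OCTET STRING.
     */
    static byte[] unwrapOctetString(byte[] extnValue) throws IOException {
        if (extnValue == null) {
            return null;
        }
        if (extnValue.length < 2 || extnValue[0] != 0x04) {
            throw new IOException("extension value is not a DER OCTET STRING");
        }
        int lenByte = extnValue[1] & 0xFF;
        int offset = 2;
        int length;
        if (lenByte < 0x80) {
            length = lenByte;                      // short form: one length byte
        } else {
            int numBytes = lenByte & 0x7F;         // long form: 0x8n, then n length bytes
            if (numBytes == 0 || numBytes > 4 || extnValue.length < 2 + numBytes) {
                throw new IOException("unsupported or truncated DER length");
            }
            length = 0;
            for (int i = 0; i < numBytes; i++) {
                length = (length << 8) | (extnValue[offset++] & 0xFF);
            }
        }
        // The wrapper must account for exactly the remaining bytes; anything else is malformed
        if (length < 0 || offset + length != extnValue.length) {
            throw new IOException("DER OCTET STRING length does not match data");
        }
        byte[] inner = new byte[length];
        System.arraycopy(extnValue, offset, inner, 0, length);
        return inner;
    }

    // Builds the anchor the way Merlin.validateCertPath should: pass null when the
    // certificate carries no NameConstraints extension, the unwrapped DER otherwise.
    static TrustAnchor toTrustAnchor(X509Certificate cert) throws IOException {
        byte[] nameConstraints = unwrapOctetString(cert.getExtensionValue(NAME_CONSTRAINTS_OID));
        return new TrustAnchor(cert, nameConstraints);
    }
}
```

TrustAnchor itself throws IllegalArgumentException when the nameConstraints bytes do not decode, which is the exception the poster hit when the wrapped form was passed through unchanged.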
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscr...@ws.apache.org
For additional commands, e-mail: wss4j-dev-h...@ws.apache.org
