ws-fx-dev mailing list archives

From "Dittmann, Werner" <werner.dittm...@siemens.com>
Subject AW: possible bug in Merlin
Date Tue, 26 Jul 2005 15:36:50 GMT
Mike,

you are right. The reason why we use the older version
getSubjectDN() was that the other method is not
supported in Java 1.3 and it was (still is??) a requirement
to have it available with JDK 1.3.

I'll have a look - as far as I can remember there was a
specific method that took care of these differences.

Regards,
Werner

> -----Original Message-----
> From: Mike [mailto:toaster@umiacs.umd.edu]
> Sent: Tuesday, 26 July 2005 17:13
> To: fx-dev@ws.apache.org
> Subject: possible bug in Merlin
> 
> 
> 
> Hi,
>   I'm having some problems trying to validate signatures by using the
> issuer certificate. The issue appears to be with how certificates are
> resolved based on their DN. The following errors show up after turning
> debugging on:
> 
> [26/Jul/2005:10:41:30] No alias found for subject from issuer with EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US (serial 1048578)
> [26/Jul/2005:10:41:30] No aliases found in keystore for issuer EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US of certificate for EMAILADDRESS=toaster@umiacs.umd.edu, CN=Pawn Client, OU=PAWN Client, O=UMIACS, ST=Maryland, C=US
> 
> 
> 
> When a cert comes in over the wire in WSDoAllReceiver.verifyTrust calls
> cert.getIssuerDN().getName() which returns a DN in the form of:
>
>   EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US
> 
> however when it tries to retrieve the corresponding certificate in 
> Merlin.getAliasesForDN by looping it calls getSubjectDN().getName() 
> while building a vector to compare. This however will return
> 
>   C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,CN=Adapt Project CA,E=toaster@umiacs.umd.edu
> 
> Calling getSubjectX500Principal().toString produces a compatible DN, and
> allows verification to work.
>
> EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US
> 
> It looks like the problem is with how different providers handle the
> EMAILADDRESS string. In the javadoc for X509Certificate it's recommended
> to use getSubjectX500Principal and getIssuerX500Principal rather than
> the provider specific getSubjectDN and getIssuerDN.
> 
> Index: src/org/apache/ws/security/components/crypto/Merlin.java
> ===================================================================
> RCS file: 
> /home/cvspublic/ws-wss4j/src/org/apache/ws/security/components
> /crypto/Merlin.java,v
> retrieving revision 1.24
> diff -r1.24 Merlin.java
> 665c665,666
> <                     Vector foundRDN = 
> splitAndTrim(((X509Certificate) 
> cert).getSubjectDN().getName());
> ---
>  >                     //Vector foundRDN = 
> splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());
>  >                     Vector foundRDN = 
> splitAndTrim(((X509Certificate) 
> cert).getSubjectX500Principal().toString());
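
Review bot: the replacement line at 665 still compares DNs as strings, now built from getSubjectX500Principal().toString(), so the lookup only matches while that rendering agrees with what the caller passes in (the message above says verifyTrust passes cert.getIssuerDN().getName()). toString() is a display form; getName() on the X500Principal is the documented RFC 2253 form, and taking the X500Principal on both the issuer and subject side would remove the dependence on provider formatting. The commented-out old line should be deleted rather than committed, and since getSubjectX500Principal() needs Java 1.4 the change has to be squared with the JDK 1.3 requirement raised in the reply.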
> 
> 
> 
> 
> -Mike
> 
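
The mismatch described in the quoted message, as an added example that is not WSS4J code and not part of either message: the two renderings of the CA's DN fail a plain string comparison but match once each is parsed into RDNs and the `E` keyword is mapped to `EMAILADDRESS`. The class `DnCompare` and its methods `rdnSet` and `sameDn` are hypothetical names, and the sample DNs are the ones quoted in the thread.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnCompare {
    // Assumption: "E" is the only alternate keyword that needs mapping (it is the one in the thread).
    private static final Map<String, String> ALIASES = Map.of("E", "EMAILADDRESS");

    /** Parses a DN into an order-independent set of normalized "TYPE=value" entries. */
    static Set<String> rdnSet(String dn) throws InvalidNameException {
        Set<String> out = new TreeSet<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            // Single-valued RDNs only, as in the thread's DNs (getType() reads one attribute).
            String type = rdn.getType().toUpperCase(Locale.ROOT);
            type = ALIASES.getOrDefault(type, type);
            out.add(type + "=" + String.valueOf(rdn.getValue()).trim());
        }
        return out;
    }

    /** True when both strings name the same attributes, whatever the order or keyword spelling. */
    static boolean sameDn(String a, String b) throws InvalidNameException {
        return rdnSet(a).equals(rdnSet(b));
    }

    public static void main(String[] args) throws InvalidNameException {
        // The two renderings of the CA's DN quoted in the message.
        String issuerForm = "EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, "
                + "OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US";
        String subjectForm = "C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,"
                + "CN=Adapt Project CA,E=toaster@umiacs.umd.edu";
        // The client certificate's DN from the log; it must not match the CA.
        String clientForm = "EMAILADDRESS=toaster@umiacs.umd.edu, CN=Pawn Client, "
                + "OU=PAWN Client, O=UMIACS, ST=Maryland, C=US";

        System.out.println("raw string equality:  " + issuerForm.equals(subjectForm));
        System.out.println("normalized, CA vs CA: " + sameDn(issuerForm, subjectForm));
        System.out.println("normalized, CA vs client: " + sameDn(issuerForm, clientForm));
    }
}
```

Order-insensitive matching of this kind only selects a candidate certificate from the keystore; the signature check against that certificate still decides trust.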
