ws-wss4j-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: x509 naming constraints validation
Date Wed, 21 Jul 2010 16:45:45 GMT
Hi,

Can you create a JIRA and submit a patch for this? Preferably with a
test-case :-)
One problem with your suggested solution is that BouncyCastle is a
strictly optional dependency...see how CryptoBase.java handles this.

Colm.

On Fri, Jul 16, 2010 at 5:44 AM,  <biggenx@hotmail.com> wrote:
>  A valid CA certificate in my keystore throws an exception since the wss4j
> code is not properly parsing a valid certificate
>
> Merlin.java
>   validateCertPath
>
> does:
>     public boolean validateCertPath(X509Certificate[] certs) throws
> WSSecurityException {
>   ...
>             // Add certificates from the keystore
>             Enumeration aliases = this.keystore.aliases();
>             while (aliases.hasMoreElements()) {
>                 String alias = (String) aliases.nextElement();
>                 X509Certificate cert =
>                     (X509Certificate) this.keystore.getCertificate(alias);
>                 TrustAnchor anchor =
>                     new TrustAnchor(cert,
> cert.getExtensionValue(NAME_CONSTRAINTS_OID));
>                 set.add(anchor);
>             }
>   ...
>
> The issue is that cert.getExtensionValue bytes must be parsed prior to
> sending to TrustAnchor since it is valid to have the name constraints
> wrapped as an OCTET_STRING
>
> So the code should look like this:
>
> byte[] ba = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
> if (ba != null && ba[0] == 0x04) // if ba is wrapped
>   ba = ((org.bouncycastle.asn1.ASN1OctetString)
>         org.bouncycastle.asn1.ASN1Object.fromByteArray(ba)).getOctets();
> TrustAnchor anchor = new TrustAnchor(cert, ba);

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
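The thread turns on a mismatch between two JDK APIs: `X509Certificate.getExtensionValue()` returns the DER-encoded OCTET STRING that wraps an extension's value, whereas `TrustAnchor(X509Certificate, byte[])` expects the DER encoding of the NameConstraints structure itself. Passing the wrapped bytes straight through, as the quoted Merlin.java loop does, makes path validation fail on a perfectly valid CA certificate that carries name constraints. The following is an added example, not code from this thread or from WSS4J, showing how the unwrapping can be done with the JDK alone (so that the BouncyCastle dependency Colm mentions is not needed); the class and method names, and the sample byte array in `main`, are my own constructions:

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

public final class NameConstraintsUnwrap {

    // OID of the NameConstraints extension (RFC 5280, section 4.2.1.10).
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * Strips the outer DER OCTET STRING (tag 0x04) that getExtensionValue()
     * always returns, yielding the inner DER that TrustAnchor expects.
     * Handles both short-form and long-form DER lengths and rejects input
     * whose declared length does not match the buffer, so a truncated or
     * corrupt extension is reported rather than silently misparsed.
     * Returns null for null input (extension absent), which TrustAnchor accepts.
     */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null) {
            return null;
        }
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int lenByte = der[1] & 0xff;
        int contentStart;
        int contentLen;
        if (lenByte < 0x80) {
            // Short form: the byte itself is the content length.
            contentStart = 2;
            contentLen = lenByte;
        } else {
            // Long form: low 7 bits give the number of following length octets.
            int numLenOctets = lenByte & 0x7f;
            if (numLenOctets == 0 || numLenOctets > 4 || der.length < 2 + numLenOctets) {
                throw new IllegalArgumentException("bad DER length encoding");
            }
            contentLen = 0;
            for (int i = 0; i < numLenOctets; i++) {
                contentLen = (contentLen << 8) | (der[2 + i] & 0xff);
            }
            contentStart = 2 + numLenOctets;
        }
        if (contentLen < 0 || contentStart + contentLen != der.length) {
            throw new IllegalArgumentException("DER length does not match input size");
        }
        byte[] inner = new byte[contentLen];
        System.arraycopy(der, contentStart, inner, 0, contentLen);
        return inner;
    }

    /**
     * Builds the trust-anchor set from every certificate in the keystore,
     * the way the quoted validateCertPath() loop does, but with the name
     * constraints unwrapped. Aliases without a certificate (secret-key
     * entries) and non-X.509 certificates are skipped instead of throwing.
     */
    static Set<TrustAnchor> trustAnchorsFrom(KeyStore keystore) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        Enumeration<String> aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = keystore.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            byte[] nameConstraints =
                unwrapOctetString(cert.getExtensionValue(NAME_CONSTRAINTS_OID));
            anchors.add(new TrustAnchor(cert, nameConstraints));
        }
        return anchors;
    }

    public static void main(String[] args) {
        // Constructed sample (not from a real certificate): an OCTET STRING
        // of length 2 wrapping an empty SEQUENCE, i.e. 04 02 30 00.
        byte[] wrapped = {0x04, 0x02, 0x30, 0x00};
        byte[] inner = unwrapOctetString(wrapped);
        System.out.printf("inner length=%d, first tag=0x%02x%n", inner.length, inner[0]);
    }
}
```

Because the Javadoc for `getExtensionValue()` guarantees the OCTET STRING wrapper, the `ba[0] == 0x04` test in the quoted patch is only a sanity check, not a branch that is sometimes skipped; the length check above is what actually protects against malformed extension bytes ending up in a `TrustAnchor`.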

