ws-wss4j-dev mailing list archives

From <bigg...@hotmail.com>
Subject x509 naming constraints validation
Date Fri, 16 Jul 2010 04:44:27 GMT

A valid CA certificate in my keystore throws an exception, since the wss4j code is not properly parsing a valid certificate.
 
Merlin.java, validateCertPath, does:

    public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
        ...
            // Add certificates from the keystore
            Enumeration aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = (String) aliases.nextElement();
                X509Certificate cert =
                    (X509Certificate) this.keystore.getCertificate(alias);
                // The raw extension bytes are handed to TrustAnchor without being unwrapped
                TrustAnchor anchor =
                    new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
                set.add(anchor);
            }
        ...

The issue is that the cert.getExtensionValue bytes must be parsed before being passed to TrustAnchor, since it is valid to have the name constraints wrapped as an OCTET STRING.
 
So the code should look like this:
 
    byte[] ba = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
    if (ba != null && ba[0] == 0x04) { // if ba is wrapped in an OCTET STRING
        ba = ((org.bouncycastle.asn1.ASN1OctetString)
            org.bouncycastle.asn1.ASN1Object.fromByteArray(ba)).getOctets();
    }
    TrustAnchor anchor = new TrustAnchor(cert, ba);
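As an added example (not from the wss4j source or the post above), the same unwrapping step in Python with a small DER TLV reader and a constructed NameConstraints value: getExtensionValue() returns the extension's DER OCTET STRING, and TrustAnchor expects only the NameConstraints SEQUENCE inside it.

```python
# Added example, not from wss4j or the original post: unwrap the DER OCTET STRING
# returned by X509Extension.getExtensionValue() before handing the bytes to
# TrustAnchor, which expects only the inner NameConstraints value.
OCTET_STRING = 0x04
SEQUENCE = 0x30


def der_read_tlv(buf, offset=0):
    """Decode one DER TLV at offset -> (tag, value, next_offset); rejects indefinite/truncated input."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if first < 0x80:                       # short form: length fits in 7 bits
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER: value shorter than declared length")
    return tag, buf[pos:end], end


def unwrap_extension_value(ext_value):
    """Return the NameConstraints SEQUENCE inside an extension's OCTET STRING; None passes through."""
    if ext_value is None:                  # same null check Merlin.validateCertPath needs
        return None
    tag, inner, end = der_read_tlv(ext_value)
    if tag != OCTET_STRING or end != len(ext_value):
        raise ValueError("extension value is not a single OCTET STRING")
    inner_tag, _, inner_end = der_read_tlv(inner)
    if inner_tag != SEQUENCE or inner_end != len(inner):
        raise ValueError("OCTET STRING does not hold a single NameConstraints SEQUENCE")
    return inner


# Constructed sample: NameConstraints { permittedSubtrees [0] { { dNSName "example.com" } } }
NAME_CONSTRAINTS = bytes.fromhex("3011a00f300d820b6578616d706c652e636f6d")
# What getExtensionValue() would return for it: the value wrapped in an OCTET STRING.
EXTENSION_VALUE = bytes([OCTET_STRING, len(NAME_CONSTRAINTS)]) + NAME_CONSTRAINTS
```

Passing NAME_CONSTRAINTS (already unwrapped) into unwrap_extension_value raises, which is the shape of the failure the original Merlin code produced in the other direction: TrustAnchor given the still-wrapped bytes.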