Posted to java-dev@axis.apache.org by "Ricardo Tercero Lozano (JIRA)" <ji...@apache.org> on 2009/10/02 12:09:23 UTC

[jira] Created: (AXIS2-4513) Rampart module fails validating certificate when security provider is Bouncy Castle

Rampart module fails validating certificate when security provider is Bouncy Castle
-----------------------------------------------------------------------------------

                 Key: AXIS2-4513
                 URL: https://issues.apache.org/jira/browse/AXIS2-4513
             Project: Axis 2.0 (Axis2)
          Issue Type: Bug
          Components: modules
    Affects Versions: 1.5
         Environment: Java 1.5, Tomcat 6, Axis2 1.5, rampart 1.4
            Reporter: Ricardo Tercero Lozano



I found an error in class 'PolicyBasedResultsValidator', method 'verifyTrust'. This method gets the subject and issuer to operate.

        String subjectString = cert.getSubjectDN().getName();
        String issuerString = cert.getIssuerDN().getName();
        BigInteger issuerSerial = cert.getSerialNumber();

When using Bouncy Castle as security provider, 'getSubjectDN' and 'getIssuerDN' return a DN String representation that can be different from the one on the certificate (which is my case).

On the Bouncy Castle devel list, they recommend using 'getSubjectX500Principal' and 'getIssuerX500Principal' instead of the 'DN' methods. These methods return the values on the certificate, so matching could be right.

        String subjectString = cert.getSubjectX500Principal().getName();
        String issuerString = cert.getIssuerX500Principal().getName();
        BigInteger issuerSerial = cert.getSerialNumber();

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
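Added example (not Rampart's or the reporter's code) of the comparison the X500Principal fix relies on: distinguished names are matched in canonical form rather than as provider-formatted strings. The class, methods and sample DN values are constructed for illustration.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Arrays;
import java.util.List;

// Added example, not Rampart code: match DNs canonically, not as the
// provider-specific strings that getSubjectDN()/getIssuerDN() print.
public class DnMatching {

    // Constructed sample: one issuer DN written two ways. A cert parsed by BC
    // and a keystore entry loaded by the SUN provider can differ like this
    // in what the denigrated getIssuerDN().getName() returns.
    static final String ISSUER_SUN_STYLE = "CN=Example CA, O=Example, C=ES";
    static final String ISSUER_BC_STYLE  = "cn=Example CA,o=Example,c=ES";

    // Canonical form (X500Principal.CANONICAL, available since Java 1.4)
    // normalizes keywords, whitespace and case, so it is provider independent.
    // X500Principal.equals() performs the same canonical comparison.
    static boolean sameDn(X500Principal a, X500Principal b) {
        return a.getName(X500Principal.CANONICAL)
                .equals(b.getName(X500Principal.CANONICAL));
    }

    // Find the trust anchor whose subject equals the cert's issuer, which is
    // the lookup verifyTrust needs to get right before it can verify the chain.
    static X500Principal findIssuer(List<X500Principal> anchorSubjects,
                                    X500Principal issuer) {
        for (X500Principal subject : anchorSubjects) {
            if (sameDn(subject, issuer)) {
                return subject;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<X500Principal> anchors = Arrays.asList(
                new X500Principal("CN=Other CA, O=Other, C=DE"),
                new X500Principal(ISSUER_SUN_STYLE));
        X500Principal issuerFromBc = new X500Principal(ISSUER_BC_STYLE);

        // Naive string matching, as in the original verifyTrust, fails here:
        System.out.println("string match: " + ISSUER_SUN_STYLE.equals(ISSUER_BC_STYLE));
        // Canonical matching finds the anchor regardless of provider formatting:
        System.out.println("canonical match: " + (findIssuer(anchors, issuerFromBc) != null));
    }
}
```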


[jira] Updated: (AXIS2-4513) Rampart module fails validating certificate when security provider is Bouncy Castle

Posted by "Ricardo Tercero Lozano (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ricardo Tercero Lozano updated AXIS2-4513:
------------------------------------------

    Description: 

I found an error in class 'PolicyBasedResultsValidator', method 'verifyTrust'. This method gets the subject and issuer to operate.

        String subjectString = cert.getSubjectDN().getName();
        String issuerString = cert.getIssuerDN().getName();
        BigInteger issuerSerial = cert.getSerialNumber();

When using Bouncy Castle as security provider, 'getSubjectDN' and 'getIssuerDN' return a DN String representation that can be different from the one on the certificate (which is my case).

On the Bouncy Castle devel list, they recommend using 'getSubjectX500Principal' and 'getIssuerX500Principal' instead of the 'DN' methods. These methods return the values on the certificate, so matching could be right.

        String subjectString = cert.getSubjectX500Principal().getName();
        String issuerString = cert.getIssuerX500Principal().getName();
        BigInteger issuerSerial = cert.getSerialNumber();


A rampart configuration to use Bouncy Castle as provider could be:

<ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">server.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.cert.provider">BC</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
    </ramp:crypto>
</ramp:signatureCrypto>




[jira] Closed: (AXIS2-4513) Rampart module fails validating certificate when security provider is Bouncy Castle

Posted by "Ricardo Tercero Lozano (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ricardo Tercero Lozano closed AXIS2-4513.
-----------------------------------------

    Resolution: Invalid

Didn't know there was a project for Rampart. Will publish in appropriate project.