Posted to fx-dev@ws.apache.org by Christof Soehngen <Ch...@SYRACOM.DE> on 2004/04/14 08:16:55 UTC

Suggestion for getAliasForX509Cert(issuer, serialNumber)

Hello everyone,
 
I have a suggestion for the following method from org.apache.ws.security.components.crypto.Merlin.java:
 
     getAliasForX509Cert(String issuer, BigInteger serialNumber)
 
The method uses a string-based comparison of a given DN to check if any certificate was issued by this CA:
 
     if (equalsStringArray(issuerSplit, certIssuer)) {
 
I experienced certificates with a mixed-up order of DN parts, for example country first, then region, and so on. By simply comparing a String[], certs signed by this CA are not found if the reordering took place during signing (for example with openssl). I suggest sorting those arrays, so the DN parts are compared in the correct order:
 
     Arrays.sort(issuerSplit);
     Arrays.sort(certIssuer);
     
Regards,
Christof Soehngen
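
The comparison discussed in this message, as an added example that is not part of the original post and not WSS4J code. It parses the DNs with javax.naming.ldap.LdapName instead of the string split used in the post; the class name, method names and DN values are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class IssuerDnMatch {

    // Parse a DN and return its RDNs sorted, so the position of each part
    // in the original string no longer influences the comparison.
    static List<Rdn> sortedRdns(String dn) throws InvalidNameException {
        List<Rdn> rdns = new ArrayList<>(new LdapName(dn).getRdns());
        Collections.sort(rdns); // Rdn implements Comparable
        return rdns;
    }

    // Order-sensitive comparison: the behaviour that misses reordered DNs.
    static boolean sameOrder(String a, String b) throws InvalidNameException {
        return new LdapName(a).equals(new LdapName(b));
    }

    // Order-insensitive comparison: the sorting idea from the post.
    static boolean sameParts(String a, String b) throws InvalidNameException {
        return sortedRdns(a).equals(sortedRdns(b));
    }

    // Hypothetical lookup test: issuer parts and serial number must both match.
    static boolean matches(String issuer, BigInteger serial,
                           String certIssuer, BigInteger certSerial)
            throws InvalidNameException {
        return serial.equals(certSerial) && sameParts(issuer, certIssuer);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values, not taken from a real certificate.
        String wanted    = "CN=Example CA,O=Example Org,ST=Example State,C=DE";
        String reordered = "C=DE,ST=Example State,O=Example Org,CN=Example CA";
        String otherCa   = "CN=Other CA,O=Example Org,ST=Example State,C=DE";
        BigInteger serial = new BigInteger("4711");

        System.out.println("same order, reordered DN: " + sameOrder(wanted, reordered));
        System.out.println("same parts, reordered DN: " + sameParts(wanted, reordered));
        System.out.println("same parts, other CA:     " + sameParts(wanted, otherCa));
        System.out.println("issuer + serial match:    " + matches(wanted, serial, reordered, serial));
    }
}
```

Sorting makes the match order-insensitive, so two DNs that are permutations of each other count as the same issuer, whereas RFC 5280 name matching requires the RDNs to appear in the same order.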