Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2010/05/26 13:31:33 UTC

svn commit: r948399 - in /webservices/wss4j/trunk: src/org/apache/ws/security/components/crypto/CryptoBase.java src/org/apache/ws/security/message/EnvelopeIdResolver.java test/wssec/TestWSSecurityWSS86.java

Author: coheigea
Date: Wed May 26 11:31:32 2010
New Revision: 948399

URL: http://svn.apache.org/viewvc?rev=948399&view=rev
Log:
[WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
 - Ported BouncyCastle fix from getAliasForX509Cert to getAliasesForDN 

Removed:
    webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
Modified:
    webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
    webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=948399&r1=948398&r2=948399&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java Wed May 26 11:31:32 2010
@@ -731,16 +731,29 @@ public abstract class CryptoBase impleme
      */
     public String[] getAliasesForDN(String subjectDN) throws WSSecurityException {
 
-        // The DN to search the keystore for
-        X500Principal subjectRDN = new X500Principal(subjectDN);
+        //
+        // Convert the subject DN to a java X500Principal object first. This is to ensure
+        // interop with a DN constructed from .NET, where e.g. it uses "S" instead of "ST".
+        // Then convert it to a BouncyCastle X509Name, which will order the attributes of
+        // the DN in a particular way (see WSS-168). If the conversion to an X500Principal
+        // object fails (e.g. if the DN contains "E" instead of "EMAILADDRESS"), then fall
+        // back on a direct conversion to a BC X509Name
+        //
+        Object subject;
+        try {
+            X500Principal subjectRDN = new X500Principal(subjectDN);
+            subject = createBCX509Name(subjectRDN.getName());
+        } catch (java.lang.IllegalArgumentException ex) {
+            subject = createBCX509Name(subjectDN);
+        }
         List aliases = null;
         if (keystore != null) {
-            aliases = getAliases(subjectRDN, keystore);
+            aliases = getAliases(subject, keystore);
         }
-        
+
         //If we can't find the issuer in the keystore then look at the truststore
         if ((aliases == null || aliases.size() == 0) && truststore != null) {
-            aliases = getAliases(subjectRDN, truststore);
+            aliases = getAliases(subject, truststore);
         }
         
         // Convert the vector into an array
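Review bot: The fallback `subject = createBCX509Name(subjectDN);` inside the catch block is itself unguarded, so a DN that neither X500Principal nor the BC conversion accepts escapes as an unchecked exception (IllegalArgumentException from the JDK; whatever createBCX509Name throws is not visible in this hunk) from a method declared to throw WSSecurityException. If subjectDN is taken from an inbound message's issuer/subject reference, as the getAliasForX509Cert caller in the test suggests, that is attacker-controlled input reaching an unchecked exception path rather than the checked failure callers already handle; catching IllegalArgumentException around the fallback and rethrowing it as a WSSecurityException with the original exception as cause would close that gap. A null subjectDN still produces a NullPointerException from `new X500Principal(subjectDN)`, as before this change. The body of getAliasesForDN continues past this hunk.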
@@ -915,12 +928,12 @@ public abstract class CryptoBase impleme
     
     /**
      * Get all of the aliases of the X500Principal argument in the supplied KeyStore
-     * @param subjectRDN The X500Principal
+     * @param subjectRDN either an X500Principal or a BouncyCastle X509Name instance.
      * @param store The KeyStore
      * @return A list of aliases
      * @throws WSSecurityException
      */
-    private static List getAliases(X500Principal subjectRDN, KeyStore store) 
+    private List getAliases(Object subjectRDN, KeyStore store) 
         throws WSSecurityException {
         // Store the aliases found
         List aliases = new Vector();
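Review bot: The new `@param subjectRDN` javadoc says the argument may be either an X500Principal or a BouncyCastle X509Name, but the two callers changed in this commit only ever pass the result of createBCX509Name, and the comparison later in this method is made against a name built by createBCX509Name as well, so an X500Principal argument would compare unequal to every certificate and silently yield an empty list. Either narrow the parameter type to the BC class or state the restriction in the javadoc, e.g. `@param subjectRDN a BouncyCastle X509Name as returned by createBCX509Name (an X500Principal will never match)`. The loop that performs the comparison lies outside this hunk.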
@@ -943,8 +956,9 @@ public abstract class CryptoBase impleme
                 }
                 if (cert instanceof X509Certificate) {
                     X500Principal foundRDN = ((X509Certificate) cert).getSubjectX500Principal();
+                    Object certName = createBCX509Name(foundRDN.getName());
 
-                    if (subjectRDN.equals(foundRDN)) {
+                    if (subjectRDN.equals(certName)) {
                         aliases.add(alias);
                     }
                 }
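Review bot: `subjectRDN.equals(certName)` now compares the caller's object with a BC X509Name built from every certificate, so the match only works when subjectRDN is already the BC form; passing an X500Principal, which the parameter's javadoc permits, is a silent no-match for all entries with no error, and a comment on the comparison such as `// both sides must be BC X509Names: X500Principal.equals(X509Name) is always false` would make that dependency explicit. Equality semantics are now whatever the BC class defines rather than X500Principal's, so if that equals is attribute-order or case insensitive two keystore entries whose DNs differ only in those respects would both be returned from this lookup; that may be intended (the WSS-168 ordering issue the commit comments cite), but it is worth stating. Because `createBCX509Name(foundRDN.getName())` is now evaluated for each certificate in the store, a single subject it cannot parse aborts the whole scan rather than skipping that entry, assuming it throws on failure, which the helper's body (not in this hunk) would confirm. The enclosing loop and method start before this hunk.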

Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java?rev=948399&r1=948398&r2=948399&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java Wed May 26 11:31:32 2010
@@ -95,6 +95,19 @@ public class TestWSSecurityWSS86 extends
 
     
     /**
+     * A unit test...
+     */
+    public void testGetAliasWithReversedDN() throws Exception {
+        String issuer = "C=DE,ST=Bayern,L=Munich,O=Apache,OU=WSS4J,CN=Werner,E=Werner@example.com";
+        
+        String alias = crypto.getAliasForX509Cert(issuer, new java.math.BigInteger("1237819491"));
+        assertNotNull("Alias not found using a reversed DN", alias);
+        
+        String[] aliases = crypto.getAliasesForDN(issuer);
+        assertNotNull("Alias not found using a reversed DN", aliases[0]);
+    }
+    
+    /**
      * Test signing a SOAP message using a cert with an OID
      */
     public void testSignatureOID() throws Exception {
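Review bot: `assertNotNull("Alias not found using a reversed DN", aliases[0]);` turns a failed lookup into an ArrayIndexOutOfBoundsException instead of an assertion failure, since getAliasesForDN presumably returns an empty array when nothing matches (its array conversion is not in this diff). Replace it with `assertTrue("Alias not found using a reversed DN", aliases.length > 0);` and, because both lookups should resolve the same entry, add `assertEquals(alias, aliases[0]);`. The placeholder javadoc `A unit test...` should state what is exercised: a DN in reversed attribute order that uses `E` (which the CryptoBase comment says X500Principal rejects) must still resolve through the BC fallback in both getAliasForX509Cert and getAliasesForDN.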


