Posted to fx-dev@ws.apache.org by Mike <to...@umiacs.umd.edu> on 2005/07/26 17:12:53 UTC
possible bug in Merlin
Hi,
I'm having some problems trying to validate signatures by using the
issuer certificate. The issue appears to be with how certificates are
resolved based on their DN. The following errors show up after turning
debugging on:
[26/Jul/2005:10:41:30] No alias found for subject from issuer with
EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA,
O=UMIACS,
L=College Park, ST=Maryland, C=US (serial 1048578)
[26/Jul/2005:10:41:30] No aliases found in keystore for issuer
EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA,
O=UMIACS, L=College Park, ST=Maryland, C=US of certificate for
EMAILADDRESS=toaster@umiacs.umd.edu, CN=Pawn Client, OU=PAWN Client,
O=UMIACS, ST=Maryland, C=US
When a cert comes in over the wire, WSDoAllReceiver.verifyTrust calls
cert.getIssuerDN().getName(), which returns a DN in the form of:
EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA,
O=UMIACS, L=College Park, ST=Maryland, C=US
However, when it tries to retrieve the corresponding certificate in
Merlin.getAliasesForDN by looping, it calls getSubjectDN().getName()
while building a vector to compare. This, however, will return
C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,CN=Adapt Project
CA,E=toaster@umiacs.umd.edu
Calling getSubjectX500Principal().toString produces a compatible DN, and
allows verification to work.
EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA,
O=UMIACS, L=College Park, ST=Maryland, C=US
It looks like the problem is with how different providers handle the
EMAILADDRESS string. In the javadoc for X509Certificate it's recommended
to use getSubjectX500Principal and getIssuerX500Principal rather than
the provider-specific getSubjectDN and getIssuerDN.
Index: src/org/apache/ws/security/components/crypto/Merlin.java
===================================================================
RCS file:
/home/cvspublic/ws-wss4j/src/org/apache/ws/security/components/crypto/Merlin.java,v
retrieving revision 1.24
diff -r1.24 Merlin.java
665c665,666
< Vector foundRDN = splitAndTrim(((X509Certificate)
cert).getSubjectDN().getName());
---
> //Vector foundRDN =
splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());
> Vector foundRDN = splitAndTrim(((X509Certificate)
cert).getSubjectX500Principal().toString());
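Review bot: the replacement at line 665 still matches certificates by comparing DN strings, and per the description the other side of the comparison is produced by cert.getIssuerDN().getName() in WSDoAllReceiver.verifyTrust, so the lookup keeps depending on two different rendering calls happening to agree. X500Principal.toString() is documented only as a user-friendly representation, not a fixed format; consider comparing the X500Principal objects with equals(), or rendering both sides with getName(X500Principal.RFC2253) or getName(X500Principal.CANONICAL), and changing the caller to getIssuerX500Principal() in the same patch. The old call left behind as "//Vector foundRDN = ..." should be deleted rather than commented out, since the revision history already records it.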
-Mike
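An added example, not part of the original post or of WSS4J: the lookup failure described above, reproduced with the two DN strings quoted in the message, next to a lookup that compares parsed X500Principal objects instead of strings. The class and method names, the in-memory alias map and the "Unrelated CA" entry are constructed for illustration; parseForwardOrder is a stand-in for cert.getSubjectX500Principal(), which needs a real certificate.

```java
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class DnLookupDemo {
    // The two renderings of the same CA name, as quoted in the post.
    static final String ISSUER_FROM_WIRE =
        "EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, "
        + "O=UMIACS, L=College Park, ST=Maryland, C=US";
    static final String SUBJECT_FROM_KEYSTORE =
        "C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,CN=Adapt Project CA,"
        + "E=toaster@umiacs.umd.edu";
    static final String EMAIL_OID = "1.2.840.113549.1.9.1"; // PKCS#9 emailAddress

    // Stand-in for cert.getSubjectX500Principal(): rebuilds the name from the
    // second rendering, which lists RDNs in the opposite order and uses "E".
    // Naive split: only valid for DNs without escaped commas, like this sample.
    static X500Principal parseForwardOrder(String dn) {
        List<String> rdns = new ArrayList<>(Arrays.asList(dn.split(",")));
        Collections.reverse(rdns);
        return new X500Principal(String.join(",", rdns),
                                 Collections.singletonMap("E", EMAIL_OID));
    }

    // Hypothetical alias lookup that compares parsed names, not strings.
    static List<String> aliasesFor(X500Principal issuer,
                                   Map<String, X500Principal> store) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, X500Principal> e : store.entrySet()) {
            if (e.getValue().equals(issuer)) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the keystore: alias -> subject name.
        Map<String, X500Principal> store = new LinkedHashMap<>();
        store.put("adapt-ca", parseForwardOrder(SUBJECT_FROM_KEYSTORE));
        store.put("unrelated", new X500Principal("CN=Unrelated CA, O=Example, C=US"));

        X500Principal issuer = new X500Principal(ISSUER_FROM_WIRE);
        System.out.println("strings equal:   "
            + ISSUER_FROM_WIRE.equals(SUBJECT_FROM_KEYSTORE));
        System.out.println("aliases by name: " + aliasesFor(issuer, store));
        System.out.println("canonical form:  "
            + issuer.getName(X500Principal.CANONICAL));
    }
}
```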