Posted to fx-dev@ws.apache.org by Mike <to...@umiacs.umd.edu> on 2005/07/26 17:12:53 UTC

possible bug in Merlin

Hi,
  I'm having some problems trying to validate signatures by using the 
issuer certificate. The issue appears to be with how certificates are 
resolved based on their DN. The following errors show up after turning 
debugging on:

[26/Jul/2005:10:41:30] No alias found for subject from issuer with EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US (serial 1048578)
[26/Jul/2005:10:41:30] No aliases found in keystore for issuer EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US of certificate for EMAILADDRESS=toaster@umiacs.umd.edu, CN=Pawn Client, OU=PAWN Client, O=UMIACS, ST=Maryland, C=US

When a cert comes in over the wire, WSDoAllReceiver.verifyTrust calls 
cert.getIssuerDN().getName(), which returns a DN in the form of:

  EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, 
O=UMIACS, L=College Park, ST=Maryland, C=US

However, when it tries to retrieve the corresponding certificate by 
looping in Merlin.getAliasesForDN, it calls getSubjectDN().getName() 
while building a vector to compare. This, however, will return

  C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,CN=Adapt Project 
CA,E=toaster@umiacs.umd.edu

Calling getSubjectX500Principal().toString() produces a compatible DN, and 
allows verification to work:

EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, OU=ADAPT CA, 
O=UMIACS, L=College Park, ST=Maryland, C=US

It looks like the problem is with how different providers handle the 
EMAILADDRESS string. In the javadoc for X509Certificate it's recommended 
to use getSubjectX500Principal and getIssuerX500Principal rather than 
the provider-specific getSubjectDN and getIssuerDN.

Index: src/org/apache/ws/security/components/crypto/Merlin.java
===================================================================
RCS file: 
/home/cvspublic/ws-wss4j/src/org/apache/ws/security/components/crypto/Merlin.java,v
retrieving revision 1.24
diff -r1.24 Merlin.java
665c665,666
<                     Vector foundRDN = splitAndTrim(((X509Certificate) 
cert).getSubjectDN().getName());
---
 >                     //Vector foundRDN = 
splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());
 >                     Vector foundRDN = splitAndTrim(((X509Certificate) 
cert).getSubjectX500Principal().toString());
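Review bot: the change only fixes the keystore side of the comparison; WSDoAllReceiver.verifyTrust still passes cert.getIssuerDN().getName() into getAliasesForDN, so a match now depends on that provider-specific string happening to agree with X500Principal.toString(), whose format the Javadoc describes as a user-friendly representation rather than a specified one. Use getIssuerX500Principal() on the incoming certificate as well, and compare either with X500Principal.equals() (which works on the canonical form) or with getName(X500Principal.RFC2253) on both sides instead of toString(). Also delete the old call rather than leaving it in the source as the commented-out line `//Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());`.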




-Mike
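Added example, not code from the post or from WSS4J: a small stdlib-only Python normalizer that parses the two renderings of the CA name quoted above (split on unescaped commas, trim, upper-case the attribute type, fold the provider-specific keyword aliases such as E/EMAILADDRESS) so that they compare equal, while a plain split-and-trim comparison of the raw strings does not. Function and constant names are my own; comparing the X500Principal objects themselves, as the post recommends, avoids string parsing of this kind altogether.

```python
# Keywords different providers print for the same attribute type. "E" vs
# "EMAILADDRESS" (PKCS#9 emailAddress) is the divergence quoted in the post.
_TYPE_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS", "S": "ST"}

def split_rdns(dn):
    """Split a DN on commas, keeping backslash-escaped commas inside a value."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts

def normalize_dn(dn):
    """Order-independent canonical form: sorted tuple of (TYPE, value).
    Types are upper-cased and alias-folded; values are only whitespace-trimmed,
    so a genuine difference in a value still makes two DNs unequal."""
    rdns = []
    for part in split_rdns(dn):
        part = part.strip()
        if not part:
            continue
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        attr_type = attr_type.strip().upper()
        rdns.append((_TYPE_ALIASES.get(attr_type, attr_type), value.strip()))
    return tuple(sorted(rdns))

def dns_match(dn_a, dn_b):
    """True when both strings name the same set of RDNs."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)

# Constructed from the two renderings of the CA name quoted in the post: the
# issuer DN read off the incoming certificate and the keystore's subject DN.
ISSUER_DN_FROM_WIRE = ("EMAILADDRESS=toaster@umiacs.umd.edu, CN=Adapt Project CA, "
                       "OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US")
SUBJECT_DN_FROM_KEYSTORE = ("C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,"
                            "CN=Adapt Project CA,E=toaster@umiacs.umd.edu")
```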