Posted to java-dev@axis.apache.org by "Samisa Abeysinghe (JIRA)" <ji...@apache.org> on 2010/12/21 11:51:00 UTC

[jira] Resolved: (RAMPART-266) Rampart module fails validating signing certificate when security provider is Bouncy Castle

     [ https://issues.apache.org/jira/browse/RAMPART-266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Samisa Abeysinghe resolved RAMPART-266.
---------------------------------------

       Resolution: Fixed
    Fix Version/s: NextVersion

As per Thilina's last comment, please follow the instructions provided.

> Rampart module fails validating signing certificate when security provider is Bouncy Castle
> -------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-266
>                 URL: https://issues.apache.org/jira/browse/RAMPART-266
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.4
>            Reporter: Ricardo Tercero Lozano
>            Assignee: Ruchith Udayanga Fernando
>             Fix For: NextVersion
>
>
> I found an error in class 'PolicyBasedResultsValidator', method 'verifyTrust'. This method gets the subject and issuer from the certificate to validate it.
>         String subjectString = cert.getSubjectDN().getName();
>         String issuerString = cert.getIssuerDN().getName();
>         BigInteger issuerSerial = cert.getSerialNumber();
> When using Bouncy Castle as security provider, 'getSubjectDN' and 'getIssuerDN' return a DN String representation that can be different from the one on the certificate (which is my case indeed).
> On the Bouncy Castle devel list, they recommend using 'getSubjectX500Principal' and 'getIssuerX500Principal' instead of the 'DN' methods. These methods return the values on the certificate, so matching could be right.
>         String subjectString = cert.getSubjectX500Principal().getName();
>         String issuerString = cert.getIssuerX500Principal().getName();
>         BigInteger issuerSerial = cert.getSerialNumber();
> A rampart configuration to use Bouncy Castle as provider could be:
> <ramp:signatureCrypto>
>     <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>         <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>         <ramp:property name="org.apache.ws.security.crypto.merlin.file">server.jks</ramp:property>
>         <ramp:property name="org.apache.ws.security.crypto.merlin.cert.provider">BC</ramp:property>
>         <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
>     </ramp:crypto>
> </ramp:signatureCrypto>
> This issue is probably related to RAMPART-226, as it is using the IBM security provider.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
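
Added example (not part of the JIRA issue and not Rampart code): the same distinguished name rendered in different string formats fails a plain String comparison, which is the kind of mismatch the report describes, while comparing parsed X500Principal objects succeeds. The DN and the class and method names are constructed for illustration; only the standard javax.security.auth.x500 API is used.

```java
import javax.security.auth.x500.X500Principal;

public class DnCompare {

    // Fragile check: the result depends on how each side rendered the DN as text.
    static boolean sameByString(String a, String b) {
        return a.equals(b);
    }

    // Robust check: parse both renderings and compare the names themselves.
    // X500Principal.equals() compares the canonical forms of the two names.
    static boolean sameByPrincipal(String a, String b) {
        return new X500Principal(a).equals(new X500Principal(b));
    }

    public static void main(String[] args) {
        // Constructed sample DN, not taken from the issue.
        X500Principal subject =
                new X500Principal("CN=Test Signer, OU=Dev, O=Example Org, C=ES");

        // One name, three textual renderings offered by the JDK.
        String rfc2253 = subject.getName(X500Principal.RFC2253);
        String rfc1779 = subject.getName(X500Principal.RFC1779);
        String canonical = subject.getName(X500Principal.CANONICAL);

        System.out.println("RFC2253   : " + rfc2253);
        System.out.println("RFC1779   : " + rfc1779);
        System.out.println("CANONICAL : " + canonical);

        // A trust check that stores one rendering and compares it with
        // another as raw text rejects a certificate it should accept.
        System.out.println("String match    : " + sameByString(rfc2253, rfc1779));
        System.out.println("Principal match : " + sameByPrincipal(rfc2253, rfc1779));
    }
}
```

When a trust check has to compare a certificate's subject or issuer against a keystore entry, comparing the X500Principal objects (or their CANONICAL names) avoids depending on any one provider's text rendering.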

