Posted to fx-dev@ws.apache.org by Dittmann Werner <we...@siemens.com> on 2004/06/01 18:34:41 UTC

Re: [jira] Created: (WSFX-10) Merlin.splitAndTrim() needs ordering to cope with different providers

All,

Need to cross check because according to X.509
the DN must be compared as it is stored in the certificate.

The creator of the certificate defines the order of the DN
components in the certificate. Thus if you create a cert with
e.g. OpenSSL then the DN is fixed after creation.

And obviously 2 certificates are identical only if both
are created with the same provider.

If the DN were modified after certificate creation
and signing by a Certificate Authority, it would become
invalid because the issuer's
signature is invalid afterwards.

Regards,
Werner

> -----Original Message-----
> From: jira@apache.org [mailto:jira@apache.org]
> Sent: Tuesday, 1 June 2004 17:22
> To: fx-dev@ws.apache.org
> Subject: [jira] Created: (WSFX-10) Merlin.splitAndTrim()
> needs ordering to cope with different providers
> 
> 
> Message:
> 
>   A new issue has been created in JIRA.
> 
> ---------------------------------------------------------------------
> View the issue:
>   http://issues.apache.org/jira/browse/WSFX-10
> 
> Here is an overview of the issue:
> ---------------------------------------------------------------------
>         Key: WSFX-10
>     Summary: Merlin.splitAndTrim() needs ordering to cope 
> with different providers
>        Type: Bug
> 
>      Status: Unassigned
>    Priority: Major
> 
>     Project: WSFX
>  Components: 
>              WSS4J
> 
>    Assignee: 
>    Reporter: Christof Soehngen
> 
>     Created: Tue, 1 Jun 2004 8:21 AM
>     Updated: Tue, 1 Jun 2004 8:21 AM
> Environment: CVS Snapshot from 2004-06-01
> 
> Description:
> When different providers are used to load and compare certs 
> (for example, SUN for keystore and BC for 
> certificateFactory), the ordering of the DN-parts (CN, ..., 
> C) may differ.
> 
> As a result, two semantically identical DNs may have 
> different results from splitAndTrim(). This leads to failure 
> to find an alias for a certificate given an issuer and the 
> serial, for example. Certificate path validation is a problem, too.
> 
> I suggest a simple sort to put the parts into a canonical order:
> 
> --- Merlin.java	2004-06-01 12:39:46.000000000 +0200
> +++ Merlin.java	2004-06-01 17:12:42.000000000 +0200
> @@ -264,6 +264,9 @@
>  		while (nmTokens.hasMoreTokens()) {
>  			vr.add(nmTokens.nextToken());
>  		}
> +		
> +		java.util.Collections.sort(vr);
> +		
>  		return vr;
>  	}
>  
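
Review bot: The java.util.Collections.sort(vr) added just before "return vr" changes the result for every caller of splitAndTrim(), so any two DNs with the same parts in a different order now compare equal everywhere, not only in the cross-provider lookup the description mentions. Consider leaving splitAndTrim() unchanged and applying the sort only in the comparison that needs order-insensitive matching, or at least documenting on the method that the returned list is sorted and no longer reflects the order in the certificate. The sort is a plain string ordering of the tokens, so it only helps when both providers emit identical parts; tokens that differ in case or attribute naming would still fail to match. Minor: the two added lines that contain only tabs can be dropped, and Collections can be imported rather than fully qualified.
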
> 
>
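
Added example, not part of the original thread and not WSS4J code: it contrasts the sorted-token comparison proposed in the issue with comparing the decoded name objects, using the standard javax.security.auth.x500.X500Principal class. The class name DnCompareExample, the helper splitTrimSort() and all DN strings are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.StringTokenizer;
import javax.security.auth.x500.X500Principal;

public class DnCompareExample {

    // Stand-in for the patched splitAndTrim(): split on ',', trim, sort.
    // (Hypothetical helper; ignores escaped commas inside values.)
    static List<String> splitTrimSort(String dn) {
        List<String> parts = new ArrayList<>();
        StringTokenizer tokens = new StringTokenizer(dn, ",");
        while (tokens.hasMoreTokens()) {
            parts.add(tokens.nextToken().trim());
        }
        Collections.sort(parts);
        return parts;
    }

    public static void main(String[] args) {
        // Constructed sample DN; stands for the DN stored in a certificate.
        X500Principal stored = new X500Principal("CN=Alice,OU=Dev,OU=Ops,C=DE");

        // Two string renderings of the same components in different order.
        String rfc2253 = stored.getName(X500Principal.RFC2253);
        String reversed = "C=DE, OU=Ops, OU=Dev, CN=Alice"; // constructed
        System.out.println("plain string equal:   " + rfc2253.equals(reversed));
        System.out.println("sorted parts equal:   "
                + splitTrimSort(rfc2253).equals(splitTrimSort(reversed)));

        // A different DN: the two OU components are swapped.
        X500Principal swapped = new X500Principal("CN=Alice,OU=Ops,OU=Dev,C=DE");
        System.out.println("sorted, swapped OUs:  "
                + splitTrimSort(rfc2253).equals(
                        splitTrimSort(swapped.getName(X500Principal.RFC2253))));

        // Comparing the decoded name objects instead: a second decode of the
        // same DER bytes is equal, the swapped DN is not.
        X500Principal decodedAgain = new X500Principal(stored.getEncoded());
        System.out.println("principal, same DER:  " + stored.equals(decodedAgain));
        System.out.println("principal, swapped:   " + stored.equals(swapped));
    }
}
```

In real code the two principals would come from X509Certificate.getIssuerX500Principal() or getSubjectX500Principal() on the certificates being compared, rather than from strings.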