Posted to wss4j-dev@ws.apache.org by bi...@hotmail.com on 2010/07/16 06:44:27 UTC
x509 naming constraints validation
A valid CA certificate in my keystore throws an exception since the wss4j code is not properly parsing a valid certificate.
Merlin.java
validateCertPath
does:
    public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
        ...
        // Add certificates from the keystore
        Enumeration aliases = this.keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            X509Certificate cert = (X509Certificate) this.keystore.getCertificate(alias);
            TrustAnchor anchor = new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
            set.add(anchor);
        }
...
The issue is that the cert.getExtensionValue bytes must be parsed prior to sending them to TrustAnchor, since it is valid to have the name constraints wrapped as an OCTET_STRING.
So the code should look like this:
    byte[] ba = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
    if (ba != null && ba[0] == 0x04) { // if ba is wrapped in a DER OCTET STRING, take its contents
        ba = ((org.bouncycastle.asn1.ASN1OctetString) org.bouncycastle.asn1.ASN1Object.fromByteArray(ba)).getOctets();
    }
    TrustAnchor anchor = new TrustAnchor(cert, ba);
Re: x509 naming constraints validation
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,
Can you create a JIRA and submit a patch for this? Preferably with a
test-case :-)
One problem with your suggested solution is that BouncyCastle is a
strictly optional dependency...see how CryptoBase.java handles this.
Colm.
On Fri, Jul 16, 2010 at 5:44 AM, <bi...@hotmail.com> wrote:
> A valid CA certificate in my keystore throws an exception since the wss4j
> code is not properly parsing a valid certificate
>
> Merlin.java
> validateCertPath
>
> does:
> public boolean validateCertPath(X509Certificate[] certs) throws
> WSSecurityException {
> ...
> // Add certificates from the keystore
> Enumeration aliases = this.keystore.aliases();
> while (aliases.hasMoreElements()) {
> String alias = (String) aliases.nextElement();
> X509Certificate cert =
> (X509Certificate) this.keystore.getCertificate(alias);
> TrustAnchor anchor =
> new TrustAnchor(cert,
> cert.getExtensionValue(NAME_CONSTRAINTS_OID));
> set.add(anchor);
> }
> ...
>
> The issue is that cert.getExtensionValue bytes must be parsed prior to
> sending to TrustAnchor since it is valid to have the name constraints
> wrapped as an OCTET_STRING
>
> So the code should look like this:
>
> byte[] ba = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
> if (ba != null && ba[0] == 0x04) { // if ba is wrapped in a DER OCTET STRING, take its contents
>     ba = ((org.bouncycastle.asn1.ASN1OctetString) org.bouncycastle.asn1.ASN1Object.fromByteArray(ba)).getOctets();
> }
> TrustAnchor anchor = new TrustAnchor(cert, ba);
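Added example (not code from this thread or from WSS4J) showing the same fix with the JDK alone, which sidesteps the optional-BouncyCastle problem Colm raises: it strips the DER OCTET STRING header that X509Certificate.getExtensionValue() places around every extension value, and main() uses a constructed NameConstraints encoding to show TrustAnchor rejecting the wrapped bytes and accepting the unwrapped ones. The class name, method names and the sample bytes are my own; only NAME_CONSTRAINTS_OID and the TrustAnchor usage come from the thread.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

public final class NameConstraintsAnchor {
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30"; // id-ce-nameConstraints
    // getExtensionValue() returns the extnValue OCTET STRING (RFC 5280 4.1); TrustAnchor
    // wants the NameConstraints SEQUENCE inside it, so strip tag 0x04 and its DER length.
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04)
            throw new IllegalArgumentException("not a DER OCTET STRING");
        int first = der[1] & 0xFF, hdr = 2, len = first;
        if (first == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
        if (first > 0x80) {                       // long form: 0x8N then N length octets
            int n = first & 0x7F;
            if (n > 4 || der.length < 2 + n) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            hdr = 2 + n;
        }
        if (hdr + len != der.length) throw new IllegalArgumentException("length mismatch");
        return Arrays.copyOfRange(der, hdr, der.length);
    }
    // What the keystore loop in Merlin.validateCertPath should do for each CA certificate.
    static TrustAnchor anchorFor(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
        return new TrustAnchor(cert, ext == null ? null : unwrapOctetString(ext));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of what getExtensionValue() returns for a CA whose
        // permittedSubtrees holds the single dNSName "a.test":
        // OCTET STRING { SEQUENCE { [0] { SEQUENCE { [2] IA5String "a.test" } } } }
        byte[] wrapped = { 0x04, 0x0E, 0x30, 0x0C, (byte) 0xA0, 0x0A, 0x30, 0x08,
                           (byte) 0x82, 0x06, 'a', '.', 't', 'e', 's', 't' };
        X500Principal ca = new X500Principal("CN=Test CA");
        PublicKey pub = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        try {                         // the reported bug: the wrapped bytes are rejected
            new TrustAnchor(ca, pub, wrapped);
        } catch (IllegalArgumentException e) {
            System.out.println("wrapped bytes rejected: " + e.getMessage());
        }
        TrustAnchor ok = new TrustAnchor(ca, pub, unwrapOctetString(wrapped)); // the fix
        System.out.println("unwrapped bytes accepted: " + ok.getNameConstraints().length + " bytes");
    }
}
```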