Posted to users@ws.apache.org by "Bennett III, James William" <ja...@indiana.edu> on 2012/09/19 23:24:55 UTC

Issuer name getting truncated

Hello everyone,

I work with an application which uses WSS4j version 1.5.11 and we get an exception fairly regularly which seems to truncate the end of the issuer name when it signs a request.  We end up seeing these exceptions thrown on the server when we make a web service call:

java.lang.IllegalArgumentException: improperly specified input name: CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:150)
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:102)
        at org.apache.ws.security.components.crypto.CryptoBase.createBCX509Name(CryptoBase.java:283)
        at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:335)
        at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:300)
        at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:562)
        at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:541)
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:377)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:116)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:219)
        at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:93)
        at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:41)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:102)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
        at org.kuali.rice.ksb.messaging.servlet.CXFServletControllerAdapter.handleRequest(CXFServletControllerAdapter.java:47)
        at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at org.kuali.rice.ksb.messaging.servlet.KSBDispatcherServlet.service(KSBDispatcherServlet.java:138)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
        at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: empty AVA in RDN ""
        at sun.security.x509.RDN.<init>(RDN.java:132)
        at sun.security.x509.X500Name.parseDN(X500Name.java:918)
        at sun.security.x509.X500Name.<init>(X500Name.java:148)
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:148)
        ... 45 more

I checked the keystore and the issuer name is "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US" so it appears that it is truncating the country off of the end but not removing the last comma which causes the name to be invalid.  Has anyone seen anything like this before?  If there's any other information I can provide please let me know.

Thanks,
James

Re: Issuer name getting truncated

Posted by Colm O hEigeartaigh <co...@apache.org>.
Does the message contain the truncated Issuer Name? If so the error is on
the outbound side (which I assume is also WSS4J). WSS4J 1.5.x uses the
XMLX509IssuerSerial class in Santuario 1.4.x to construct the Issuer name,
which calls the now denigrated getIssuerDN:

https://svn.apache.org/repos/asf/santuario/xml-security-java/branches/1.4.x-fixes/src/org/apache/xml/security/keys/content/x509/XMLX509IssuerSerial.java

You could check to see if the following code results in the truncated
String:

RFC2253Parser.normalize(x509certificate.getIssuerDN().getName());

A workaround is simply to use another way of referencing the certificate on
the client side, such as ThumbprintSHA1. I strongly encourage you to
upgrade to the latest WSS4J 1.6.x release, where this bug should be fixed.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
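
The check suggested in the reply above, written out as an added example; it is not code from the thread, WSS4J or Santuario. The class name IssuerDnCheck and its two command-line arguments (keystore file, alias) are assumptions, and it needs the Santuario (xmlsec) jar on the classpath and Java 9 or later.

```java
import java.io.Console;
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.apache.xml.security.utils.RFC2253Parser;

// Hypothetical diagnostic class; not part of WSS4J or Santuario.
public class IssuerDnCheck {

    /** Returns null if the JDK accepts the string as a DN, otherwise the parser's message. */
    static String parseError(String dn) {
        try {
            new X500Principal(dn);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    static void report(String label, String dn) {
        String err = parseError(dn);
        System.out.println(label + ": " + dn);
        System.out.println("    " + (err == null ? "parses OK" : "REJECTED: " + err));
    }

    public static void main(String[] args) throws Exception {
        // Baseline: the two issuer strings quoted in the thread.
        report("keystore value from the post", "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US");
        report("value in the exception", "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,");
        if (args.length != 2) {
            System.out.println("usage: IssuerDnCheck <keystore-file> <alias>");
            return;
        }
        // Prompt for the password so it does not end up in the process list or shell history.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(new File(args[0]), password); // Java 9+, detects the type
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + args[1]);

        // The same certificate's issuer, rendered three ways and re-parsed each time.
        String legacy = cert.getIssuerDN().getName();
        report("getIssuerDN().getName()", legacy);
        report("RFC2253Parser.normalize(...)", RFC2253Parser.normalize(legacy));
        report("getIssuerX500Principal(), RFC 2253",
               cert.getIssuerX500Principal().getName(X500Principal.RFC2253));
    }
}
```

If the normalize line is the only one reported as REJECTED for the signing certificate, the truncation happens on the sending side, which is the case the reply describes.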