You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Michal Zerola (JIRA)" <ji...@apache.org> on 2013/05/24 16:08:42 UTC

[jira] [Commented] (QPID-4875) [Java] The parsing logic for certificate subjects doesn't work properly in all cases

    [ https://issues.apache.org/jira/browse/QPID-4875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666337#comment-13666337 ] 

Michal Zerola commented on QPID-4875:
-------------------------------------

Hello,
I have created the patch which integrates the functionality from SSLUtil and ExternalSaslServer into the new static method of SSLUtil:

*public static String getIdFromSubject(String subject)*

At the same time I have implemented DN parsing which fixes the problem with e.g. injected CN inside OU field.
Please take a look at the attached patch.
Thanks,

Michal
                
> [Java] The parsing logic for certificate subjects doesn't work properly in all cases
> ------------------------------------------------------------------------------------
>
>                 Key: QPID-4875
>                 URL: https://issues.apache.org/jira/browse/QPID-4875
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker, Java Client, Java Common
>            Reporter: JAkub Scholz
>            Priority: Minor
>             Fix For: Future
>
>         Attachments: cert_parsing.patch
>
>
> The Java code seems to contain two places where the certificate subjects are being parsed. One is used in the client:
> {{common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java}}
> and the second is used in the broker:
> {{broker/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalSaslServer.java}}
> Both are actually doing the same - extracting the CN and DC components from the subject and creating the username. It should be reconsidered whether we want to reuse the SSLUtil functionality from the common part of the code in the broker code as well.
> However, a bigger problem is that the implementation in both places are not working correctly in all situations. One can very easily create a certificate with a subject / DN like this:
> {{C=FR,O=SUNGARD,OU="CLEARVISION CN=GLKXV_GLKXVALBBDBGEN1"}}
> such certificate actually doesn't contain a CN. But both current implementations will still identify the CN as {{GLKXV_GLKXVALBBDBGEN1"}} in the code. I would expect that this will happen only in very rare cases, but it should still be handled properly.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org