-
Bug
-
Resolution: Fixed
-
P4
-
1.4.0
-
beta2
-
x86
-
windows_nt
Name: boT120536 Date: 07/30/2001
java version "1.4.0-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-beta-b65)
Java HotSpot(TM) Client VM (build 1.4.0-beta-b65, mixed mode)
I'm trying to use the java.security.cert.X509CertSelector to select a
certificate. It fails to select by Subject or Issuer, but succeeds by serial
number, validity date, and null criteria.
I have code to reproduce this (appended below). In summary, I load a cert from
a file using the CertificateFactory. I pull the subject name from the cert and
initialize the X509CertSelector with it. Then I call
X509CertSelector.match(<the cert I read in and pulled the subject name from>).
It does not match.
I dumped out the certificate and the selector's subject. Here's the subject
from each:
Certificate subject:
SURNAME=rollman, EmailAddress=###@###.###, CN=PatTest, OU=BEA Sys
tems Enterprise Engineering, O="BEA Systems, Inc.", L=Nashua, ST=New Hampshire,
C=US
Selector Subject:
2.5.4.4=#1307726f6c6c6d616e,1.2.840.113549.1.9.1=#130f70617474
657374406265612e636f6d,CN=PatTest,OU=BEA Systems Enterprise Engineering,O=BEA Sy
stems, Inc.,L=Nashua,ST=New Hampshire,C=US
BTW, the 2.5.4.4 value maps to "rollman" and the 1.2.840.113549.1.9.1 value maps
to "###@###.###".
Since this doesn't work for Issuer either, I think there's a problem in the
underlying DN handling code.
Here's the reproducer. You need:
1) CLASSPATH=e:\certstoretests\classes;d:\jdk1.4\lib\tools.jar
where the following test lives in e:\certstoretests\selector and the
directory e:\certstoretests\classes exists
2) this makefile (or use your own):
CLASSFLAGS = -d e:\certstoretests\classes
JAVAFLAGS = "-verbose"
all:
javac $(JAVAFLAGS) $(CLASSFLAGS) SelectorTest.java
3) this is using JDK1.4 out of the box, including the CertPath providers
4) reproducer code:
/*
* X509CertSelector unit test.
* - usage: java certstoretests.selector.SelectorTest <certificate file name>
* - output:
* - message showing certificate factory provider
* - listing of all providers registered
* - the certificate (ie, cert.toString())
* - the X509CertSelector subjectDN (ie, selector.getSubjectAsString())
* - the results of the match attempt.
*
* NOTE: the part you care about is about lines 120-140
*/
package certstoretests.selector;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.String;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Date;
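/**
 * Reproducer for X509CertSelector subject matching.
 *
 * Loads one X.509 certificate from the file named on the command line,
 * builds an X509CertSelector whose subject is that certificate's own
 * subject DN (in its String form) and reports whether the selector
 * matches the certificate it was built from.  All output goes to
 * System.out; a failure in one step is reported, with the exception,
 * and the later steps are skipped instead of dereferencing null.
 */
class SelectorTest
{
    // index (into main's args) of the certificate file name
    int sourceIndex = 0;
    // true when the arguments were unusable and the usage text was printed
    boolean usageOnly = false;
    // end-entity certificate set by readEndEntity(); null until loaded
    private X509Certificate xcert = null;
    // certificate factory set by initProviders(); null until created
    private CertificateFactory cf = null;

    /**
     * Entry point: validate the arguments, create the factory, load the
     * certificate and run the match.  Returns right after the usage text
     * when no certificate file name was given, instead of going on to
     * index args[sourceIndex] and failing.
     *
     * @param args command-line arguments; one of them must be the certificate file name
     */
    public static void main (String[] args)
    {
        SelectorTest test = new SelectorTest(args);
        if (test.usageOnly)
        {
            return;
        }
        test.initProviders();
        test.getArgs(args);
        test.selectCriteria();
    }

    /**
     * Validates the arguments; prints the usage text and marks the
     * instance as usage-only when no certificate file name is present.
     *
     * @param args command-line arguments
     */
    public SelectorTest(String args[])
    {
        usageOnly = parseArguments(args);
        if (usageOnly)
        {
            outputUsage();
        }
    }

    /**
     * Reads the end-entity certificate named by the first non-switch argument.
     *
     * @param args command-line arguments already validated by the constructor
     */
    public void getArgs(String[] args)
    {
        readEndEntity(args[sourceIndex]);
    }

    /**
     * Obtains the X.509 CertificateFactory and lists every registered
     * security provider, so the output shows which provider the selector
     * behaviour comes from.  Leaves cf null when the factory cannot be
     * created; the exception is printed rather than swallowed.
     */
    public void initProviders()
    {
        try {
            System.out.println("INFO: getting CertificateFactory");
            // getInstance throws rather than returning null, so no null check is needed
            cf = CertificateFactory.getInstance("X.509");
            System.out.println("\ttype: " + cf.getType());
            System.out.println("\tprovider info: " + cf.getProvider().getInfo());
        }
        catch (Exception e)
        {
            System.out.println("***ERROR: exception getting CertificateFactory: " + e);
            System.out.println();
            return;
        }
        System.out.println("");
        System.out.println("All registered providers:");
        System.out.println("");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++)
        {
            System.out.println("\t["+i+"]: "+providers[i].getName());
            System.out.println("\t\t"+providers[i].getInfo());
        }
    }

    /**
     * Builds an X509CertSelector from the loaded certificate's subject DN
     * (the String returned by getSubjectDN().getName()) and matches the
     * selector against that same certificate.  "MATCHED" is the expected
     * outcome; "DID NOT MATCH" is the behaviour this test reproduces.
     * Reports an error and returns if no certificate was loaded.
     */
    public void selectCriteria()
    {
        if (xcert == null)
        {
            System.out.println("\t***ERROR: no certificate loaded, skipping match");
            return;
        }
        X509CertSelector selector = null;
        System.out.println("");
        System.out.println("INFO: creating X509CertSelector instance");
        try {
            selector = new X509CertSelector();
            // The String form of the DN is what this test deliberately
            // exercises: its formatting is provider-defined, so the selector
            // has to re-parse it.  Code that only needs a robust match should
            // prefer the X500Principal overload, setSubject(X500Principal),
            // fed from getSubjectX500Principal(), on JDKs that provide it.
            selector.setSubject(xcert.getSubjectDN().getName());
            selector.setMatchAllSubjectAltNames(false);
            System.out.println("selector subject: "+selector.getSubjectAsString());
        }
        catch (Exception e)
        {
            System.out.println("\t***ERROR: exception initializing Cert selector: " + e);
            return;
        }
        System.out.println("");
        System.out.println("INFO: matching certificate against subject");
        if (selector.match(xcert))
        {
            System.out.println("\tcertificate MATCHED");
        }
        else
        {
            System.out.println("\tcertificate DID NOT MATCH");
        }
    }

    /**
     * Loads one certificate from the named file and keeps it if it is an
     * X509Certificate.  The file stream is handed straight to the factory
     * (the former available()-sized buffer could truncate the input) and
     * is always closed.  Reports an error and returns if the factory was
     * never created.
     *
     * @param filename path of a certificate file in a form the factory accepts
     */
    private void readEndEntity(String filename)
    {
        System.out.println("");
        System.out.println("INFO: Getting end-entity cert from: "+filename);
        if (cf == null)
        {
            System.out.println("\t***ERROR: no CertificateFactory, cannot load certs");
            return;
        }
        FileInputStream certs_fis = null;
        try {
            certs_fis = new FileInputStream(filename);
            Certificate cert = cf.generateCertificate(certs_fis);
            if (cert instanceof X509Certificate)
            {
                xcert = (X509Certificate)cert;
                System.out.println("INFO: certificate: "+xcert.toString());
            }
            else
            {
                System.out.println("\t***ERROR: end-entity isn't an X509Certificate");
            }
        }
        catch (Exception e)
        {
            System.out.println("\t***ERROR: exception loading certs: " + e);
            System.out.println();
        }
        finally
        {
            if (certs_fis != null)
            {
                try
                {
                    certs_fis.close();
                }
                catch (IOException ignored)
                {
                    // the certificate has already been read; a close failure changes nothing
                }
            }
        }
    }

    /**
     * Locates the certificate file name among the arguments.  Arguments
     * starting with '/' or '-' are treated as switches and skipped (note
     * that this also skips absolute paths on Unix-style systems); the
     * first other argument is recorded in sourceIndex, wherever it
     * appears relative to the switches.
     *
     * @param args command-line arguments
     * @return true when usage should be printed: no arguments, or no
     *         non-switch argument
     */
    private boolean parseArguments(String args[])
    {
        sourceIndex = 0;
        if (args.length < 1)
        {
            return true;
        }
        for (int i = 0; i < args.length; i++)
        {
            if (isSwitch(args[i]))
            {
                continue;
            }
            sourceIndex = i;
            return false;
        }
        // every argument was a switch
        return true;
    }

    /**
     * Tells whether an argument is written like a command-line switch.
     *
     * @param arg one command-line argument
     * @return true when arg starts with '/' or '-'
     */
    private static boolean isSwitch(String arg)
    {
        return arg.startsWith("/") || arg.startsWith("-");
    }

    /**
     * Prints the command-line usage text.
     */
    private void outputUsage()
    {
        System.out.println("usage: certstoretests.selector.SelectorTest <entity>");
        System.out.println("where:");
        System.out.println("\tentity - is the directory+filename of the target certificate");
    }
}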
(Review ID: 127577)
======================================================================