- Bug
- Resolution: Fixed
- P3
- 6
- beta
- x86
- linux_redhat_3.0
- Verified
Attached certificate is generated by MS CA on windows 2003 server.
This is an interoperability issue. Keytool shows there are only four extensions in the certificate, but both the MS certificate tool & dumpasn1 show there are six extensions.
--------------------
keytool output:
--------------------
-bash-2.05b$ keytool -printcert -v -file DSA1024.crt
Owner: EMAILADDRESS=###@###.###, CN=xml dsig cert2, OU=j2se, O=sun, L=santa clara, ST=ca, C=US
Issuer: CN=MS CA, DC=jdksec, DC=sfbay, DC=sun, DC=com
Serial number: 1abc9a81000100000046
Valid from: Tue Jun 28 14:59:46 PDT 2005 until: Wed Jun 28 15:09:46 PDT 2006
Certificate fingerprints:
MD5: 43:71:40:C1:8D:B7:0D:83:B8:F2:98:77:90:58:24:41
SHA1: 4E:80:1A:4F:D6:23:61:1D:D8:B8:6E:88:61:3B:66:3D:9A:DC:0D:38
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 C2 F3 FA 17 56 6A 26 06 3B 69 FD FC E1 34 60 .....Vj&.;i...4`
0010: F8 D1 39 72 ..9r
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FF B4 C9 92 9E EC 89 A7 45 C6 AA AE 26 97 20 D1 ........E...&. .
0010: 3D 10 DE FC =...
]
]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
emailProtection
]
---------------------
dumpasn1 output:
---------------------
0 1523: SEQUENCE {
4 1243: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 10: INTEGER 1A BC 9A 81 00 01 00 00 00 46
25 13: SEQUENCE {
27 9: OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
38 0: NULL
: }
40 105: SEQUENCE {
42 19: SET {
44 17: SEQUENCE {
46 10: OBJECT IDENTIFIER
: domainComponent (0 9 2342 19200300 100 1 25)
58 3: IA5String 'com'
: }
: }
63 19: SET {
65 17: SEQUENCE {
67 10: OBJECT IDENTIFIER
: domainComponent (0 9 2342 19200300 100 1 25)
79 3: IA5String 'sun'
: }
: }
84 21: SET {
86 19: SEQUENCE {
88 10: OBJECT IDENTIFIER
: domainComponent (0 9 2342 19200300 100 1 25)
100 5: IA5String 'sfbay'
: }
: }
107 22: SET {
109 20: SEQUENCE {
111 10: OBJECT IDENTIFIER
: domainComponent (0 9 2342 19200300 100 1 25)
123 6: IA5String 'jdksec'
: }
: }
131 14: SET {
133 12: SEQUENCE {
135 3: OBJECT IDENTIFIER commonName (2 5 4 3)
140 5: PrintableString 'MS CA'
: }
: }
: }
147 30: SEQUENCE {
149 13: UTCTime 28/06/2005 21:59:46 GMT
164 13: UTCTime 28/06/2006 22:09:46 GMT
: }
179 136: SEQUENCE {
182 11: SET {
184 9: SEQUENCE {
186 3: OBJECT IDENTIFIER countryName (2 5 4 6)
191 2: PrintableString 'US'
: }
: }
195 11: SET {
197 9: SEQUENCE {
199 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
204 2: PrintableString 'ca'
: }
: }
208 20: SET {
210 18: SEQUENCE {
212 3: OBJECT IDENTIFIER localityName (2 5 4 7)
217 11: PrintableString 'santa clara'
: }
: }
230 12: SET {
232 10: SEQUENCE {
234 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
239 3: PrintableString 'sun'
: }
: }
244 13: SET {
246 11: SEQUENCE {
248 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
253 4: PrintableString 'j2se'
: }
: }
259 23: SET {
261 21: SEQUENCE {
263 3: OBJECT IDENTIFIER commonName (2 5 4 3)
268 14: PrintableString 'xml dsig cert2'
: }
: }
284 32: SET {
286 30: SEQUENCE {
288 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
299 17: IA5String '###@###.###'
: }
: }
: }
318 438: SEQUENCE {
322 299: SEQUENCE {
326 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
335 286: SEQUENCE {
339 129: INTEGER
: 00 F0 AA 19 08 95 4A 31 4D CB E3 B8 29 6E 59 72
: 8A 22 D8 82 07 53 87 32 C5 C1 CC E2 BF C8 79 F5
: 8D 59 EE 6C C8 1A DD 1B D4 36 2C 61 63 4D 08 5F
: 0C 58 62 63 6C 4A 99 62 70 75 F9 85 1A 6B 51 41
: 05 C3 D1 C0 B0 24 17 C4 AF 84 C5 7B 25 87 4D 31
: EF 43 E5 E3 3B 51 B3 38 73 B2 7C 08 A9 2C 31 DC
: 4F 2C 57 2C 44 C9 D4 09 B4 69 83 4A 36 BF 08 0E
: E7 00 D6 04 37 6F 40 05 C8 04 68 FD 60 15 FB 99
: [ Another 1 bytes skipped ]
471 21: INTEGER
: 00 82 12 2A D6 3B 97 C1 7F CB 54 37 8C 44 8A 62
: 5C 18 C3 90 A3
494 128: INTEGER
: 26 60 22 D2 E9 17 41 78 78 FC E2 95 63 0C 60 0F
: D8 47 F3 87 41 AC D2 01 2F 1C 26 F3 6D F8 F3 3C
: A3 96 8E 87 B8 31 98 B8 EA FD CF 2F B1 7F F4 F8
: AF 00 C3 60 9B CF 28 D0 85 57 59 26 1F EC EF 75
: CA 67 14 2D DC FE 37 2F 52 DE 18 3D 02 BE 17 46
: EE 5C 82 50 50 06 FC E9 02 C7 C0 FE 83 D2 B9 3B
: 39 DE E9 7A 3E BC 81 91 74 42 18 C7 DA FF 20 13
: B6 28 4B 0C 98 3C 00 76 EB 66 E4 34 DA AD 34 DB
: }
: }
625 132: BIT STRING, encapsulates {
629 128: INTEGER
: 2E A8 B5 AE A2 A4 95 C8 87 67 5E 8E A6 44 5C 5F
: 7E 4C F3 34 FA 33 10 2B 0C B9 C5 E6 43 ED A0 D7
: A9 B4 D1 C4 A9 69 1F 53 84 2D 33 75 1E 4F 29 49
: 96 C8 D5 62 8B F6 F0 52 42 67 0D A5 A9 4A AD 8D
: 78 7F 48 AA 52 F5 72 10 6B E3 EC AE BC 4D 5F 11
: 42 63 E5 B7 4D AF BF E1 93 F8 50 EB 89 D4 F5 D1
: 89 28 1F 44 D1 E2 8F 54 22 8E F6 D4 35 DA F5 09
: E6 2C BA 06 9C 85 48 B2 17 CB 67 B5 01 0E 80 E5
: }
: }
760 487: [3] {
764 483: SEQUENCE {
768 14: SEQUENCE {
770 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
775 1: BOOLEAN TRUE
778 4: OCTET STRING, encapsulates {
780 2: BIT STRING 6 unused bits
: '11'B
: }
: }
784 29: SEQUENCE {
786 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
791 22: OCTET STRING, encapsulates {
793 20: OCTET STRING
: 95 C2 F3 FA 17 56 6A 26 06 3B 69 FD FC E1 34 60
: F8 D1 39 72
: }
: }
815 19: SEQUENCE {
817 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
822 12: OCTET STRING, encapsulates {
824 10: SEQUENCE {
826 8: OBJECT IDENTIFIER emailProtection (1 3 6 1 5 5 7 3 4)
: }
: }
: }
836 31: SEQUENCE {
838 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
843 24: OCTET STRING, encapsulates {
845 22: SEQUENCE {
847 20: [0]
: FF B4 C9 92 9E EC 89 A7 45 C6 AA AE 26 97 20 D1
: 3D 10 DE FC
: }
: }
: }
869 148: SEQUENCE {
872 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
877 140: OCTET STRING, encapsulates {
880 137: SEQUENCE {
883 134: SEQUENCE {
886 131: [0] {
889 128: [0] {
892 62: [6]
: 'http://ionpulse.jdksec.sfbay.sun.com/CertEnroll/'
: 'MS%20CA(1).crl'
956 62: [6]
: 'file://\\IONPULSE.jdksec.sfbay.sun.com\CertEnrol'
: 'l\MS CA(1).crl'
: }
: }
: }
: }
: }
: }
1020 228: SEQUENCE {
1023 8: OBJECT IDENTIFIER authorityInfoAccess (1 3 6 1 5 5 7 1 1)
1033 215: OCTET STRING, encapsulates {
1036 212: SEQUENCE {
1039 104: SEQUENCE {
1041 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
1051 92: [6]
: 'http://ionpulse.jdksec.sfbay.sun.com/CertEnroll/'
: 'IONPULSE.jdksec.sfbay.sun.com_MS%20CA(1).crt'
: }
1145 104: SEQUENCE {
1147 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
1157 92: [6]
: 'file://\\IONPULSE.jdksec.sfbay.sun.com\CertEnrol'
: 'l\IONPULSE.jdksec.sfbay.sun.com_MS CA(1).crt'
: }
: }
: }
: }
: }
: }
: }
1251 13: SEQUENCE {
1253 9: OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
1264 0: NULL
: }
1266 257: BIT STRING
: 4D C1 86 11 C1 E8 69 F6 21 D2 72 AD 97 E7 31 53
: 37 16 1B 8D 88 6F A6 EA 0E 56 D9 41 33 7E 19 76
: D5 6B FD 54 CB 86 CE F0 6E 0F 50 5B B2 05 89 13
: AB 83 82 E7 9B 95 71 92 6E D9 C5 0D B1 2E C3 6D
: A3 E3 38 36 69 15 78 5C 92 E8 55 5D 02 CB D6 7C
: 3C 35 4D 62 8E 38 D1 C6 05 55 49 20 46 8A 35 35
: FC 07 7C 55 D9 CD 70 FF E9 3A 2C 22 19 C7 96 BF
: 9D 04 B0 19 26 91 BE 81 25 DC F9 65 63 D6 F9 39
: [ Another 128 bytes skipped ]
: }
0 warnings, 0 errors.
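An independent way to count the extensions, as an added example that is not part of the original report or of the JDK: a minimal DER walker that lists each extension's OID and criticality while leaving extnValue undecoded, so an entry is counted whether or not its value parses. The sample bytes are constructed (OIDs, order and lengths follow the dumpasn1 listing above, values are zero-filled), and `tlv`, `ROWS` and `missing_from_keytool` are hypothetical names.

```python
def read_tlv(buf, pos):  # -> (tag, content, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:                         # base-128 digits, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def list_extensions(der):  # Extensions ::= SEQUENCE OF Extension; extnValue stays opaque
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        critical = t == 0x01 and val != b"\x00"
        if t == 0x01:                      # optional BOOLEAN present: extnValue follows
            t, val, p = read_tlv(ext, p)
        found.append((decode_oid(oid), critical, len(val)))
    return found

def tlv(tag, body):  # hypothetical helper, used only to build the sample below
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

# Constructed sample: (OID bytes, critical, extnValue length) in dumpasn1 order.
ROWS = [("551d0f", True, 4), ("551d0e", False, 22), ("551d25", False, 12),
        ("551d23", False, 24), ("551d1f", False, 140), ("2b06010505070101", False, 215)]
SAMPLE = tlv(0x30, b"".join(
    tlv(0x30, tlv(0x06, bytes.fromhex(o)) + (b"\x01\x01\xff" if c else b"") + tlv(0x04, bytes(n)))
    for o, c, n in ROWS))
KEYTOOL_OIDS = {"2.5.29.15", "2.5.29.14", "2.5.29.35", "2.5.29.37"}  # from the keytool output

def missing_from_keytool(der):
    return [oid for oid, _, _ in list_extensions(der) if oid not in KEYTOOL_OIDS]
```

Run against the sample, `missing_from_keytool(SAMPLE)` returns the cRLDistributionPoints and authorityInfoAccess OIDs, the two entries that appear in the dumpasn1 listing but not in the keytool output.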
relates to
- JDK-6336392 X509V3/interop test failed due to cert toString contains java.io.IOException (Closed)
- JDK-6500133 REGRESSION: CertificateParsingException for CRL Distribution Point with blank (Closed)
- JDK-7192202 Make sure keytool prints both unknown and unparseable extensions (Closed)