WSS4J / WSS-225

'Unprintable' characters in Distinguished Name causing comparison failure



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9, 1.6
    • Component/s: None
    • Labels: None
    • Environment: XP, Java 1.6


      Certain characters used in elements of a DN are considered unprintable as per RFC2252. The underscore '_' character is one of these characters.

      If the certificate is read from a Java key store, and ((X509Certificate) cert).getSubjectX500Principal() is used to obtain the X500Principal, and getName(X500Principal.CANONICAL) is called on it, I find that its common name has been hex encoded as follows:


      In the getAlias method of org.apache.ws.security.components.crypto.CryptoBase the equals method of X500Principal is used to compare certificates in a trust store against a given DN.

      The canonical form of the DN is used in this comparison.

      The problem is that the given DN X500Principal object is created using the X500Principal(String DN) constructor. This object results in a canonical name that is not encoded. So the equals comparison fails, as the cert from the keystore is encoded and the given one isn't.

      Here's a suggested change that overcomes this problem:

      import java.security.KeyStore;
      import java.security.KeyStoreException;
      import java.security.cert.Certificate;
      import java.security.cert.X509Certificate;
      import java.util.Enumeration;
      import java.util.Vector;
      import javax.security.auth.x500.X500Principal;
      import org.apache.ws.security.WSSecurityException;

      private Vector getAlias(X500Principal subjectRDN, KeyStore store) throws WSSecurityException {
          // Store the aliases found
          Vector aliases = new Vector();
          Certificate cert = null;

          try {
              for (Enumeration e = store.aliases(); e.hasMoreElements();) {
                  String alias = (String) e.nextElement();

                  Certificate[] certs = store.getCertificateChain(alias);
                  if (certs == null || certs.length == 0) {
                      // no cert chain, so let's check if getCertificate gives us a result.
                      cert = store.getCertificate(alias);
                      if (cert == null) {
                          return null;
                      }
                      certs = new Certificate[] { cert };
                  } else {
                      cert = certs[0];
                  }

                  if (cert instanceof X509Certificate) {
                      X500Principal foundRDN = ((X509Certificate) cert).getSubjectX500Principal();
                      // Round-trip the cert's DN through its RFC 1779 string form so that an
                      // attribute value containing "unprintable" characters (e.g. '_') is
                      // re-encoded the same way as a DN built with X500Principal(String);
                      // otherwise the canonical form of the cert's DN stays hex-encoded and
                      // equals() never matches.
                      X500Principal foundRDNUnencoded =
                          new X500Principal(foundRDN.getName(X500Principal.RFC1779));

                      if (subjectRDN.equals(foundRDNUnencoded)) {
                          aliases.add(alias);
                      }
                  }
              }
          } catch (KeyStoreException e) {
              throw new WSSecurityException(WSSecurityException.FAILURE, "keystore", null, e);
          }

          return aliases;
      }
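The mismatch described in this issue can be reproduced without a keystore. The following is an added illustration, not code from the WSS4J project or from the reporter: it hand-builds the DER encoding of a subject name whose CN value ("a_b") is stored as a TeletexString (T61String), which is how some tools encode values that fall outside the PrintableString set, and compares it against the same DN built from a String. The class and method names (DnEncodingMismatch, fromCertificate, fromString, normalise) and the DER bytes are constructed for this example and are assumptions about how the affected certificate was encoded.

```java
import javax.security.auth.x500.X500Principal;

/**
 * Added illustration for WSS-225 (not part of the original report or of WSS4J).
 *
 * X500Principal.equals() compares the RFC 2253 canonical forms of two names. When a
 * DN attribute value is DER-encoded with a string type other than PrintableString or
 * UTF8String, the JDK renders it in the canonical form as a '#'-prefixed hex string.
 * A DN built with X500Principal(String) encodes '_' values as UTF8String, so its
 * canonical form is plain text and the two names never compare equal.
 */
public class DnEncodingMismatch {

    // Constructed DER for: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), T61String "a_b" } } }
    // (assumed encoding of the keystore certificate's subject; built by hand for this example)
    private static final byte[] T61_ENCODED_CN_A_B = {
        0x30, 0x0e,                          // Name SEQUENCE
        0x31, 0x0c,                          //   RelativeDistinguishedName SET
        0x30, 0x0a,                          //     AttributeTypeAndValue SEQUENCE
        0x06, 0x03, 0x55, 0x04, 0x03,        //       OID 2.5.4.3 = commonName
        0x14, 0x03, 0x61, 0x5f, 0x62         //       T61String "a_b" (tag 0x14)
    };

    /** The DN as a trust-store lookup sees it: parsed from the certificate's DER. */
    static X500Principal fromCertificate() {
        return new X500Principal(T61_ENCODED_CN_A_B);
    }

    /** The DN as the caller supplies it: parsed from a String ('_' forces a UTF8String value). */
    static X500Principal fromString() {
        return new X500Principal("CN=a_b");
    }

    /**
     * The workaround suggested in the issue: serialise the DN to its RFC 1779 string form,
     * which decodes the value back to plain characters, then parse it again so both sides
     * carry the same string type before their canonical forms are compared.
     */
    static X500Principal normalise(X500Principal dn) {
        return new X500Principal(dn.getName(X500Principal.RFC1779));
    }

    /** True when the caller's DN matches the certificate DN after normalisation. */
    static boolean matches(X500Principal given, X500Principal stored) {
        return given.equals(normalise(stored));
    }

    public static void main(String[] args) {
        X500Principal stored = fromCertificate();
        X500Principal given = fromString();

        System.out.println("canonical (from cert DER) : " + stored.getName(X500Principal.CANONICAL));
        System.out.println("canonical (from String)   : " + given.getName(X500Principal.CANONICAL));
        System.out.println("equals() without fix      : " + given.equals(stored));
        System.out.println("equals() with RFC1779 fix : " + matches(given, stored));
    }
}
```

Running the class shows the first canonical string with a hex-encoded CN value and the second with the plain value, the direct equals() returning false, and the comparison after normalise() returning true. Two points to keep in mind when applying this in a trust-store lookup: the round trip deliberately discards the original DER string type, so two certificates whose subjects differ only in that encoding will both match the requested DN (which is the behaviour an alias search wants, but not a substitute for checking the certificate itself), and the symptom of the unfixed comparison is a lookup that silently finds no alias, which in WSS4J surfaces as a verification failure rather than as an obvious encoding error.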




            Assignee: Colm O hEigeartaigh (coheigea)
            Reporter: Tom Trader (tradertom)