0 Replies Latest reply on Sep 21, 2018 1:34 PM by mchoma

    Certificate was not decoded - no values of attribute [2.5.4.3]

    nikolamnetset
    nikolamnetset Sep 21, 2018 7:53 AM

      I am trying to configure client-cert authentication on WildFly 13. When I generate my certificates using keytool everything works fine,

      but when I generate the same cert with KeyStore Explorer (I am sure they are the same in terms of fields) I get the following log from wildlfy:

       

      09:43:07,034 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.X509PeerCertificateChainEvidence@30529f64  evidencePrincipal = CN=example, OU=asdf, O=asdf, L=asdf, ST=asdf, C=rs

      09:43:07,038 TRACE [org.wildfly.security] (default task-1) X500 principal [CN=example, OU=asdf, O=asdf, L=asdf, ST=asdf, C=rs] was not decoded - no values of attribute [2.5.4.3]

      09:43:07,039 TRACE [org.wildfly.security] (default task-1) Principal assigning: [CN=example, OU=asdf, O=asdf, L=asdf, ST=asdf, C=rs], pre-realm rewritten: [CN=example,OU=asdf,O=asdf,L=asdf,ST=asdf,C=rs], realm name: [QuickstartRealm], post-realm rewritten: [CN=example,OU=asdf,O=asdf,L=asdf,ST=asdf,C=rs], realm rewritten: [CN=example,OU=asdf,O=asdf,L=asdf,ST=asdf,C=rs]

      09:43:07,042 TRACE [org.wildfly.security] (default task-1) X500 principal [CN=example, OU=asdf, O=asdf, L=asdf, ST=asdf, C=rs] was not decoded - no values of attribute [2.5.4.3]

      09:43:07,042 TRACE [org.wildfly.security] (default task-1) Evidence verification failed - alias [CN=example,OU=asdf,O=asdf,L=asdf,ST=asdf,C=rs] does not exist in KeyStore

      09:43:07,042 TRACE [org.wildfly.security.http.cert] (default task-1) X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: false

      09:43:07,043 TRACE [org.wildfly.security.http.cert] (default task-1) Both, re-authentication and authentication, failed

      09:43:07,043 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail

       

      WF is unable to decode my certificate, but here is what it prints as contents of the received certificate:

      [

        Version: V3

        Subject: CN=example, OU=asdf, O=asdf, L=asdf, ST=asdf, C=rs

        Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

       

       

        Key:  Sun RSA public key, 2048 bits

        modulus: 28943634218833075869632324433022151787018384224070249665101807818438202659591156759759666762051504811552492880199168272161250156886273013609997722588165302427369945497172245236093809802284926988359896403558563983410931415513674898937445320875902158179450082720181971760142608638028320883078395306843890675049967571183410745427508478025750573157321256427090420913692249228252176013421163771007476575189291125856362016517284836093451834772827901488798525254587359571783033998088782765150784776005194928828397033440623126660304800406643410145879503565761758203792019679457711082675193630263127610812597559102497541144591

        public exponent: 65537

        Validity: [From: Thu Sep 20 17:18:43 CEST 2018,

                     To: Fri Sep 20 17:18:43 CEST 2019]

        Issuer: CN=example, OU=asdf, O=asdf, L=asdf, ST=asdf, C=rs

        SerialNumber: [    5ba3ba53]

       

       

      Certificate Extensions: 1

      [1]: ObjectId: 2.5.29.14 Criticality=false

      SubjectKeyIdentifier [

      KeyIdentifier [

      0000: 4F 16 F1 44 5D 47 48 CB                            O..D]GH.

      ]

      ]

       

       

      ]

       

      Can you help me?

       

      UPDATE:

      I noticed that there is a difference the type of CN field. The version that works has a PrintableString type for CN field, and the version that doesn't work has UTF8String as a type for CN field.