1 Reply Latest reply on Jul 9, 2008 3:13 AM by Alessio Soldano

    X509 Certificate issuer comparison

    Alessio Soldano Master

      Grant Sheppard says:

      Hi Alessio,

      I'm relatively new to JBoss so I'm not sure whether what I've found is a bug; however, it seems to be. In the org.jboss.ws.extensions.security.SecurityStore class there is a method getCertificateByIssuerSerial(String issuer, String serial) that attempts to find an X509Certificate based on the given issuer and serial. The method iterates over the stored certificates and compares the given issuer and serial with the issuer and serial from each certificate. The comparison of the issuer (based on the DN of the cert) is a simple string comparison which does not take into account the various formats that a DN can take (see RFC 2253). So if a client sends an issuer DN that is not identical to the one stored in a cert, then the match fails.

      The solution I think would be to take the component parts of the DN and do the comparison based on these individual parts, ignoring any separator characters or extra whitespace.

      Hope this makes sense and helps,

      Regards,

      Grant Sheppard
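The component-wise issuer comparison Grant proposes, shown as an added example that is not the JBoss WS code: it uses the JDK's javax.security.auth.x500.X500Principal, whose equals() compares the RFC 2253 canonical form (attribute-type case, value case and whitespace normalised) instead of the raw DN string; the class and method names here are hypothetical, and the serial is assumed to be the decimal integer used by the X509SerialNumber element.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

public class IssuerSerialMatch {

    // Compare a client-supplied issuer DN against a certificate's issuer by
    // canonical RFC 2253 form rather than by String.equals. A DN that cannot
    // be parsed can never match, so it is rejected instead of thrown.
    static boolean issuerMatches(String requestedIssuer, X500Principal certIssuer) {
        X500Principal requested;
        try {
            requested = new X500Principal(requestedIssuer);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return requested.equals(certIssuer);
    }

    // Serial numbers are integers: compare numerically so that leading zeros
    // or surrounding whitespace in the request do not break the lookup.
    static boolean serialMatches(String requestedSerial, BigInteger certSerial) {
        try {
            return new BigInteger(requestedSerial.trim()).equals(certSerial);
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Drop-in predicate for the loop over stored certificates.
    static boolean matches(String issuer, String serial, X509Certificate cert) {
        return issuerMatches(issuer, cert.getIssuerX500Principal())
            && serialMatches(serial, cert.getSerialNumber());
    }

    public static void main(String[] args) {
        // Constructed sample: the issuer as it appears in the stored cert.
        X500Principal stored = new X500Principal("CN=Test CA, O=Example Corp, C=US");
        String[] requested = {
            "CN=Test CA, O=Example Corp, C=US",   // identical string
            "CN=Test CA,O=Example Corp,C=US",     // no spaces after separators
            "cn=test ca,  o=Example Corp , c=US", // different case, extra whitespace
            "CN=Other CA, O=Example Corp, C=US"   // genuinely different issuer
        };
        for (String dn : requested) {
            System.out.println(issuerMatches(dn, stored) + "  <- " + dn);
        }
        System.out.println(serialMatches(" 0042 ", new BigInteger("42")));
    }
}
```

The first three DNs match and the fourth does not; the raw String.equals used in SecurityStore would accept only the first.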