qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michal Zerola (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-4875) [Java] The parsing logic for certificate subjects doesn't work properly in all cases
Date Fri, 24 May 2013 14:08:42 GMT

    [ https://issues.apache.org/jira/browse/QPID-4875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13666337#comment-13666337

Michal Zerola commented on QPID-4875:

I have created the patch which integrates the functionality from SSLUtil and ExternalSaslServer
into the new static method of SSLUtil:

*public static String getIdFromSubject(String subject)*

At the same time I have implemented DN parsing which fixes the problem with e.g. injected
CN inside OU field.
Please take a look at the attached patch.

> [Java] The parsing logic for certificate subjects doesn't work properly in all cases
> ------------------------------------------------------------------------------------
>                 Key: QPID-4875
>                 URL: https://issues.apache.org/jira/browse/QPID-4875
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker, Java Client, Java Common
>            Reporter: JAkub Scholz
>            Priority: Minor
>             Fix For: Future
>         Attachments: cert_parsing.patch
> The Java code seems to contain two places where the certificate subjects are being parsed.
One is used in the client:
> {{common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java}}
> and the second is used in the broker:
> {{broker/src/main/java/org/apache/qpid/server/security/auth/sasl/external/ExternalSaslServer.java}}
> Both are actually doing the same - extracting the CN and DC components from the subject
and creating the username. It should be reconsidered whether we want to reuse the SSLUtil
functionality from the common part of the code in the broker code as well.
> However, a bigger problem is that the implementation in both places are not working correctly
in all situations. One can very easily create a certificate with a subject / DN like this:
> such certificate actually doesn't contain a CN. But both current implementations will
still identify the CN as {{GLKXV_GLKXVALBBDBGEN1"}} in the code. I would expect that this
will happen only in very rare cases, but it should still be handled properly.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message