ws-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Issuer name getting truncated
Date Thu, 20 Sep 2012 10:00:56 GMT
Does the message contain the truncated Issuer Name? If so the error is on
the outbound side (which I assume is also WSS4J). WSS4J 1.5.x uses the
XMLX509IssuerSerial class in Santuario 1.4.x to construct the Issuer name,
which calls the now denigrated getIssuerDN:

https://svn.apache.org/repos/asf/santuario/xml-security-java/branches/1.4.x-fixes/src/org/apache/xml/security/keys/content/x509/XMLX509IssuerSerial.java

You could check to see if the following code results in the truncated
String:

RFC2253Parser.normalize(x509certificate.getIssuerDN().getName());

A workaround is simply to use another way of referencing the certificate on
the client side, such as ThumbprintSHA1. I strongly encourage you to
upgrade to the latest WSS4J 1.6.x release, where this bug should be fixed.

Colm.



On Wed, Sep 19, 2012 at 10:24 PM, Bennett III, James William <
jawbenne@indiana.edu> wrote:

> Hello everyone,
>
> I work with an application which uses WSS4j version 1.5.11 and we get an
> exception fairly regularly which seems to truncate the end of the issuer
> name when it signs a request.  We end up seeing these exceptions thrown on
> the server when we make a web service call:
>
> java.lang.IllegalArgumentException: improperly specified input name: CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,
>         at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:150)
>         at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:102)
>         at org.apache.ws.security.components.crypto.CryptoBase.createBCX509Name(CryptoBase.java:283)
>         at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:335)
>         at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:300)
>         at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:562)
>         at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:541)
>         at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:377)
>         at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:116)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:219)
>         at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:93)
>         at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:41)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>         at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:102)
>         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
>         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
>         at org.kuali.rice.ksb.messaging.servlet.CXFServletControllerAdapter.handleRequest(CXFServletControllerAdapter.java:47)
>         at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
>         at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>         at org.kuali.rice.ksb.messaging.servlet.KSBDispatcherServlet.service(KSBDispatcherServlet.java:138)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
>         at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Caused by: java.io.IOException: empty AVA in RDN ""
>         at sun.security.x509.RDN.<init>(RDN.java:132)
>         at sun.security.x509.X500Name.parseDN(X500Name.java:918)
>         at sun.security.x509.X500Name.<init>(X500Name.java:148)
>         at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:148)
>         ... 45 more
>
> I checked the keystore and the issuer name is “CN=Foo
> Bar,OU=Baz,O=Org,L=City,ST=IN,C=US” so it appears that it is truncating the
> country off of the end but not removing the last comma which causes the
> name to be invalid.  Has anyone seen anything like this before?  If there’s
> any other information I can provide please let me know.
>
> Thanks,
>
> James
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
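
The check suggested in the reply above can be run against the signing certificate with a small stand-alone program. This is an added example, not code from the original message or from WSS4J/Santuario; the class name IssuerDnCheck and the command-line arguments (keystore path, password, alias) are assumptions, and the Santuario jar must be on the classpath for RFC2253Parser.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.apache.xml.security.utils.RFC2253Parser; // Santuario jar on the classpath

// Hypothetical diagnostic class; usage: java IssuerDnCheck <keystore> <password> <alias>
public class IssuerDnCheck {

    // True if the JDK accepts the string as a distinguished name.
    static boolean parses(String dn) {
        try {
            new X500Principal(dn);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    static void report(String label, String dn) {
        System.out.printf("%-34s %s [%s]%n", label, dn, parses(dn) ? "parses" : "REJECTED");
    }

    public static void main(String[] args) throws Exception {
        // The two strings quoted in the thread, as a baseline.
        report("keystore issuer (from thread)", "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US");
        report("issuer in exception (from thread)", "CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,");
        if (args.length < 3) {
            return; // no keystore given: only the baseline strings are checked
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + args[2]);
        }
        String legacy = cert.getIssuerDN().getName();
        report("getIssuerDN().getName()", legacy);
        // The expression suggested in the reply above.
        report("RFC2253Parser.normalize(...)", RFC2253Parser.normalize(legacy));
        // JDK replacement for getIssuerDN, printed for comparison.
        report("getIssuerX500Principal()", cert.getIssuerX500Principal().getName());
    }
}
```

If the normalize line is reported as REJECTED while the other two parse, the truncation happens on the signing side, as the reply suspects.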
