Does the message contain the truncated Issuer Name? If so the error is on the outbound side (which I assume is also WSS4J). WSS4J 1.5.x uses the XMLX509IssuerSerial class in Santuario 1.4.x to construct the Issuer name, which calls the now deprecated getIssuerDN:

https://svn.apache.org/repos/asf/santuario/xml-security-java/branches/1.4.x-fixes/src/org/apache/xml/security/keys/content/x509/XMLX509IssuerSerial.java

You could check to see if the following code results in the truncated String:

RFC2253Parser.normalize(x509certificate.getIssuerDN().getName());

A workaround is simply to use another way of referencing the certificate on the client side, such as ThumbprintSHA1. I strongly encourage you to upgrade to the latest WSS4J 1.6.x release, where this bug should be fixed.

Colm.



On Wed, Sep 19, 2012 at 10:24 PM, Bennett III, James William <jawbenne@indiana.edu> wrote:

Hello everyone,

I work with an application which uses WSS4j version 1.5.11 and we get an exception fairly regularly which seems to truncate the end of the issuer name when it signs a request.  We end up seeing these exceptions thrown on the server when we make a web service call:

java.lang.IllegalArgumentException: improperly specified input name: CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:150)
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:102)
        at org.apache.ws.security.components.crypto.CryptoBase.createBCX509Name(CryptoBase.java:283)
        at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:335)
        at org.apache.ws.security.components.crypto.CryptoBase.getAliasForX509Cert(CryptoBase.java:300)
        at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerialAlias(SecurityTokenReference.java:562)
        at org.apache.ws.security.message.token.SecurityTokenReference.getX509IssuerSerial(SecurityTokenReference.java:541)
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:377)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:116)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:219)
        at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:93)
        at org.kuali.rice.ksb.security.soap.CXFWSS4JInInterceptor.handleMessage(CXFWSS4JInInterceptor.java:41)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:102)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
        at org.kuali.rice.ksb.messaging.servlet.CXFServletControllerAdapter.handleRequest(CXFServletControllerAdapter.java:47)
        at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at org.kuali.rice.ksb.messaging.servlet.KSBDispatcherServlet.service(KSBDispatcherServlet.java:138)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
        at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: empty AVA in RDN ""
        at sun.security.x509.RDN.<init>(RDN.java:132)
        at sun.security.x509.X500Name.parseDN(X500Name.java:918)
        at sun.security.x509.X500Name.<init>(X500Name.java:148)
        at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:148)
        ... 45 more

I checked the keystore and the issuer name is “CN=Foo Bar,OU=Baz,O=Org,L=City,ST=IN,C=US” so it appears that it is truncating the country off of the end but not removing the last comma which causes the name to be invalid.  Has anyone seen anything like this before?  If there’s any other information I can provide please let me know.

Thanks,

James 




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
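The diagnostic Colm suggests, written out as a small stand-alone Java program. This is an added example, not code from the thread or from WSS4J/Santuario. It assumes a JKS keystore whose path, password and alias are passed on the command line, and that xmlsec 1.4.x (which provides org.apache.xml.security.utils.RFC2253Parser) is on the classpath. It prints the issuer name as Santuario 1.4.x builds it (via the deprecated getIssuerDN() plus RFC2253Parser.normalize), next to the JDK's own RFC 2253 rendering from getIssuerX500Principal(), and then re-parses the normalized string with X500Principal exactly as the receiving side does, so a truncated name fails here rather than in the server log.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.apache.xml.security.utils.RFC2253Parser;

/** Checks whether the outbound Issuer Name a WSS4J 1.5.x client would emit is well-formed. */
public class IssuerNameCheck {

    /** Returns true when the Santuario-style issuer string parses as an X.500 name. */
    static boolean issuerNameIsWellFormed(X509Certificate cert) {
        // What XMLX509IssuerSerial in Santuario 1.4.x starts from (deprecated API).
        String legacy = cert.getIssuerDN().getName();
        // What actually ends up in <ds:X509IssuerName> on the wire.
        String normalized = RFC2253Parser.normalize(legacy);
        // The JDK's own RFC 2253 form, for comparison.
        String reference = cert.getIssuerX500Principal().getName(X500Principal.RFC2253);

        System.out.println("getIssuerDN().getName()   : " + legacy);
        System.out.println("RFC2253Parser.normalize() : " + normalized);
        System.out.println("X500Principal RFC2253     : " + reference);

        // The symptom in the thread: the last RDN dropped but its separator kept.
        if (normalized.endsWith(",")) {
            System.out.println("-> trailing comma: the final RDN was lost");
        }
        if (!normalized.equals(reference)) {
            System.out.println("-> normalized form differs from the JDK RFC 2253 form");
        }

        // Replay what the receiver does (CryptoBase.createBCX509Name -> X500Principal).
        try {
            new X500Principal(normalized);
            return true;
        } catch (IllegalArgumentException e) {
            System.out.println("-> receiver would reject it: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: IssuerNameCheck <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        // Assumed: a JKS keystore; adjust the type if you use PKCS12.
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) {
            System.err.println("no certificate under alias " + args[2]);
            System.exit(2);
        }
        boolean ok = issuerNameIsWellFormed(cert);
        System.out.println(ok ? "issuer name OK" : "issuer name MALFORMED");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it against the client's signing keystore. If the normalized line shows the dangling comma and the program exits non-zero, the defect is on the outbound side as Colm describes, and switching the client's key identifier type to ThumbprintSHA1 (or upgrading to WSS4J 1.6.x) sidesteps the Issuer Name entirely.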