Description
Certain characters used in elements of a DN are considered unprintable as per RFC 2252. The underscore '_' character is one of these characters.
If the certificate is read from a Java keystore, and the X500Principal is obtained with ((X509Certificate) cert).getSubjectX500Principal() and then getName(X500Principal.CANONICAL) is called on it, I find that its common name has been hex encoded as follows:
cn=#14076d795f74657374
In the getAlias method of org.apache.ws.security.components.crypto.CryptoBase, the equals method of X500Principal is used to compare certificates in a trust store against a given DN.
The canonical form of the DN is used in this comparison.
The problem is that the X500Principal object for the given DN is created with the X500Principal(String DN) constructor, which results in a canonical name that is not hex encoded. So the equals comparison fails, because the certificate from the keystore has the encoded form and the given one does not.
Here's a suggested change that overcomes this problem:
// Method of org.apache.ws.security.components.crypto.CryptoBase
private Vector getAlias(X500Principal subjectRDN, KeyStore store) throws WSSecurityException {
    // Store the aliases found
    Vector aliases = new Vector();
    Certificate cert = null;
    try {
        for (Enumeration e = store.aliases(); e.hasMoreElements();) {
            String alias = (String) e.nextElement();
            Certificate[] certs = store.getCertificateChain(alias);
            if (certs == null || certs.length == 0) {
                // no cert chain, so lets check if getCertificate gives us a result.
                cert = store.getCertificate(alias);
                if (cert == null) {
                    continue; // nothing stored under this alias
                }
                certs = new Certificate[]{cert};
            } else {
                // compare against the end-entity certificate of the chain
                cert = certs[0];
            }
            if (cert instanceof X509Certificate) {
                X500Principal foundRDN = ((X509Certificate) cert).getSubjectX500Principal();
                // Re-parse the subject from its RFC1779 string form so that the
                // comparison is not affected by hex-encoded (e.g. T61String) values
                X500Principal foundRDNUnencoded = new X500Principal(foundRDN.getName(X500Principal.RFC1779));
                if (subjectRDN.equals(foundRDNUnencoded)) {
                    aliases.add(alias);
                }
            }
        }
    } catch (KeyStoreException e) {
        throw new WSSecurityException(WSSecurityException.FAILURE, "keystore");
    }
    return aliases;
}
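To reproduce the mismatch without a keystore, the following added example (not part of the report or of WSS4J) hand-builds a DER-encoded Name whose CN is a TeletexString, which is what the hex form #14076d795f74657374 above decodes to, and compares it against an X500Principal built from the string "CN=my_test" both directly and after the RFC1779 round trip used in the suggested change. The class and method names are the example's own.

```java
import javax.security.auth.x500.X500Principal;

public class DnEncodingMismatch {

    // Constructed DER Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN),
    // TeletexString "my_test" } } }. Mimics a CN encoded as T61String (tag 0x14),
    // the encoding behind the canonical form "cn=#14076d795f74657374".
    static final byte[] TELETEX_CN_MY_TEST = {
        0x30, 0x12,                          // Name SEQUENCE, 18 content bytes
          0x31, 0x10,                        // RelativeDistinguishedName SET, 16 bytes
            0x30, 0x0e,                      // AttributeTypeAndValue SEQUENCE, 14 bytes
              0x06, 0x03, 0x55, 0x04, 0x03,  // OID 2.5.4.3 = commonName
              0x14, 0x07,                    // TeletexString, length 7
              'm', 'y', '_', 't', 'e', 's', 't'
    };

    /** Subject DN as a trust-store certificate with a T61String CN presents it. */
    static X500Principal fromCertificate() {
        return new X500Principal(TELETEX_CN_MY_TEST);
    }

    /** DN as a caller builds it from text, i.e. the X500Principal(String) path. */
    static X500Principal fromString() {
        return new X500Principal("CN=my_test");
    }

    /** Comparison as CryptoBase.getAlias does it: X500Principal.equals on canonical form. */
    static boolean matchesDirectly(X500Principal fromCert, X500Principal given) {
        return given.equals(fromCert);
    }

    /** Workaround from the report: re-parse the certificate DN from its RFC1779 text. */
    static boolean matchesAfterRoundTrip(X500Principal fromCert, X500Principal given) {
        X500Principal unencoded = new X500Principal(fromCert.getName(X500Principal.RFC1779));
        return given.equals(unencoded);
    }

    public static void main(String[] args) {
        X500Principal fromCert = fromCertificate();
        X500Principal given = fromString();
        System.out.println("cert  canonical : " + fromCert.getName(X500Principal.CANONICAL));
        System.out.println("given canonical : " + given.getName(X500Principal.CANONICAL));
        System.out.println("equals() direct : " + matchesDirectly(fromCert, given));
        System.out.println("equals() RFC1779: " + matchesAfterRoundTrip(fromCert, given));
    }
}
```

The round trip normalises the certificate side to the JVM's own string encoding, so it only helps when getName(RFC1779) renders the value as text rather than as a hex blob; check the printed RFC1779 form against certificates from your actual trust store before relying on it.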