Certificate validation using Sun security provider fails DOD PKI tests!

Discussion in 'Java' started by Java Developer, Jun 21, 2004.

    We are currently testing compatibility of our application with the
    standard Department of Defense PKI test suite (with which PKI apps
    selling into government organizations need to be compatible). There
    is one test case in the suite that fails verification; it involves a
    certificate with spaces in the issuer's DN. When verifying CRLs, the
    LDAP search that the provider constructs escapes these spaces. The
    LDAP call then complains that this is an invalid format for a DN.

    Our code calls java.security.cert.CertPathValidator.validate() to
    validate the cert. When the Sun security provider subsequently calls
    X500Principal.getName() method as part of the validation process, it
    is using the 'getName' method with 'RFC2253' as the DN format
    specifier, which then returns the 'RFC2253'-formatted DN. The DoD
    LDAP CRL server used in the test suite rejects this DN. If, instead,
    the 'getName' method is forced to return the
    'RFC2253Canonical'-formatted DN (by specifying 'CANONICAL' for the
    format argument), the CRL server is happy. (We've verified this by
    modifying the source for X500Principal, recompiling, and instrumenting
    rt.jar used by the VM.)

    The problem is that there doesn't seem to be a way for the
    application to tell the security provider which form of the DN to use.
    Hence we're unable to get the provider to return the DN formatted in a
    way that the DoD LDAP/CRL server is happy with. Has anyone run into this
    and had any luck in working around this issue?

    If anyone from Sun is reading this--the current implementation doesn't
    pass the DoD PKI test suites, rendering programs using the Sun
    provider incompatible and unusable in government settings requiring
    strict DoD PKI compliance. Any help in getting this resolved will
    help both of our causes...

    BTW, in the versions of the JDK prior to 1.4.2 this seemed to work fine;
    now it's failing, as described above...

    Any ideas, anyone?

    Thanks in advance,

    Alex
    Java Developer, Jun 21, 2004
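To see the difference the post is describing, the following added example (not code from the original post or from Sun's provider) builds an X500Principal from a constructed issuer DN containing awkward whitespace and prints the RFC2253, RFC1779 and CANONICAL string forms side by side; the DN value and the class name are assumptions, and the exact output depends on the JDK version, which is the point worth checking against your own CRL directory.

```java
import javax.security.auth.x500.X500Principal;

/** Constructed example: compares the DN string forms that X500Principal.getName()
 *  can produce for a DN whose attribute values contain awkward whitespace. */
public class DnFormatCheck {

    // Constructed sample issuer DN (not a real DoD CA): doubled internal spaces in
    // the CN and an escaped trailing space ("\\ " in Java source is "\ " in the DN).
    static final String SAMPLE_ISSUER =
        "CN=Test CA  01\\ ,OU=PKI,OU=DoD,O=U.S. Government,C=US";

    // The form the provider uses when it builds the LDAP search for the CRL.
    static String rfc2253(String dn) {
        return new X500Principal(dn).getName(X500Principal.RFC2253);
    }

    // The older, more readable form; included for comparison only.
    static String rfc1779(String dn) {
        return new X500Principal(dn).getName(X500Principal.RFC1779);
    }

    // The normalized form (trimmed/collapsed whitespace) the poster found the
    // CRL server accepts.
    static String canonical(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }

    /** True when the RFC2253 form and the CANONICAL form are not identical, i.e.
     *  this DN is one worth testing against the CRL directory before deployment. */
    static boolean formsDiffer(String dn) {
        return !rfc2253(dn).equals(canonical(dn));
    }

    public static void main(String[] args) {
        String dn = args.length > 0 ? args[0] : SAMPLE_ISSUER;
        System.out.println("RFC2253:   " + rfc2253(dn));
        System.out.println("RFC1779:   " + rfc1779(dn));
        System.out.println("CANONICAL: " + canonical(dn));
        System.out.println("forms differ: " + formsDiffer(dn));
    }
}
```

Run it with the issuer DN of each CA certificate in your trust chain as the argument to find the entries whose two forms diverge.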