Certificate validation using Sun security provider fails DOD PKI tests!

We are currently testing compatibility of our application with the
standard Department of Defense PKI test suite (with which PKI apps
selling into government organizations need to be compatible). There
is one test case in the suite that fails verification; it involves a
certificate with spaces in the issuer's DN. When verifying CRLs, the
LDAP search that the provider constructs escapes these spaces. The
LDAP call then complains that this is an invalid format for a DN.

Our code calls java.security.cert.CertPathValidator.validate() to
validate the cert. When the Sun security provider subsequently calls
X500Principal.getName() method as part of the validation process, it
is using the 'getName' method with 'RFC2253' as the DN format
specifier, which then returns the 'RFC2253'-formatted DN. The DoD
LDAP CRL server used in the test suite rejects this DN. If, instead,
the 'getName' method is forced to return the
'RFC2253Canonical'-formatted DN (by specifying 'CANONICAL' for the
format argument), the CRL server is happy. (We've verified this by
modifying the source for X500Principal, recompiling, and instrumenting
rt.jar used by the VM.)

The problem is that there doesn't seem to be a way for the
application to tell the security provider which form of the DN to use.
Hence we're unable to get the provider to return the DN formatted in a
way that the DoD LDAP/CRL server is happy with. Has anyone run into this
and had any luck in working around this issue?

If anyone from Sun is reading this--the current implementation doesn't
pass the DoD PKI test suites, rendering programs using the Sun
provider incompatible and unusable in government settings requiring
strict DoD PKI compliance. Any help in getting this resolved will
help both of our causes...

BTW, in the versions of the JDK prior to 1.4.2 this seemed to work fine;
now it's failing, as described above...

Any ideas, anyone?

Thanks in advance,

Alex
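To see the two DN forms the post contrasts without patching rt.jar, the added example below (not code from the original post) prints the RFC2253 and CANONICAL forms of a constructed issuer DN that contains leading/trailing and repeated internal spaces, and does the same for the issuer of any X509Certificate. The sample DN and the class name are assumptions for illustration; the behaviour of each format follows the documented X500Principal.getName(String) rules.

```java
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

public class DnFormatDemo {

    // Constructed sample DN (not from a real DoD certificate). "\\ " in the Java
    // literal is "\ " in the DN string, i.e. an RFC 2253 escaped trailing space
    // inside the first value; the OU value carries a run of internal spaces.
    static final String SAMPLE_DN =
        "CN=Alice Example\\ ,OU=DoD PKI   Test,O=U.S. Government,C=US";

    // RFC2253 form: attribute types and values are kept as given; leading and
    // trailing spaces in a value are escaped with a backslash, so a DN with such
    // spaces reaches the LDAP server with "\ " sequences in it.
    static String rfc2253(X500Principal p) {
        return p.getName(X500Principal.RFC2253);
    }

    // CANONICAL form: types and string values are lowercased, leading/trailing
    // whitespace is removed and internal whitespace runs collapse to one space.
    // This is the form the post found the DoD CRL server accepted.
    static String canonical(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    // Same comparison for the issuer of a real certificate (e.g. one loaded with
    // CertificateFactory), using the standard getIssuerX500Principal() accessor.
    static String[] issuerForms(X509Certificate cert) {
        X500Principal issuer = cert.getIssuerX500Principal();
        return new String[] { rfc2253(issuer), canonical(issuer) };
    }

    public static void main(String[] args) {
        X500Principal issuer = new X500Principal(SAMPLE_DN);
        System.out.println("RFC2253  : " + rfc2253(issuer));
        System.out.println("CANONICAL: " + canonical(issuer));
    }
}
```

Comparing the two printed strings against what the CRL server's LDAP logs show it received narrows the failure to the DN encoding rather than to the certificate itself.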