Velocity Reviews - Computer Hardware Reviews

Certificate validation using Sun security provider fails DOD PKI tests!

Java Developer (Guest)
06-21-2004
We are currently testing compatibility of our application with the
standard Department of Defense PKI test suite (with which PKI apps
selling into government organizations need to be compatible). There
is one test case in the suite that fails verification; it involves a
certificate with spaces in the issuer's DN. When verifying CRLs, the
LDAP search that the provider constructs escapes these spaces. The
LDAP call then complains that this is an invalid format for a DN.

Our code calls java.security.cert.CertPathValidator.validate() to
validate the cert. When the Sun security provider subsequently calls
the X500Principal.getName() method as part of the validation process, it
is using the 'getName' method with 'RFC2253' as the DN format
specifier, which then returns the 'RFC2253'-formatted DN. The DoD
LDAP CRL server used in the test suite rejects this DN. If, instead,
the 'getName' method is forced to return the
'RFC2253Canonical'-formatted DN (by specifying 'CANONICAL' for the
format argument), the CRL server is happy. (We've verified this by
modifying the source for X500Principal, recompiling, and instrumenting
rt.jar used by the VM.)

The problem is that there doesn't seem to be a way for the
application to tell the security provider which form of the DN to use.
Hence we're unable to get the provider to return the DN formatted in a
way that the DoD LDAP/CRL server is happy with. Has anyone run into this
and had any luck in working around this issue?

If anyone from Sun is reading this--the current implementation doesn't
pass the DoD PKI test suites, rendering programs using the Sun
provider incompatible and unusable in government settings requiring
strict DoD PKI compliance. Any help in getting this resolved will
help both of our causes...

BTW, in the versions of the JDK prior to 1.4.2 this seemed to work fine;
now it's failing, as described above...

Any ideas, anyone?

Thanks in advance,

Alex
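To reproduce the difference between the two DN string forms described in the post, here is an added example (not code from the post or from the Sun provider) that prints the RFC2253 and CANONICAL output of X500Principal.getName() for a constructed issuer DN whose CN value carries an escaped trailing space; the class name and the sample DN are assumptions.

```java
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;

/** Hypothetical demo class: shows the two DN forms the post contrasts. */
public class IssuerDnForms {

    // Constructed issuer DN with an escaped trailing space in the CN value
    // (illustrative only; not a DN from the DoD PKI test suite).
    static final String SAMPLE_ISSUER = "CN=Test CA\\ ,OU=PKI Test,O=Example,C=US";

    /** RFC 2253 form: the string the post reports the provider hands to the LDAP CRL lookup. */
    static String rfc2253Form(X500Principal p) {
        return p.getName(X500Principal.RFC2253);
    }

    /** Canonical form: leading/trailing whitespace stripped, case folded. */
    static String canonicalForm(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    /** For a real certificate, the issuer DN the provider works from comes from here. */
    static X500Principal issuerOf(X509Certificate cert) {
        return cert.getIssuerX500Principal();
    }

    public static void main(String[] args) {
        X500Principal withSpace = new X500Principal(SAMPLE_ISSUER);
        X500Principal trimmed = new X500Principal("CN=Test CA,OU=PKI Test,O=Example,C=US");

        System.out.println("RFC2253:   " + rfc2253Form(withSpace));
        System.out.println("CANONICAL: " + canonicalForm(withSpace));
        // X500Principal.equals() compares canonical forms, so the two principals
        // compare equal even though their RFC 2253 strings differ.
        System.out.println("equal?     " + withSpace.equals(trimmed));
    }
}
```

Feeding the issuer of a real certificate through issuerOf() instead of the constructed string lets you see exactly which string form a given CRL server is being asked to accept.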