APAR status
Closed as program error.
Error description
COMPONENT: IBM PKCS

APAR Description: Constructor X500Name(String dname) changes the encoding of the Domain Component attribute ("DC") to PrintableString (from IA5String), which is not compliant with RFC 2247.

JVM Affected : JDK 142, 50, 60
Local fix
Level 3 to update
Problem summary
PKCS: AVA.java - encode DC attribute as IA5String

PROBLEM DESCRIPTION: Constructor X500Name(String dname) encodes the Domain Component attribute ("DC") as a PrintableString, which is not compliant with RFC 2247. It should be encoded as an IA5String.

JVM Affected : JDK 142, 50, 60

The following testcase demonstrates the problem (it reads the issuer DN of a certificate from the file Sub1CoperGMPS.cer and prints the DER string tag of the first AVA of each RDN, first for the name built from the encoded bytes and then for the name built from the DN string):

    import java.io.FileInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import com.ibm.security.util.DerValue;
    import com.ibm.security.x509.X500Name;

    public class test {
        public static void main(String[] args) {
            try {
                FileInputStream is = new FileInputStream("Sub1CoperGMPS.cer");
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

                // Name built from the DER bytes of the issuer: tags are taken from the certificate
                X500Name name1 = new X500Name(cert.getIssuerX500Principal().getEncoded());
                System.out.println("DN Name string for the issuername is:" + name1);
                System.out.println("Using constructor X500Name(byte[] name)");
                for (int i = 0; i < name1.size(); i++) {
                    int tag = name1.getRDN(i).getAVA(0).getDerValue().getTag();
                    if (tag == DerValue.tag_IA5String)
                        System.out.println("Der encoding for RDN : " + name1.getRDN(i).getAVA(0).getName()
                                + " with value " + name1.getRDN(i).getAVA(0).getValue() + " is IA5String");
                    if (tag == DerValue.tag_PrintableString)
                        System.out.println("Der encoding for RDN : " + name1.getRDN(i).getAVA(0).getName()
                                + " with value " + name1.getRDN(i).getAVA(0).getValue() + " is PrintableString");
                }

                // Name built from the DN string: tags are chosen by AVA.java when parsing the string
                X500Name name = new X500Name(cert.getIssuerDN().getName());
                System.out.println("Using constructor X500Name(String dname)");
                for (int i = 0; i < name.size(); i++) {
                    int tag = name.getRDN(i).getAVA(0).getDerValue().getTag();
                    if (tag == DerValue.tag_IA5String)
                        System.out.println("Der encoding for RDN : " + name.getRDN(i).getAVA(0).getName()
                                + " with value " + name.getRDN(i).getAVA(0).getValue() + " is IA5String");
                    if (tag == DerValue.tag_PrintableString)
                        System.out.println("Der encoding for RDN : " + name.getRDN(i).getAVA(0).getName()
                                + " with value " + name.getRDN(i).getAVA(0).getValue() + " is PrintableString");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Running the testcase generates the following output:

    DN Name string for the issuername is:CN=RootCoperGMPS, DC=local
    Using constructor X500Name(byte[] name)
    Der encoding for RDN : DC with value local is IA5String
    Der encoding for RDN : CN with value RootCoperGMPS is PrintableString
    Using constructor X500Name(String dname)
    Der encoding for RDN : DC with value local is PrintableString
    Der encoding for RDN : CN with value RootCoperGMPS is PrintableString

The program output shows that the constructor X500Name(String dname) encodes the "DC" attribute's value as a PrintableString.

Because of this pkcs defect, a Microsoft application (at the customer's side) which expects the "DC" attribute (present in the issuer DN of the certificate) to be encoded as an IA5String does not locate the issuer certificate, thereby causing a failure. The following link explains that the Microsoft application expects IA5String encoding for attribute "DC":

http://msdn.microsoft.com/en-us/library/aa377051(VS.85).aspx

RFC 2247 describes the structure of the Domain Component ("DC") attribute as follows:

    4. Attribute Type Definition

    The DC (short for domainComponent) attribute type is defined as follows:

        ( 0.9.2342.19200300.100.1.25 NAME 'dc'
          EQUALITY caseIgnoreIA5Match
          SUBSTR caseIgnoreIA5SubstringsMatch      <<----------- Here it describes it to be in IA5String
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
          SINGLE-VALUE )

    The value of this attribute is a string holding one component of a domain name. The encoding of IA5String for use in LDAP is simply the characters of the string itself. The equality matching rule is case insensitive, as is today's DNS.
Problem conclusion
The fix for the problem is to set the IA5String tag before returning the DerValue for the "DC" attribute. The following code change in the parseString() method of AVA.java resolves the problem and returns an IA5String-tagged DER value for the "DC" attribute:

    if ((this.oid.equals(X500Name.emailAddress_oid)) ||
        (this.oid.equals(X500Name.domainComponent_oid))) {
        // EmailAddress and DC must be IA5String
        return new DerValue(DerValue.tag_IA5String, temp.toString());
    } else if (isPrintableString) {
        return new DerValue(temp.toString());
    } else {
        return new DerValue(DerValue.tag_UTF8String, temp.toString());
    }

Similar code has been added to the AVA constructors (both AVA(InputStream in) and AVA(Reader in, int format)) and also to the parseQuotedString() methods. Similar code changes are already present for the "emailAddress" attribute because emailAddress is also expected to be encoded as an IA5String.

Fixes for this APAR have been dropped for:
- 1.4.2 SR14
- 5.0 SR11
- 6.0 SR6

The affected Java Security component is "PKCS". The affected jar is "ibmpkcs.jar". The Austin CMVC build level associated with this jar is 20090723. The associated Hursley CMVC defect is 153790.
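The following is an added example, not IBM's code: a small DER Name inspector that reports any "DC" value not tagged as IA5String (the defect the testcase above exposes and the AVA.java change corrects), together with constructed encodings of CN=RootCoperGMPS, DC=local in both the compliant and the buggy form. It assumes only the standard DER tag values 0x16 (IA5String) and 0x13 (PrintableString) and the dc OID quoted from RFC 2247 above.

```python
TAG_IA5STRING, TAG_PRINTABLESTRING = 0x16, 0x13   # DER universal tags for the two string types
DC_OID, CN_OID = "0.9.2342.19200300.100.1.25", "2.5.4.3"

def tlv(tag, body):
    # Minimal DER TLV encoder; lengths up to 255 bytes are enough for these sample names
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def name_attributes(der_name):
    """Yield (attribute type OID contents, value tag) for every AVA in a DER-encoded Name."""
    _, seq, _ = read_tlv(der_name, 0)             # Name ::= SEQUENCE OF RelativeDistinguishedName
    pos = 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)          # RDN ::= SET OF AttributeTypeAndValue
        p = 0
        while p < len(rdn):
            _, ava, p = read_tlv(rdn, p)          # AttributeTypeAndValue ::= SEQUENCE { type, value }
            _, oid_body, q = read_tlv(ava, 0)
            yield oid_body, read_tlv(ava, q)[0]

def noncompliant_dc_tags(der_name):
    """Tags of DC values that are not IA5String; an empty list means the Name is RFC 2247 compliant."""
    dc = encode_oid(DC_OID)[2:]                   # OID contents without the tag and length bytes
    return [t for oid, t in name_attributes(der_name) if oid == dc and t != TAG_IA5STRING]

def make_name(dc_tag):
    """Constructed sample: CN=RootCoperGMPS, DC=local with the DC value under the given tag."""
    def ava(oid, tag, text):
        return tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(tag, text.encode("ascii"))))
    return tlv(0x30, ava(DC_OID, dc_tag, "local") + ava(CN_OID, TAG_PRINTABLESTRING, "RootCoperGMPS"))
```

make_name(TAG_IA5STRING) corresponds to what X500Name(byte[]) reports in the testcase and make_name(TAG_PRINTABLESTRING) to the pre-fix X500Name(String) output; the same inspector can be run over cert.getIssuerX500Principal().getEncoded() bytes exported from any certificate.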
Temporary fix
Comments
APAR Information
APAR number
IZ55794
Reported component name
TIVOLI JAVA PKC
Reported component ID
TIVSECPKC
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-07-23
Closed date
2009-07-30
Last modified date
2009-07-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIVOLI JAVA PKC
Fixed component ID
TIVSECPKC
Applicable component levels
R100 PSN
UP