IZ55794: CONSTRUCTOR X500NAME(STRING DNAME) CHANGES ENCODING OF DOMAIN COMPONENT ATTRIBUTE ("DC") TO PRINTABLESTRING

APAR status

  • Closed as program error.

Error description

  • COMPONENT: IBM PKCS
    
    
    APAR Description: Constructor X500Name(String dname) changes the
    encoding of the Domain Component attribute ("DC") to PrintableString
    (from IA5String), which is not compliant with RFC 2247.
    
    JVM Affected : JDK 142, 50, 60
    

Local fix

  • Level 3 to update
    

Problem summary

  • PKCS: AVA.java - encode DC attribute as IA5String
    
    PROBLEM DESCRIPTION:
    
    Constructor X500Name(String dname) encodes the Domain Component
    attribute ("DC") as a PrintableString, which is not compliant with
    RFC 2247. It should be encoded as an IA5String.
    
    
    JVM Affected : JDK 142, 50, 60
    
    
    The following testcase demonstrates the problem :
    
    import java.io.FileInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import com.ibm.security.util.DerValue;
    import com.ibm.security.x509.X500Name;
    
    public class test {
    
        // Print the DER string tag of the first AVA of every RDN in the name
        private static void printTags(X500Name name) {
            for (int i = 0; i < name.size(); i++) {
                int tag = name.getRDN(i).getAVA(0).getDerValue().getTag();
                if (tag == DerValue.tag_IA5String)
                    System.out.println("Der encoding for RDN : "
                        + name.getRDN(i).getAVA(0).getName() + " with value "
                        + name.getRDN(i).getAVA(0).getValue() + " is IA5String");
                if (tag == DerValue.tag_PrintableString)
                    System.out.println("Der encoding for RDN : "
                        + name.getRDN(i).getAVA(0).getName() + " with value "
                        + name.getRDN(i).getAVA(0).getValue() + " is PrintableString");
            }
        }
    
        public static void main(String[] args) {
            try {
                FileInputStream is = new FileInputStream("Sub1CoperGMPS.cer");
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
    
                // Parse the issuer name from its DER bytes: the tags come from the certificate
                X500Name name1 = new X500Name(cert.getIssuerX500Principal().getEncoded());
                System.out.println("DN Name string for the issuername is:" + name1);
                System.out.println("Using constructor X500Name(byte[] name)");
                printTags(name1);
    
                // Re-parse the same name from its string form: the tags are chosen by AVA.parseString()
                X500Name name = new X500Name(cert.getIssuerDN().getName());
                System.out.println("Using constructor X500Name(String dname)");
                printTags(name);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    
    
    Running the testcase generates the following output :
    
    DN Name string for the issuername is:CN=RootCoperGMPS, DC=local
    Using constructor X500Name(byte[] name)
    Der encoding for RDN : DC with value local is IA5String
    Der encoding for RDN : CN with value RootCoperGMPS is PrintableString
    Using constructor X500Name(String dname)
    Der encoding for RDN : DC with value local is PrintableString
    Der encoding for RDN : CN with value RootCoperGMPS is PrintableString
    
    The program output shows that the constructor X500Name(String dname)
    encodes the "DC" attribute's value as a PrintableString.
    
    Because of this PKCS defect, a Microsoft application (at the
    customer's side) which expects the "DC" attribute (present in the
    issuer DN of the certificate) to be encoded as an IA5String does not
    locate the issuer certificate, thereby causing a failure.
    
    The following link explains that the Microsoft application expects
    IA5String encoding for the attribute "DC":
    http://msdn.microsoft.com/en-us/library/aa377051(VS.85).aspx
    
    RFC 2247 describes the structure of the Domain Component ("DC")
    attribute as follows:
    
    4. Attribute Type Definition
    
       The DC (short for domainComponent) attribute type is defined as
       follows:
    
        ( 0.9.2342.19200300.100.1.25 NAME 'dc' EQUALITY caseIgnoreIA5Match
          SUBSTR caseIgnoreIA5SubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    
       <<----------- Here (the IA5 matching rules and the syntax OID
       1.3.6.1.4.1.1466.115.121.1.26, which is the IA5 String syntax)
       it describes it to be an IA5String.
    
       The value of this attribute is a string holding one component of a
       domain name.  The encoding of IA5String for use in LDAP is simply the
       characters of the string itself.  The equality matching rule is case
       insensitive, as is today's DNS.
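    The mismatch described above, as an added Python example that is not part of the APAR or of the IBM PKCS code: it DER-encodes the issuer name from the testcase output (CN=RootCoperGMPS, DC=local) once with DC tagged as IA5String, as RFC 2247 requires, and once as PrintableString, as the defective constructor does; it then reports the string tag per AVA the way the testcase does and shows that a bytewise issuer-to-subject comparison, which a relying party locating the CA certificate performs, fails for the defective encoding. The CN and DC OIDs are the standard ones; short-form DER lengths (under 128 bytes) are assumed, which is enough for these names.

```python
# Added example (not the APAR's code): minimal DER Name encoder/decoder showing
# why the DC attribute's string tag matters when issuer names are compared.
OID_CN = "2.5.4.3"                      # commonName
OID_DC = "0.9.2342.19200300.100.1.25"   # domainComponent (RFC 2247)
TAG_PRINTABLE, TAG_IA5, TAG_OID, TAG_SEQ, TAG_SET = 0x13, 0x16, 0x06, 0x30, 0x31

def tlv(tag, body):
    assert len(body) < 128              # short-form length is assumed throughout
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, continuation bit on all but the last
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return tlv(TAG_OID, bytes(out))

def encode_name(avas):
    """avas: [(oid, string_tag, value)], one AVA per RDN, in DER order."""
    rdns = b"".join(tlv(TAG_SET, tlv(TAG_SEQ, encode_oid(o) + tlv(t, v.encode("ascii"))))
                    for o, t, v in avas)
    return tlv(TAG_SEQ, rdns)

def read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    assert ln < 128
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

NAMES = {encode_oid(OID_CN): "CN", encode_oid(OID_DC): "DC"}

def ava_tags(name_der):
    """Like the APAR testcase: report (attribute, string tag, value) per AVA."""
    _, body, _ = read_tlv(name_der, 0)
    pos, out = 0, []
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)   # SET OF AVA
        _, ava, _ = read_tlv(rdn, 0)        # SEQUENCE { type, value }
        _, oid, p = read_tlv(ava, 0)
        tag, val, _ = read_tlv(ava, p)
        out.append((NAMES[tlv(TAG_OID, oid)], tag, val.decode("ascii")))
    return out

# Constructed from the issuer shown in the APAR output: CN=RootCoperGMPS, DC=local
CA_SUBJECT = encode_name([(OID_DC, TAG_IA5, "local"), (OID_CN, TAG_PRINTABLE, "RootCoperGMPS")])
BUGGY_ISSUER = encode_name([(OID_DC, TAG_PRINTABLE, "local"), (OID_CN, TAG_PRINTABLE, "RootCoperGMPS")])

def issuer_matches(issuer_der, ca_subject_der):
    return issuer_der == ca_subject_der     # bytewise, as a relying party locating the CA does
```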
    

Problem conclusion

  • The fix for the problem is to set the IA5String tag before returning
    the DerValue for the "DC" attribute.
    The following code change in the parseString() method of AVA.java
    resolves the problem and returns an IA5String-tagged DER value for
    the "DC" attribute:
    
    if (this.oid.equals(X500Name.emailAddress_oid)
            || this.oid.equals(X500Name.domainComponent_oid)) {
        // EmailAddress and DC must be IA5String
        return new DerValue(DerValue.tag_IA5String, temp.toString());
    } else if (isPrintableString) {
        return new DerValue(temp.toString());
    } else {
        return new DerValue(DerValue.tag_UTF8String, temp.toString());
    }
    
    Similar code has been added to the AVA constructors (both
    AVA(InputStream in) and AVA(Reader in, int format)) and also to the
    parseQuotedString() methods.
    
    Similar code changes are already present for the "emailAddress"
    attribute, because emailAddress is also expected to be encoded as an
    IA5String.
    
    
    
    Fixes for this APAR have been dropped for:
    - 1.4.2 SR14
    - 5.0 SR11
    - 6.0 SR6
    
    
    The affected Java Security component is "PKCS".  The affected
    jar is "ibmpkcs.jar".
    The Austin CMVC build level associated with this jar is
    20090723.
    The associated Hursley CMVC defect is 153790.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ55794

  • Reported component name

    TIVOLI JAVA PKC

  • Reported component ID

    TIVSECPKC

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-07-23

  • Closed date

    2009-07-30

  • Last modified date

    2009-07-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIVOLI JAVA PKC

  • Fixed component ID

    TIVSECPKC

Applicable component levels

  • R100 PSN

       UP



Document information


More support for:

Tivoli Components - Java Security
PKCS

Software version:

100

Reference #:

IZ55794

Modified date:

2009-07-30
