
EJBCA doesn't handle SCEP requests with a multi-valued relative distinguished name containing a space

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 4.0.0
    • Fix Version/s: EJBCA 4.0.0
    • Component/s: Protocols
    • Labels: None

      Description

      I believe this issue could be reproduced by other means than sending a SCEP request.

      1) The SCEP request contains a multi-valued relative distinguished name, for example
      "CN=Test+SomeAttr=AttrValue1 AttrValue2"

      2) The code eventually reaches the getUsername() method in \ejbca\src\java\org\ejbca\core\protocol\PKCS10RequestMessage.java
      This method calls CertTools.getPartFromDN(getRequestDN(), "CN");
      The returned value will be "Test+SomeAttr=AttrValue1 AttrValue2"

      3) getUsername() will execute the following code, which returns "Test+SomeAttr=AttrValue1" as the username instead of "Test".

      // Special if the DN contains unstructuredAddress where it becomes:
      // CN=pix.primekey.se + unstructuredAddress=pix.primekey.se
      // We only want the CN and not the oid-part.
      String ret = name;
      if (name != null) {
          int index = name.indexOf(' ');
          if (index > 0) {
              ret = name.substring(0, index);
          } else {
              // Perhaps there is no space, only +
              index = name.indexOf('+');
              if (index > 0) {
                  ret = name.substring(0, index);
              }
          }
      }

      I believe the piece of code in item 3) is the problematic code. It handles one subcase of an RDN (with unstructuredAddress), but it doesn't handle all of them.

      I believe there could be a better solution than calling CertTools.getPartFromDN and doing additional processing on it.

      Something like this should work and handle all the cases that Bouncy Castle handles.
      Sorry, I didn't debug this code, for lack of time.

      public String getUsername() {
          if (username != null) {
              return username;
          }
          // Let Bouncy Castle parse the request DN; it splits multi-valued RDNs
          // on '+' itself, so the CN value comes back whole.
          X509Name xname = getRequestX509Name();
          Vector cnValues = xname.getValues(X509Name.CN);
          if (cnValues.size() == 0) {
              log.error("No CN in DN: ");
              return null;
          }
          return cnValues.firstElement().toString();
      }
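      The following is an added illustration, not EJBCA or Bouncy Castle code: it models the substring heuristic quoted in item 3) beside an RDN-aware lookup that treats '+' as the attribute separator, and runs both over DNs constructed from this issue (get_part_from_dn is a stand-in for CertTools.getPartFromDN as the issue describes it, splitting on ',' only).

```python
# Added example (not EJBCA code): the substring heuristic quoted from
# PKCS10RequestMessage.getUsername(), beside an RDN-aware lookup that
# honours '+' as the AVA separator. Sample DNs are constructed from the issue.

def split_unescaped(s, sep):
    """Split s on sep, skipping backslash-escaped characters (RFC 2253)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):   # keep "\," and "\+" intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append(''.join(cur))
    return parts

def get_part_from_dn(dn, attr_type):
    """Stand-in for CertTools.getPartFromDN as the issue describes it:
    splits on ',' only, so a multi-valued RDN is returned whole."""
    for rdn in split_unescaped(dn, ','):
        t, _, v = rdn.strip().partition('=')
        if t.strip().upper() == attr_type.upper():
            return v.strip()
    return None

def heuristic_username(name):
    """Port of the quoted getUsername() logic: cut at the first ' ',
    else at the first '+'. This is the behaviour the issue reports."""
    if name is None:
        return None
    index = name.find(' ')
    if index <= 0:
        index = name.find('+')       # perhaps there is no space, only +
    return name[:index] if index > 0 else name

def rdn_attribute(dn, attr_type):
    """RDN-aware lookup: each RDN is split on unescaped '+' into AVAs, so a
    space inside a value never truncates it. Escapes are kept undecoded."""
    for rdn in split_unescaped(dn, ','):
        for ava in split_unescaped(rdn, '+'):
            t, _, v = ava.strip().partition('=')
            if t.strip().upper() == attr_type.upper():
                return v.strip()
    return None
```

      Note that the heuristic also truncates a plain CN containing a space (for example "CN=John Doe"), which the RDN-aware lookup does not.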


              People

              Assignee:
              tomas Tomas Gustavsson
              Reporter:
              vronin Victor Ronin
              Verified by:
              Johan Eklund
