
Re: Fwd: [JLDAP] Store X509 object programmatically



Hi Diego,
    I have verified the added certificate in my configuration. I used
Novell ConsoleOne to validate it and it's showing that the added
certificate is a valid one.

As far as the second problem reported by you, i.e. AttributeSet.add
(LDAPAttribute) returns false: I looked at it and found that the
documentation in the JavaDoc for the attributeSet.add method is wrong. In
the JavaDoc they have specified that:
add() method will "return true if the attribute was added."

Whereas actually it should be:
"return true if there was already a previous value (non-null) for the
specified attribute in the attribute set."

Also I have found one more wrong statement in the JavaDoc. They have
mentioned:
     * Adds the specified attribute to this set if it is not already
     * present.
     * <p>If an attribute with the same name already exists in the set
     * then the specified attribute will not be added.</p>

Whereas it should be:
     * Adds the specified attribute to this set if it is not already
     * present.
     * <p>If an attribute with the same name already exists in the set
     * then the old specified value for the attribute will be replaced by the
     * new value.</p>


Here is the modified JavaDoc which I am planning to check in. Steve/Anil,
can you verify this and let me know before I check in.
    /**
     * Adds the specified attribute to this set if it is not already
     * present.
     * <p>If an attribute with the same name already exists in the set
     * then the old specified value for the attribute will be replaced by the
     * new value.</p>
     *
     * @param attr   Object of type <code>LDAPAttribute</code>
     *
     * @return true if there was already a previous value (non-null)
     *         for the specified attribute in the attribute set.
     *
     * @throws ClassCastException if the specified Object
     *         is not of type <code>LDAPAttribute</code>.
     */


Regards,
-Sunil.

>>> Diego Pietralunga <diego@ltt.it> 8/25/2003 7:55:59 PM >>>
Hi Sunil, thanks a lot for your time.

I've been investigating this issue so far...

Well... it's really strange...
First let me say that I had some strange glitches during
experimentation, so I have a little doubt about my configuration,
anyway...

I JUST found out that the (my/your) original code seems to work!

I mean that querying OpenLDAP with the ldapsearch tool, I can see the
userCertificate entry. (I'm attaching an example inline at the bottom.)
While the LDAP Browser/Editor can't see it (throws a
CertificateParsingException... mmhhh, that's fishy).

So, I don't know if my certificate entries are valid; I tried to look up
some addresses with Mozilla Messenger and Outlook but found no entries
(looked for "Smith"). But maybe that means nothing...

The strange things on the programmatic side are:

1) Looks like Nikita Bige's suggestion must be followed (append
";binary" to the entry name).

2) AttributeSet.add (LDAPAttribute) returns a boolean; this boolean is
always false when I add the certificate attribute, and the connection to
the server is established AFTER that check... I mean that the return value
is produced with no server intervention at that time (this should
exclude a bug/error on the server side)... BUT (via command line) the
certificate was ADDED.
And no exceptions are thrown.
/*
Like this:
    boolean added = attributeSet.add(cert);
    System.out.println("Certificate:\n" + "added=" + added);
Prints: added=false
*/

I don't know if this is a Java problem or what...





/* Snippet of the result (2 shown here) of the ldapsearch query */
/**********************************************************/

# JSmith Wilson 21, my-domain.com
dn: cn=JSmith Wilson 21,dc=my-domain,dc=com
userCertificate;binary::
userPassword:: bmV3cGFzc3dvcmQ=
telephoneNumber: 1 801 555 1212
cn: JamesWilson  Smith
cn: Jim W. Smith
cn: Jimmy W. Smith
givenName: James
givenName: Jim
givenName: Jimmy
objectClass: inetOrgPerson
mail: JSmith@Acme.com 
sn: Smith

# JSmith Wilson 25, my-domain.com
dn: cn=JSmith Wilson 25,dc=my-domain,dc=com
userCertificate;binary::
userPassword:: bmV3cGFzc3dvcmQ=
telephoneNumber: 1 801 555 1212
cn: JamesWilson  Smith
cn: Jim W. Smith
cn: Jimmy W. Smith
givenName: James
givenName: Jim
givenName: Jimmy
objectClass: inetOrgPerson
mail: JSmith@Acme.com 
sn: Smith

# search result
search: 2
result: 0 Success

# numResponses: 21
# numEntries: 20

/*********************************************************/
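The ldapsearch output above can be checked mechanically. The following is an added example (not code from this thread or from JLDAP): it unfolds LDIF, decodes `::` base64 values, tests whether `userCertificate;binary` holds one well-formed DER SEQUENCE rather than the lone '0' Diego first saw, and reports whether `userPassword` carries an RFC 2307 `{scheme}` prefix. The sample LDIF is constructed; its DER value is a hand-built envelope, not a real certificate, and `{SSHA}placeholder-hash` is a placeholder.

```python
import base64
import re

# Constructed sample shaped like the ldapsearch LDIF quoted in the thread: the first certificate
# value is a hand-built 8-byte DER SEQUENCE (not a real X.509), the second is the lone byte '0'.
SAMPLE_LDIF = """\
dn: cn=JSmith Wilson 21,dc=my-domain,dc=com
userCertificate;binary:: MAYC
 AQACAQA=
userPassword:: bmV3cGFzc3dvcmQ=

dn: cn=JSmith Wilson 25,dc=my-domain,dc=com
userCertificate;binary:: MA==
userPassword: {SSHA}placeholder-hash
"""
def parse_ldif(text):
    """{dn: {attribute description: [raw bytes]}}, with LDIF folding undone and '::' base64 decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation line: rejoin to previous
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = {}, {}
    for line in lines + [""]:                     # trailing "" flushes the last entry
        if not line.strip():                      # blank line ends an entry
            if entry:
                entries[entry["dn"][0].decode()] = entry
            entry = {}
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip().encode()
        entry.setdefault(attr, []).append(value)
    return entries

def looks_like_der_certificate(value):
    """True if value is one DER SEQUENCE (tag 0x30) whose declared length covers exactly the data."""
    if len(value) < 2 or value[0] != 0x30:        # a lone '0' is 0x30 too: rejected by length
        return False
    n = value[1] & 0x7F
    if value[1] < 0x80:                           # short form: n is the content length
        return len(value) == 2 + n
    if n == 0 or n > 4 or len(value) < 2 + n:     # long form: n length bytes follow
        return False
    return len(value) == 2 + n + int.from_bytes(value[2:2 + n], "big")

def password_storage(value):
    """Scheme from an RFC 2307 '{scheme}' prefix, or 'cleartext' when there is none."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).decode().upper() if m else "cleartext"
```

Note that `::` in LDIF only means the value is base64-encoded for transport: `bmV3cGFzc3dvcmQ=` in the quoted output decodes to the password string itself, so `password_storage` reports it as cleartext.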

On Mon, 2003-08-25 at 13:41, Sunil Kumar wrote:
> Hi Diego,
>   I tried to do the same thing but was able to add it successfully.
> The only difference was that I used eDirectory as the LDAP server where
> I have added the entry.
> 
> I have attached the sample code with this mail which I used to add the
> entry with the certificate. Have a look at it and let me know if this
> doesn't help you.
> 
> I used the ldapsearch command line tool to verify whether the
> userCertificate attribute contains any value or not. I have attached a
> text file containing the search result.
> 
> 
> Regards,
> -Sunil
> 
> 
> >>> Anil Kumar Kommuri 8/25/2003 3:26:25 PM >>>
> JLDAP query.  
> regards
> anil.
> 
> >>> Diego Pietralunga <diego@ltt.it> 25-Aug-03 3:08:48 PM >>>
> Hello everybody,
> 
> first post!
> Hope this is not OT.
> 
> 
> I'm trying to use the Novell JLDAP API (June 04, 2003 release) to
> interface to OpenLDAP 2.1.10 on a RH 8.0 Linux box.
> 
> Standard operations seem to work, but I could not get to store an
> X509Certificate object, based on the AddEntry.java example.
> I can add the entry (used userCertificate and userSMIMECertificate)
> but the value shown is '0'.
> I'm _quite_ sure I passed the X509 as DER...
> I tried both the constructor, LDAPAttribute(Object,byte[]), and the
> method addValue(byte[]).
> 
> 
> Looks like it's not converted to BINARY...
> 
> Oddly, the password object is marked as binary (used LDAP
> Browser/Editor to check).
> 
> 
> Can anyone help?
> 
> 
> Here's my code snippet:
> /****************************************************************/
> 
> /*
> Get the certificate, connection, etc...
> Then...
> */
> 
>     LDAPConnection lc = new LDAPConnection();
>     LDAPAttribute attribute = null;
>     LDAPAttributeSet attributeSet = new LDAPAttributeSet();
> 
>     attributeSet.add(new LDAPAttribute("objectclass", new String("inetOrgPerson")));
>     attributeSet.add(new LDAPAttribute("cn",
>             new String[]{"JamesWilson  Smith", "Jim W. Smith", "Jimmy W. Smith"}));
>     attributeSet.add(new LDAPAttribute("givenname",
>             new String[]{"James", "Jim", "Jimmy"}));
>     attributeSet.add(new LDAPAttribute("sn", new String("Smith")));
>     attributeSet.add(new LDAPAttribute("telephonenumber", new String("1 801 555 1212")));
>     attributeSet.add(new LDAPAttribute("mail", new String("JSmith@Acme.com")));
> 
>     LDAPAttribute pwd = null;
>     attributeSet.add(pwd = new LDAPAttribute("userpassword", new String("newpassword")));
>     // This one becomes BINARY when stored, but it's a normal string in the constructor.
> 
>     LDAPAttribute cert = null;
> 
>     try {
>         byte[] crtBytes = certif.getEncoded(); // gets the DER version of the X509 - IAIK JCE library
> 
>         cert = new LDAPAttribute("userCertificate", crtBytes);
>         // or userSMIMECertificate
> 
>         //cert.addValue(crtBytes);
>         boolean added = attributeSet.add(cert);
> 
>         System.out.println("Certificate:\n" + "added=" + added + "\n" +
>                 cert.toString() + "\n\npwd=" + pwd.toString());
> 
>         String dn = "cn=JSmith Wilson 13," + containerName;
>         LDAPEntry newEntry = new LDAPEntry(dn, attributeSet);
> 
>         try {
>             // connect to the server
>             lc.connect(ldapHost, ldapPort);
>             // authenticate to the server
>             lc.bind(ldapVersion, loginDN, password);
> 
>             lc.add(newEntry);
>             System.out.println("\nAdded object: " + dn + " successfully.");
> 
>             // disconnect from the server
>             lc.disconnect();
>         }
>         catch (LDAPException e) {
>             System.out.println("Error:  " + e.toString());
>         }
>         System.exit(0);
>     }
>     catch (CertificateEncodingException e) {   // thrown by certif.getEncoded()
>         System.out.println("Error:  " + e.toString());
>     }