
[Solved] [JLDAP] Store X509 object programmatically (OpenLDAP)



Hi Sunil, thanks for verifying my certificate with your tool. Also thanks
for pointing out the wrong javadocs.

About the problem of storing an X509, I'm almost sure that I couldn't
view it because the Java-based LDAP Browser/Editor I have
misunderstood the format of the certificate entry.
After checking with the ldapsearch tool, I saw that the certificate entries
were made.
The next step was to get my (Java) hands on them, so I tried the Novell JLDAP
SearchUtil.java example... but I ended up with no certificates, again.
I had the 0-valued entry. :-(

Here's the command line used for SearchUtil:

-h localhost -D cn=Manager,dc=my-domain,dc=com -b dc=my-domain,dc=com
(Should return all subtree entries)

It turns out that it is a (Java) programming issue: the certificates are
there and valid but (my) Java cannot "see" them.

Seems like the problem is the BINARY format handling...

See this snippet from SearchUtil.java (around line 462; sorry, but I'm having
trouble with indentation from cut&paste):

/***************************/
if( options.getPrintAttrs()) {
    System.out.println("\tAttributes: ");

    LDAPAttributeSet attributeSet = entry.getAttributeSet();
    java.util.Iterator allAttributes = attributeSet.iterator();

    while( allAttributes.hasNext()) {
        LDAPAttribute attribute = (LDAPAttribute)allAttributes.next();
        String attributeName = attribute.getName();

        System.out.println("\t\t" + attributeName);

        Enumeration allValues = attribute.getStringValues();

        // Print attribute values
        // This assumes String values, but Java will create
        // something printable for even binary data, though
        // it may not mean much.

        if( allValues != null) {
            while(allValues.hasMoreElements()) {

                //Diego: Here is the problem because Java will NOT create something
                //printable, it won't even create something useful, since this cast to
                //String for the X509 entry will return a "0".

                String Value = (String) allValues.nextElement();
                System.out.println("\t\t\t" + Value);
            }
        }
    }
}
/*************************/



That's why probably also LDAP Browser/Editor showed "0" for the X509
Entry.

 
This little piece of code, put after the line reading "Enumeration
allValues ...", works OK for me:

/*************************************/

if (attributeName.equalsIgnoreCase("userCertificate;binary")) { // mind
    // the ";binary", using "userCertificate" only won't match (for me)

    byte[] uCert = attribute.getByteValue(); // get the byte array
    // representation of the previously stored X509 (DER format!)

    try {
        iaik.x509.X509Certificate c = new iaik.x509.X509Certificate(uCert);
        // This constructor takes a byte array to generate a certificate.
        // The byte array stored previously is correctly formatted for it, so we
        // have a certificate back!

        System.out.println("***************************** Retrieved binary X509 - BEGIN *****************************\n");

        System.out.println( c.toString()); // Just to be sure...

        System.out.println("***************************** Retrieved binary X509 - END *******************************\n");
    }
    catch (java.security.cert.CertificateException e) {
        // the constructor throws if the bytes are not a DER-encoded certificate
        System.out.println("\t\t\tcould not parse certificate: " + e);
    }
}

/*************************************/


Here's a sample output; as you can see, after the certificate dump there
is still the "0" produced by the original code.

/*******************/

cn=JSmith Wilson 28,dc=my-domain,dc=com
	Attributes: 
		cn
			JamesWilson  Smith
			Jim W. Smith
			Jimmy W. Smith
		telephoneNumber
			1 801 555 1212
		userPassword
			newpassword
		userCertificate;binary
***************************** Retrieved binary X509 - BEGIN
*****************************

Version: 3
Serial number: 410
Signature algorithm: 1.2.840.113549.1.1.5
Issuer: C=IT, O=LTT, OU=firma digitale, CN=CA LTT, EMail=ca@ltt.it
Valid not before: Thu May 15 15:06:56 CEST 2003
      not after: Fri May 14 15:06:56 CEST 2004
Subject: C=IT, O=LTT CQ, OU=sviluppo firma digitale,
CN=Pietralunga/Diego/PTRDGI74H18G337R, EMail=diego@ltt.it
com.sun.rsajca.JSA_RSAPublicKey@7a29a1
Extensions: 11
Certificate Fingerprint: D3:7B:22:83:B7:32:A9:A6:25:7B:12:4F:8E:93:80:3C

***************************** Retrieved binary X509 - END
*******************************

			0
		objectClass
			inetOrgPerson
		givenName
			James
			Jim
			Jimmy
		mail
			JSmith@Acme.com
		sn
			Smith
21 Entries found

/*******************/



Thanks again.

Bye,

Diego





On Tue, 2003-08-26 at 07:14, Sunil Kumar wrote:
> Hi Diego,
>     I have verified the added certificate in my configuration. I used
> Novell ConsoleOne to validate it and its showing that the added
> certificate is a valid one.
> 
> As far as the second problem reported by you i.e AttributeSet.add
> (LDAPAttribute) returns false. I looked at it and found that the
> Documentation in JavaDoc for attributeSet.add method is wrong. In
> javaDoc they have specified that:
> add() method will  "return true if the attribute was added."
> 
> Whereas actually it should be:-
> " return true if there was already a  previous value(non-null) for the
> specified attribute  in the attribute set ."
> 
> Also I have found one more wrong statement in the JavaDoc. They have
> mentioned:
>      * Adds the specified attribute to this set if it is not already
> present.
>      * <p>If an attribute with the same name already exists in the set
> then the
>      * specified attribute will not be added.</p>
> 
> Whereas  it should be:-
>      * Adds the specified attribute to this set if it is not already
> present.
>      * <p>If an attribute with the same name already exists in the set
> then the
>      * old specified value for the attribute will be replaced by the
> new Value..</p>
> 
> 
> Here is the modified JavaDoc which I am planning to checkin ,Steve/Anil
>  can you verify this and let me know before I checkin.
>     /**
>      * Adds the specified attribute to this set if it is not already
> present.
>      * <p>If an attribute with the same name already exists in the set
> then the
>      * old specified value for the attribute will be replaced by the
> new Value..</p>
>      *
>      * @param attr   Object of type <code>LDAPAttribute</code>
>      *
>      * @return true if there was already a  previous value(non-null)
> for the specified
>      *                       attribute  in the attribute set .
>      *
>      * @throws ClassCastException occurs the specified Object
>      * is not of type <code>LDAPAttribute</code>.
>      */
> 
> 
> Regards,
> -Sunil.
> 
> >>> Diego Pietralunga <diego@ltt.it> 8/25/2003 7:55:59 PM >>>
> Hi Sunil, thanks a lot for your time.
> 
> I've been investigating this issue so far...
> 
> Well... it's really strange... 
> First let me say that I had some strange glitches during
> experimentation, so I have a little doubt about my configuration,
> anyway...
> 
> I JUST found out that the (my/your) original code seems to work!
> 
> I mean that querying OpenLDAP with the ldapsearch tool, I can see the
> userCertificate entry. (I'm attaching an example inline at the bottom)
> While the LDAP Browser/editor can't see it (throws a
> CertificateParsingException... mmhhh, that's fishy)
> 
> So, I don't know if my certificate entries are valid; I tried to look
> up some addresses with Mozilla Messenger and Outlook but found no entries
> (looked for "Smith"). But maybe that means nothing...
> 
> The strange things on the programmatic side are:
> 
> 1) Looks like Nikita Bige's suggestion must be followed (append
> ";binary" to the entry name).
> 
> 2) AttributeSet.add (LDAPAttribute) returns a boolean; this boolean is
> always false when I add the certificate attribute and the connection
> to
> the server is established AFTER that check... I mean that return value
> is produced with no server intervention at that time (this should
> exclude a bug/error on the server side)... BUT (via command line) the
> certificate was ADDED.
> And no exceptions are thrown.
> /*
> Like this:
> 	boolean added = attributeSet.add(cert);
> 	System.out.println("Certificate:\n" + "added=" +added );
> Prints: added=false;
> */
> 
> 
> I don't know if this is a Java problem or what...
> 
> 
> 
> 
> 
> /* Snippet of the result (2 shown here) of the ldapsearch query */
> /**********************************************************/
> 
> # JSmith Wilson 21, my-domain.com
> dn: cn=JSmith Wilson 21,dc=my-domain,dc=com
> userCertificate;binary:: MIIEljCCA36gAwIBAgICAZowDQYJKoZIhvcNAQEFBQAwXzEYMBYGC
>  SqGSIb3DQEJARYJY2FAbHR0Lml0MQ8wDQYDVQQDEwZDQSBMVFQxFzAVBgNVBAsTDmZpcm1hIGRpZ2
>  l0YWxlMQwwCgYDVQQKEwNMVFQxCzAJBgNVBAYTAklUMB4XDTAzMDUxNTEzMDY1NloXDTA0MDUxNDE
>  zMDY1NlowgYoxGzAZBgkqhkiG9w0BCQEWDGRpZWdvQGx0dC5pdDErMCkGA1UEAxMiUGlldHJhbHVu
>  Z2EvRGllZ28vUFRSREdJNzRIMThHMzM3UjEgMB4GA1UECxMXc3ZpbHVwcG8gZmlybWEgZGlnaXRhb
>  GUxDzANBgNVBAoTBkxUVCBDUTELMAkGA1UEBhMCSVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAo
>  GBAMHNYDVjg3D9lEMRpa7xCJIwx+NbnntX0n7MxxFmxDiMLBliuC/IrEl3wXCh7crgZpY/Qio0Qez
>  hl7ZgDrN2BwvMG7MeOh1NOJTE0cdOLFNSLX/E6QTKpg6zxmlkLM9YLl4cTnP3oK56iAYFTlj5pBfy
>  FhLyTuq5azmzxIoz2jaRAgMBAAGjggGyMIIBrjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFo
>  DALBgNVHQ8EBAMCBsAwIwYJYIZIAYb4QgENBBYWFExUVCBVc2VyIENlcnRpZmljYXRlMB0GA1UdDg
>  QWBBT4mh1sf65EL/QDXCAUFE0Z9snP6zCBiAYDVR0jBIGAMH6AFCdAgXe3AZxcoOnj0Z1+y5pA07i
>  NoWOkYTBfMRgwFgYJKoZIhvcNAQkBFgljYUBsdHQuaXQxDzANBgNVBAMTBkNBIExUVDEXMBUGA1UE
>  CxMOZmlybWEgZGlnaXRhbGUxDDAKBgNVBAoTA0xUVDELMAkGA1UEBhMCSVSCAQAwCQYDVR0RBAIwA
>  DAJBgNVHRIEAjAAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vY2EubHR0Lml0L3Jhby9jcmwvY2Fjcm
>  wuY3JsMDEGCWCGSAGG+EIBAwQkFiJodHRwOi8vY2EubHR0Lml0L3Jhby9jcmwvY2FjcmwuY3JsMDY
>  GCWCGSAGG+EIBBwQpFidodHRwczovL2RpZ2lzaWduLmx0dC5pdC9jYS9yZXF1ZXN0Lmh0bWwwDQYJ
>  KoZIhvcNAQEFBQADggEBAJ2BRQb8f5BUagm9jIaheDoc3Xx+7Jmk9cVuWaiK8WnJxOIcdzK89zJhT
>  wVX7WFK7/HqgwlQmVpVp68t7KlcOdiXZhQQWFM7xGGHa8R8io6LStf9C71KBvaXtkg29BKtbJPTlE
>  GDGy2tDrj9TRWBA9BXyxaRWcxxr1j/LR5Vr9wttHpX/FEfsQr+JoFDNRWS0z/uToZ8OM7ofWwy/ZN
>  87shpE9Sw2oD1lHptaSEVLID58jZ0xIC3wgvNfPww2191iFrCaVVeFS9Zsf9lVq7Fr9IBc7xxBnt+
>  LpD89VZq40VhK6uJYoz2ZKjPEvq+JabmuyF7pxvwasm6+UNtsNB9V1E=
> userPassword:: bmV3cGFzc3dvcmQ=
> telephoneNumber: 1 801 555 1212
> cn: JamesWilson  Smith
> cn: Jim W. Smith
> cn: Jimmy W. Smith
> givenName: James
> givenName: Jim
> givenName: Jimmy
> objectClass: inetOrgPerson
> mail: JSmith@Acme.com 
> sn: Smith
> 
> # JSmith Wilson 25, my-domain.com
> dn: cn=JSmith Wilson 25,dc=my-domain,dc=com
> userCertificate;binary:: MIIEljCCA36gAwIBAgICAZowDQYJKoZIhvcNAQEFBQAwXzEYMBYGC
>  SqGSIb3DQEJARYJY2FAbHR0Lml0MQ8wDQYDVQQDEwZDQSBMVFQxFzAVBgNVBAsTDmZpcm1hIGRpZ2
>  l0YWxlMQwwCgYDVQQKEwNMVFQxCzAJBgNVBAYTAklUMB4XDTAzMDUxNTEzMDY1NloXDTA0MDUxNDE
>  zMDY1NlowgYoxGzAZBgkqhkiG9w0BCQEWDGRpZWdvQGx0dC5pdDErMCkGA1UEAxMiUGlldHJhbHVu
>  Z2EvRGllZ28vUFRSREdJNzRIMThHMzM3UjEgMB4GA1UECxMXc3ZpbHVwcG8gZmlybWEgZGlnaXRhb
>  GUxDzANBgNVBAoTBkxUVCBDUTELMAkGA1UEBhMCSVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAo
>  GBAMHNYDVjg3D9lEMRpa7xCJIwx+NbnntX0n7MxxFmxDiMLBliuC/IrEl3wXCh7crgZpY/Qio0Qez
>  hl7ZgDrN2BwvMG7MeOh1NOJTE0cdOLFNSLX/E6QTKpg6zxmlkLM9YLl4cTnP3oK56iAYFTlj5pBfy
>  FhLyTuq5azmzxIoz2jaRAgMBAAGjggGyMIIBrjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFo
>  DALBgNVHQ8EBAMCBsAwIwYJYIZIAYb4QgENBBYWFExUVCBVc2VyIENlcnRpZmljYXRlMB0GA1UdDg
>  QWBBT4mh1sf65EL/QDXCAUFE0Z9snP6zCBiAYDVR0jBIGAMH6AFCdAgXe3AZxcoOnj0Z1+y5pA07i
>  NoWOkYTBfMRgwFgYJKoZIhvcNAQkBFgljYUBsdHQuaXQxDzANBgNVBAMTBkNBIExUVDEXMBUGA1UE
>  CxMOZmlybWEgZGlnaXRhbGUxDDAKBgNVBAoTA0xUVDELMAkGA1UEBhMCSVSCAQAwCQYDVR0RBAIwA
>  DAJBgNVHRIEAjAAMDEGCWCGSAGG+EIBBAQkFiJodHRwOi8vY2EubHR0Lml0L3Jhby9jcmwvY2Fjcm
>  wuY3JsMDEGCWCGSAGG+EIBAwQkFiJodHRwOi8vY2EubHR0Lml0L3Jhby9jcmwvY2FjcmwuY3JsMDY
>  GCWCGSAGG+EIBBwQpFidodHRwczovL2RpZ2lzaWduLmx0dC5pdC9jYS9yZXF1ZXN0Lmh0bWwwDQYJ
>  KoZIhvcNAQEFBQADggEBAJ2BRQb8f5BUagm9jIaheDoc3Xx+7Jmk9cVuWaiK8WnJxOIcdzK89zJhT
>  wVX7WFK7/HqgwlQmVpVp68t7KlcOdiXZhQQWFM7xGGHa8R8io6LStf9C71KBvaXtkg29BKtbJPTlE
>  GDGy2tDrj9TRWBA9BXyxaRWcxxr1j/LR5Vr9wttHpX/FEfsQr+JoFDNRWS0z/uToZ8OM7ofWwy/ZN
>  87shpE9Sw2oD1lHptaSEVLID58jZ0xIC3wgvNfPww2191iFrCaVVeFS9Zsf9lVq7Fr9IBc7xxBnt+
>  LpD89VZq40VhK6uJYoz2ZKjPEvq+JabmuyF7pxvwasm6+UNtsNB9V1E=
> userPassword:: bmV3cGFzc3dvcmQ=
> telephoneNumber: 1 801 555 1212
> cn: JamesWilson  Smith
> cn: Jim W. Smith
> cn: Jimmy W. Smith
> givenName: James
> givenName: Jim
> givenName: Jimmy
> objectClass: inetOrgPerson
> mail: JSmith@Acme.com 
> sn: Smith
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 21
> # numEntries: 20
> 
> /*********************************************************/
> 
> On Mon, 2003-08-25 at 13:41, Sunil Kumar wrote:
> > Hi Diego,
> >   I tried to do the same thing but am able to add it successfully. Only
> > difference was that I used eDirectory as an ldap server where I have
> > added the entry.
> > 
> > I have attached the sample code with this mail which I used to add the
> > entry with the certificate. Have a look at it and let me know if this
> > doesn't help you.
> > 
> > I used the ldapsearch command line tool to verify whether the
> > usercertificate attribute contains any value or not. I have attached a
> > text file containing the search result.
> > 
> > 
> > Regards,
> > -Sunil
> > 
> > 
> > >>> Anil Kumar Kommuri 8/25/2003 3:26:25 PM >>>
> > JLDAP query.  
> > regards
> > anil.
> > 
> > >>> Diego Pietralunga <diego@ltt.it> 25-Aug-03 3:08:48 PM >>>
> > Hello everybody,
> > 
> > first post!
> > Hope this is not OT.
> > 
> > 
> > I'm trying to use Novell JLDAP API (June 04, 2003 release) to interface
> > to OpenLDAP 2.1.10 on a RH 8.0 linux box.
> > 
> > Standard operations seem to work, but I could not get to store an
> > X509Certificate object, based on the AddEntry.java example.
> > I can add the entry (used userCertificate and userSMIMECertificate) but
> > the value shown is '0'.
> > I'm _quite_ sure I passed the X509 as DER...
> > I tried both the constructor, LDAPAttribute(Object,byte[]), and the
> > method addValue(byte[]).
> > 
> > 
> > Looks like it's not converted to BINARY...
> > 
> > Oddly, the password object is marked as binary (used LDAP
> > browser/editor
> > to check)
> > 
> > 
> > Can anyone help?
> > 
> > 
> > Here's my code snippet:
> > /****************************************************************/
> > 
> > /*
> > Get the certificate, connection, etc...
> > Then...
> > (needs: import com.novell.ldap.*; at the top of the class)
> > */
> > 
> > LDAPConnection lc = new LDAPConnection();
> > LDAPAttribute attribute = null;
> > LDAPAttributeSet attributeSet = new LDAPAttributeSet();
> > 
> > attributeSet.add( new LDAPAttribute("objectclass", new String("inetOrgPerson")));
> > attributeSet.add( new LDAPAttribute("cn",
> >     new String[]{"JamesWilson  Smith", "Jim W. Smith", "Jimmy W. Smith"}));
> > attributeSet.add( new LDAPAttribute("givenname",
> >     new String[]{"James", "Jim", "Jimmy" }));
> > attributeSet.add( new LDAPAttribute("sn", new String("Smith")));
> > attributeSet.add( new LDAPAttribute("telephonenumber", new String("1 801 555 1212")));
> > attributeSet.add( new LDAPAttribute("mail", new String("JSmith@Acme.com")));
> > 
> > LDAPAttribute pwd = null;
> > attributeSet.add( pwd = new LDAPAttribute("userpassword", new String("newpassword")));
> > //This one becomes BINARY when stored, but it's a normal string in the constructor.
> > 
> > LDAPAttribute cert = null;
> > 
> > try {
> >     byte[] crtBytes = certif.getEncoded(); // gets the DER version of the
> >                                            // X509 - IAIK JCE library
> > 
> >     cert = new LDAPAttribute("userCertificate",crtBytes);
> >     // or userSMIMECertificate
> > 
> >     //cert.addValue(crtBytes);
> >     boolean added = attributeSet.add(cert);
> > 
> >     System.out.println("Certificate:\n" + "added=" +added + "\n" +
> >         cert.toString() +"\n\npwd=" + pwd.toString());
> > 
> >     String dn = "cn=JSmith Wilson 13," + containerName;
> >     LDAPEntry newEntry = new LDAPEntry( dn, attributeSet );
> > 
> >     try {
> >         // connect to the server
> >         lc.connect( ldapHost, ldapPort );
> >         // authenticate to the server
> >         lc.bind( ldapVersion, loginDN, password );
> > 
> >         lc.add( newEntry );
> >         System.out.println( "\nAdded object: " + dn + " successfully." );
> > 
> >         // disconnect with the server
> >         lc.disconnect();
> >     }
> >     catch( LDAPException e ) {
> >         System.out.println( "Error:  " + e.toString());
> >     }
> >     System.exit(0);
> > }
> > catch( java.security.cert.CertificateEncodingException e ) {
> >     // getEncoded() throws if the certificate cannot be DER-encoded
> >     System.out.println( "Error:  " + e.toString());
> > }
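The thread's fix turned on two things: the value of a `userCertificate;binary` attribute is a DER byte string, so anything that casts it to a String (the `getStringValues()` loop, the LDAP browser) shows garbage, and the attribute name comes back with the `;binary` transfer option attached, so an exact match on `userCertificate` misses it. What follows is an added example, not code from the thread or from JLDAP, written in Python so it runs offline against the ldapsearch output format shown above: it unfolds LDIF, base64-decodes `::` values, matches attribute types while ignoring options, and reads version and serial number straight out of the DER instead of decoding it as text. The sample LDIF and the certificate value in it are constructed (the value is a hand-built DER stub holding only a version and a serial number, not a real certificate); the 24-character base64 prefix is copied from the real value in the ldapsearch output above and decodes to its DER header. The `userPassword:: bmV3cGFzc3dvcmQ=` line in that output base64-decodes to the literal string `newpassword`, i.e. the password is stored without a `{SCHEME}` hash prefix, so the example flags that too.

```python
"""Added example (not from the thread): read ldapsearch/LDIF output, keep
base64 ('::') values as bytes, and inspect userCertificate as DER, not text."""
import base64
import hashlib

# --- minimal DER helpers: single-byte tags, definite lengths only ----------
def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a DER definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_header(buf: bytes, pos: int = 0):
    """Return (tag, content_length, content_start) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, first, pos
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    nbytes = first & 0x7F
    if pos + nbytes > len(buf):
        raise ValueError("truncated length field")
    return tag, int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes

def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, content, end); refuse content that runs past the buffer."""
    tag, length, start = der_header(buf, pos)
    end = start + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[start:end], end

def der_children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, body, pos = der_decode(content, pos)
        yield tag, body

def cert_summary(der: bytes) -> dict:
    """Read version and serialNumber from Certificate.tbsCertificate (RFC 5280)."""
    tag, outer, end = der_decode(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE, so not a certificate")
    tbs_tag, tbs, _ = der_decode(outer)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(tbs))
    version = 1                       # v1 certificates omit the [0] version
    if fields and fields[0][0] == 0xA0:
        _, vbody, _ = der_decode(fields[0][1])
        version = int.from_bytes(vbody, "big") + 1
        fields = fields[1:]
    if not fields or fields[0][0] != 0x02:
        raise ValueError("serialNumber INTEGER missing")
    return {"version": version,
            "serial": int.from_bytes(fields[0][1], "big", signed=True)}

def fingerprint(der: bytes) -> str:
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def as_text_or_none(value: bytes):
    """What a String cast does to DER: it is not valid UTF-8, so no text exists."""
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return None

# --- LDIF as ldapsearch prints it ------------------------------------------
def parse_ldif(text: str) -> list:
    """Entries as {'dn': str, 'attrs': {name-with-options: [bytes, ...]}}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line:                               # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith("<"):
            raise ValueError("URL-valued attributes are not handled here")
        if rest.startswith(":"):                   # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            value = rest.strip().encode("utf-8")
        if name.lower() == "dn":
            current = {"dn": value.decode("utf-8"), "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before dn")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries

def attribute_values(attrs: dict, wanted: str) -> list:
    """Match the attribute type case-insensitively and ignore transfer options,
    so asking for 'userCertificate' also finds 'userCertificate;binary'."""
    base = wanted.split(";")[0].lower()
    return [v for name, vals in attrs.items()
            if name.split(";")[0].lower() == base for v in vals]

def password_is_cleartext(value: bytes) -> bool:
    """Hashed OpenLDAP passwords carry a '{SCHEME}' prefix; anything else is verbatim."""
    return not value.startswith(b"{")

def summarize_entry(entry: dict) -> dict:
    certs = [dict(cert_summary(d), fingerprint_sha256=fingerprint(d))
             for d in attribute_values(entry["attrs"], "userCertificate")]
    pws = attribute_values(entry["attrs"], "userPassword")
    return {"dn": entry["dn"], "certificates": certs,
            "cleartext_password": any(password_is_cleartext(p) for p in pws)}

# --- constructed sample input, modelled on the ldapsearch output in the thread ---
# Not a real certificate: only tbsCertificate's version [0] and serialNumber.
SAMPLE_CERT_DER = der_encode(0x30, der_encode(0x30,
    der_encode(0xA0, der_encode(0x02, b"\x02"))        # version: v3 (value 2)
    + der_encode(0x02, b"\x01\x9a")))                 # serialNumber: 410

def _fold(line: str, width: int = 40) -> str:
    """LDIF folding: continuation lines start with one space (ldapsearch folds at 76)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

SAMPLE_LDIF = "\n".join([
    "# JSmith Wilson 21, my-domain.com",
    "dn: cn=JSmith Wilson 21,dc=my-domain,dc=com",
    _fold("userCertificate;binary:: " + base64.b64encode(SAMPLE_CERT_DER).decode()),
    "userPassword:: bmV3cGFzc3dvcmQ=",    # base64 of the literal 'newpassword'
    "cn: Jim W. Smith",
    "objectClass: inetOrgPerson",
    "",
])

# First 24 base64 chars of the real value in the thread: SEQUENCE, long-form
# length 0x0496 = 1174 bytes, i.e. a DER certificate, never printable text.
THREAD_CERT_B64_PREFIX = "MIIEljCCA36gAwIBAgICAZow"

def b64_der_header(prefix: str):
    return der_header(base64.b64decode(prefix))

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(summarize_entry(entry))
    print(b64_der_header(THREAD_CERT_B64_PREFIX))
```

Running the file prints the summary of the constructed entry (version 3, serial 410, cleartext password flagged) and the header of the thread's real value (tag 0x30, 1174 bytes). The same byte-first discipline applies in the thread's Java: read the attribute with `getByteValues()` rather than `getStringValues()`, and hand each value to `java.security.cert.CertificateFactory.getInstance("X.509")`, which parses DER without the IAIK dependency; that is a suggestion of this editor, not what the thread's code does.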