IllegalArgumentException: Unknown object id - DNQ - passed to distinguished name #1622
Comments
@ralfhauser Can you give sample code of what you're attempting to do? It appears our code expects the identifier This matches OpenSSL's output for this certificate:
However, it does appear to be missing from our Are you aware of a reference calling this
Hi Alexander,
@ralfhauser Interesting... What version of BC are you running? I get the following:

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class Main {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // The reported certificate, inlined as a PEM string
        StringReader sr = new StringReader("-----BEGIN CERTIFICATE-----\nMIIF+jCCBOKgAwIBAgIIORHp/nZXM3owDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE\nBhMCSVQxJDAiBgNVBAoMG05hbWlyaWFsIFMucC5BLi8wMjA0NjU3MDQyNjEgMB4G\nA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMMHU5hbWlyaWFs\nIENBIEZpcm1hIFF1YWxpZmljYXRhMB4XDTIyMTIxOTEwMzUwMFoXDTI1MTIxNzIz\nMDAwMFowgZExCzAJBgNVBAYTAklUMRMwEQYDVQQEDApWSU5BVFRJRVJJMRAwDgYD\nVQQqDAdHSUFDT01PMR8wHQYDVQQFExZUSU5JVC1WTlRHQ003NUEyMUQ2MTJGMRsw\nGQYDVQQDDBJWSU5BVFRJRVJJIEdJQUNPTU8xHTAbBgNVBC4TFExPVkcyMDIyMTIx\nNjMxMTk5NzAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhcdxxuHh\nxhimZ5OWvGS1JPiDAxzwUr1f5TMEyzEdr0MqkG+DCcl0dmLhChya9j4WxaSgVkDP\n+YF8p+Ki/bRaQo/7UrA6Jr3q1Q3IPTrk2py5dsrhh9BlYjCBnNvkpZFqJyrPjn0B\ncyr3AgPslpqoMr6Hwy8z1OjqbpI24rv14XpIOfYBDb7ZO/mcVWEKR99Szbo+zI5b\n1k0mfNx9YErOiNoNCnzVz/n5cKKTSK8j/MQfznALyTALJNvoMVgf+iUVYOnDtloT\nWnnE7ro2KmHxjhrn0Sy7mLDe6LiE7rdlsZ35H5KuPJ8JHKaxbliu6ZHl4vyn5N+j\nc/Y6yw2OhybD/QIDAQABo4ICZzCCAmMwgZwGCCsGAQUFBwEBBIGPMIGMMFEGCCsG\nAQUFBzAChkVodHRwczovL2RvY3MubmFtaXJpYWx0c3AuY29tL2RvY3VtZW50cy9O\nYW1pcmlhbENBRmlybWFRdWFsaWZpY2F0YS5jcnQwNwYIKwYBBQUHMAGGK2h0dHA6\nLy9vY3NwLm5hbWlyaWFsdHNwLmNvbS9vY3NwL2NlcnRzdGF0dXMwHQYDVR0OBBYE\nFMT24uLpEFwHzv+KAGTrpaBG47OdMB8GA1UdIwQYMBaAFGP97eaMYkdIz+oJQXN2\nEeJkYnsQMIHNBggrBgEFBQcBAwSBwDCBvTAIBgYEAI5GAQEwCwYGBACORgEDAgEU\nMAgGBgQAjkYBBDATBgYEAI5GAQYwCQYHBACORgEGATCBhAYGBACORgEFMHowOxY1\naHR0cHM6Ly9kb2NzLm5hbWlyaWFsdHNwLmNvbS9kb2N1bWVudHMvUERTL1BEU19l\nbi5wZGYTAmVuMDsWNWh0dHBzOi8vZG9jcy5uYW1pcmlhbHRzcC5jb20vZG9jdW1l\nbnRzL1BEUy9QRFNfaXQucGRmEwJpdDBaBgNVHSAEUzBRMAkGBwQAi+xAAQIwOgYL\nKwYBBAGCmmsBAQIwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9kb2NzLm5hbWlyaWFs\ndHNwLmNvbS8wCAYGBACPegECMEYGA1UdHwQ/MD0wO6A5oDeGNWh0dHA6Ly9jcmwu\nbmFtaXJpYWx0c3AuY29tL0Zpcm1hQ2VydGFRdWFsaWZpY2F0YTEuY3JsMA4GA1Ud\nDwEB/wQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAQEASrkvsTg+7AJCvU9+KYqnjrcl\n5L8VZhKrDWFHAeQOGK+vBoRuDXqmrmuaSaiJbKGY6A7VL4SSV1SeJYAIKR4FdyDR\nr6XH5Hcw5b8k5IjcFU9a5oUMbRv7ie2A6vluRoHV9njDcBasKoAs3a/iYtptq2t3\n0TEXdadj8NPlCYZsZaptBUhIZGnpKmYye8UP/g98Sy955PxEhMiqfL53iwp4FdBJ\n/Asx0acMTwVB1sok+LxNAnLAufhj6xvMaXPLoJ8E23OlrgOle9baRKhKO+TfNamw\nton3fJUp2/dvGc5GEvp9gEN0sQSksPLd3y8ZePsauWWLkO0H89ykEnnKeUYOUA==\n-----END CERTIFICATE-----\n");

        // Parse the PEM with BC's lightweight API and pull out the subject as an X500Name
        PEMParser p = new PEMParser(sr);
        Object o = p.readObject();
        System.out.println("Got: " + o);
        X509CertificateHolder bcCert = (X509CertificateHolder)o;
        System.out.println("BC Cert: " + bcCert);
        X500Name bcSubj = bcCert.getSubject();
        System.out.println("BC Subject: " + bcSubj);

        // Re-read the same DER through the JCA CertificateFactory (BC provider) and get the
        // subject as a JDK X500Principal, whose toString() spells the attribute differently
        byte[] data = bcCert.getEncoded();
        CertificateFactory cf = CertificateFactory.getInstance("X509", "BC");
        Certificate jCert = cf.generateCertificate(new ByteArrayInputStream(data));
        System.out.println("Java Cert:" + jCert);
        X509Certificate xCert = (X509Certificate)jCert;
        System.out.println("X509 Java Cert:" + xCert);
        X500Principal xPrinc = xCert.getSubjectX500Principal();
        System.out.println("X500 Principal: " + xPrinc);
    }
}
```
but I will admit I'm on the as-of-yet unreleased BC 1.78. However, it doesn't look like this code has changed in a while. I went through PEMParser because I wanted to see what the internal
bc*-jdk18on-171.jar
If you add one line to your code, it is reproducible: `... X500Name subDN = new X500Name(xPrinc.toString());`
@ralfhauser Have you seen the alternative
This would let you parse DQNs directly in this format:
bc-java/core/src/test/java/org/bouncycastle/asn1/test/X500NameTest.java Lines 693 to 703 in 5b13608
bc-java/core/src/test/java/org/bouncycastle/asn1/test/X500NameTest.java Lines 184 to 187 in 5b13608
If you're willing to modify your application code, I think this will work the best, and follows what was originally intended (w.r.t. custom names for OIDs). Let me know what you think!
Why can't the simple constructor handle this? `private static X500NameStyle defaultStyle = DNQStyle.INSTANCE; //BCStyle.INSTANCE;` As it extends BCStyle, it seems to be backward compatible (except for the IllegalArgumentException, which probably almost nobody is keen on seeing?).
@ralfhauser Perhaps @dghgit can weigh in... My understanding is a style class allows for overriding our understanding/parsing of string attributes into proper RDN sequences. You might prefer A custom style parser gives you the flexibility to set the string form+identifiers of RDN attributes you want to see/understand/parse (and extending My 2c -- but this was likely written for exactly this type of extensibility. Whether or not we want to add it to the default constructor (and if we'll add it as
Hi @ralfhauser, it has been a while since this has come up. So, the issue is it's not that anyone's right or wrong, and this isn't the first time we've found ourselves and Sun/Oracle using different symbols. IBM, for example, tend to treat this one as DNQUALIFIER; in our case it's always been "DN" (looking at RFC 4519 I have to admit IBM's probably the closest to correct, although we actually added the attribute before RFC 4519 came out, I'd guess based on either what OpenSSL was using at the time, or what Sun was using at the time; it was around 2005 though, so while I was around, I'm afraid the what and who in regards to this one are well lost in time). What I've found in general is that avoiding converting directory names to strings until you actually have to hand one over to a human is the best idea, as the alternative is a path to madness. The following will allow you to convert the directory name without issue:
Now, if you'd like that to print just as the Oracle one does, there's a choice between using the X500NameStyle class as @cipherboy suggests (which can be useful if you like life with X500Name) or simply doing the reverse at output time, i.e.:
It all depends how you want to play it. The one thing you can be confident of is that, whatever decision you make, you'll almost certainly run into someone that wants it done differently, so I would recommend allowing for flexibility.
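The two routes discussed in this thread side by side, as an added example that is not code from the thread or from bc-java: converting between `X500Principal` and `X500Name` through the DER encoding (dghgit's advice to avoid the string form) and parsing the Oracle-spelled string with a custom `X500NameStyle` (cipherboy's suggestion). `DNQ_STYLE`, the helper names and the subject values are assumptions constructed for this example; it relies on `BCStyle` exposing its `defaultLookUp`/`defaultSymbols` tables to subclasses.

```java
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameStyle;
import org.bouncycastle.asn1.x500.style.BCStyle;

public class DnqRoundTrip {
    // Hypothetical style, not one shipped by BC: BCStyle plus the "DNQ" keyword that
    // X500Principal.toString() emits for dnQualifier (2.5.4.46), which BCStyle spells "DN".
    static final X500NameStyle DNQ_STYLE = new BCStyle() {
        {
            defaultLookUp.put("dnq", DN_QUALIFIER);   // accept "DNQ=" on parse (lookup keys are lower case)
            defaultSymbols.put(DN_QUALIFIER, "DNQ");  // print 2.5.4.46 as "DNQ" instead of "DN"
        }
    };

    // Route 1: stay in DER and never parse a display string at all.
    static X500Name fromPrincipal(X500Principal p) {
        return X500Name.getInstance(p.getEncoded());
    }

    static X500Principal toPrincipal(X500Name n) throws java.io.IOException {
        return new X500Principal(n.getEncoded());
    }

    // Route 2: parse the Oracle-style string with a style that knows the "DNQ" keyword.
    static X500Name fromOracleString(String dn) {
        return new X500Name(DNQ_STYLE, dn);
    }

    public static void main(String[] args) throws Exception {
        // Constructed subject in the shape of the reported certificate; the values are made up.
        X500Principal principal = new X500Principal(
            "CN=Example Signer, DNQ=EXAMPLE-DNQ-0001, SERIALNUMBER=TINIT-EXAMPLE, C=IT");
        String oracleForm = principal.toString();   // spells the qualifier as "DNQ=..."

        try {
            new X500Name(oracleForm);               // default BCStyle: the failure from this issue
        } catch (IllegalArgumentException e) {
            System.out.println("default style: " + e.getMessage());
        }

        X500Name viaDer = fromPrincipal(principal);
        System.out.println("via DER:      " + viaDer);              // BCStyle output, "DN=" spelling
        System.out.println("via DER back: " + toPrincipal(viaDer)); // JDK output, "DNQ=" spelling again

        X500Name viaStyle = fromOracleString(oracleForm);
        System.out.println("custom style: " + viaStyle);            // keeps DNQ_STYLE, prints "DNQ="
    }
}
```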
A qualified Italian QES cert seems to throw this error
dnq.pem.txt
Are they wrong?
Edited for clarity by @cipherboy.