[389-users] retrieving x509 certificates using java

Luke Schierer luke-fds at schierer.org
Fri Mar 25 13:12:17 UTC 2011


We have a Java application that is attempting to pull the userCertificate
attribute from our 389ds LDAP server.  Looking at the LDAP logs, I see its
request, and it looks like it should be working, except for one oddity: it
is asking for the attribute "usercertificate;binary".  By attaching
Eclipse to the application, we have determined that the general flow of
the code is

import java.security.cert.CertStore;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.util.Collection;

<get certificate from client and put it into myCert>

// point the LDAP CertStore at the directory
LDAPCertStoreParameters loCertStoreParams =
    new LDAPCertStoreParameters(<ldap_host>, <ldap_port>);

CertStore loCertStore =
    CertStore.getInstance("LDAP", loCertStoreParams, "Sun");

X509CertSelector loTargetConstraints = new X509CertSelector();

lsSubjectDN = CSFGlobalPKIUtil.getSubjectDNFromCertificate(myCert);
// we have verified that everything works fine as far as this point.

// select by the subject DN taken from the client certificate
loTargetConstraints.setSubject(lsSubjectDN);
Collection loCol = loCertStore.getCertificates(loTargetConstraints);

Once the call to getCertificates is made, a query is built and sent to the
LDAP server using Java internal classes; we believe it is ultimately the
X509CertStoreLDAP class.  We do not have the source to debug this part of
the code, but at some point, without visible interaction in the source
code we do have, it chooses to ask for "usercertificate;binary" instead of
just "usercertificate".

Should 389ds be able to understand "usercertificate;binary"?  Is this a
misconfiguration on my part in the directory server, or is that not
something I should be expecting the directory to understand?

As a point of further information, when I try to replicate the behavior
using ldapsearch, I also fail to retrieve a certificate when I request
"usercertificate;binary" but succeed when I request only
"usercertificate".

Any help would be greatly appreciated.

Thanks!!

Luke
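As an added example (not the poster's application and not the Sun provider's
internal code), the same lookup done with JNDI so that the attribute
description sent to the directory is under your control: it requests both
"userCertificate" and "userCertificate;binary", parses whichever values come
back, and keeps only certificates whose subject DN matches. The LDAP URL and
base DN are placeholders, and it needs a reachable directory to run.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.x500.X500Principal;

public class LdapCertLookup {
    // Placeholders: replace with your own directory host, port and suffix.
    static final String LDAP_URL = "ldap://ldap.example.org:389";
    static final String BASE_DN  = "ou=People,dc=example,dc=org";
    // Both attribute descriptions are requested; the server answers with the one it accepts.
    static final String[] CERT_ATTRS = {"userCertificate", "userCertificate;binary"};

    /** Returns every certificate found under BASE_DN whose subject DN equals 'subject'. */
    static List<X509Certificate> findBySubject(X500Principal subject) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Make JNDI hand back userCertificate as byte[] even without the ;binary option.
        env.put("java.naming.ldap.attributes.binary", "userCertificate");
        LdapContext ctx = new InitialLdapContext(env, null);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(CERT_ATTRS);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> found = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, "(userCertificate=*)", sc);
        while (results.hasMore()) {
            Attributes attrs = results.next().getAttributes();
            for (String name : CERT_ATTRS) {
                Attribute a = attrs.get(name);          // attribute ids match case-insensitively
                if (a == null) continue;
                for (int i = 0; i < a.size(); i++) {
                    byte[] der = (byte[]) a.get(i);     // DER-encoded certificate value
                    X509Certificate c = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
                    if (c.getSubjectX500Principal().equals(subject)) found.add(c);
                }
            }
        }
        ctx.close();
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Example: java LdapCertLookup "CN=Jane Doe,OU=People,O=Example"
        for (X509Certificate c : findBySubject(new X500Principal(args[0])))
            System.out.println(c.getSubjectX500Principal() + " serial=" + c.getSerialNumber());
    }
}
```

Comparing which of the two attribute names actually carries values in the
result tells you, from the client side, how the directory treats the ";binary"
option.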
