[389-users] retrieving x509 certificates using java

Rich Megginson rmeggins at redhat.com
Tue Mar 29 20:20:25 UTC 2011


On 03/25/2011 07:12 AM, Luke Schierer wrote:
> We have a java application that is attempting to pull the userCertificate
> attribute from our 389ds ldap server.  Looking at the ldap logs, I see its
> request, and it looks like it should be working, except for one oddity, it
> is asking for the attribute "usercertificate;binary".  By attaching
> eclipse to the application, we have determined that the general flow of
> the code is
>
> <get certificate from client and put it into myCert>
>
> LDAPCertStoreParameters loCertStoreParams = new
> LDAPCertStoreParameters(<ldap_host>,<ldap_port>);
>
> CertStore loCertStore = CertStore.getInstance("LDAP", loCertStoreParams,
> "Sun");
>
> X509CertSelector loTargetConstraints = new X509CertSelector();
>
> lsSubjectDN = CSFGlobalPKIUtil.getSubjectDNFromCertificate(myCert);
> //we have verified that everything works fine as far as this point.
>
> loTargetConstraints.setSubject(lsSubjectDN);
> Collection loCol = loCertStore.getCertificates(loTargetConstraints);
>
> Once the call to getCertificates is made, a query is built and sent to the
> LDAP server using java internal classes, we believe it is ultimately the
> X509CertStoreLDAP class.  We do not have the source to debug this part of
> the code, but at some point, without visible interaction in the source
> code we do have, it chooses to ask for "usercertificate;binary" instead of
> just "usercertificate".
>
> Should the 389ds be able to understand "usercertificate;binary", and is
> this a misconfiguration on my part in the directory server, or is that not
> something I should be expecting the directory to understand?
The ;binary option was defined in http://www.ietf.org/rfc/rfc2251.txt
but dropped in http://www.ietf.org/rfc/rfc4511.txt (see C.1.7, Section
4.1.5.1 (Binary Option), and others).

So the real fix would be to change the client app to not use ";binary".
You could also file a bug/RFE against 389 to add support for legacy apps
that still use ";binary". Another fix would be to add a duplicate
attribute "usercertificate;binary" which is a duplicate of the
userCertificate attribute.
> As a point of further information, when I try to replicate the behavior
> using ldapsearch, I also fail to retrieve a certificate when I request
> "usercertificate;binary" but succeed when I request only
> "usercertificate".
>
> Any help would be greatly appreciated.
>
> Thanks!!
>
> Luke
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
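The following is an added example (not code from the original thread, the Sun LDAP CertStore, or the 389 project) of the first fix Rich suggests: have the client ask for "userCertificate" itself over JNDI instead of going through the "LDAP" CertStore, which is what emits the ";binary" option. It assumes an LDAP URL, the DN of the entry that holds the certificate, and the expected subject DN are supplied on the command line; all three are placeholders for your environment. The entry DN and subject DN are passed separately because a directory does not have to store a certificate under an entry whose DN equals the certificate's subject.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.x500.X500Principal;

/** Fetches userCertificate values by plain attribute name (no ";binary" option). */
public class LdapUserCertFetcher {

    /**
     * Decode every value of a (possibly multi-valued) userCertificate attribute and
     * keep only the certificates that satisfy the selector. Values that did not come
     * back as byte[] were not treated as binary by the provider and are skipped.
     */
    public static List<X509Certificate> decodeAndSelect(Attribute attr, X509CertSelector selector)
            throws Exception {
        List<X509Certificate> matches = new ArrayList<>();
        if (attr == null) {
            return matches; // entry exists but carries no userCertificate
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        NamingEnumeration<?> values = attr.getAll();
        while (values.hasMore()) {
            Object value = values.next();
            if (!(value instanceof byte[])) {
                continue;
            }
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream((byte[]) value));
            if (selector.match(cert)) {
                matches.add(cert);
            }
        }
        return matches;
    }

    /**
     * Read the entry named by entryDn, requesting only the "userCertificate"
     * attribute, and return the certificates whose subject equals subjectDn.
     */
    public static List<X509Certificate> fetchUserCertificates(String ldapUrl, String entryDn,
            String subjectDn) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl); // prefer an ldaps:// URL in production
        // Ask the JNDI LDAP provider to hand this attribute back as byte[] rather than String.
        env.put("java.naming.ldap.attributes.binary", "userCertificate");

        X509CertSelector selector = new X509CertSelector();
        selector.setSubject(new X500Principal(subjectDn));

        DirContext ctx = new InitialDirContext(env);
        try {
            // The attribute is requested as "userCertificate", exactly as the
            // ldapsearch that succeeded in the thread did, not "userCertificate;binary".
            Attributes attrs = ctx.getAttributes(entryDn, new String[] {"userCertificate"});
            return decodeAndSelect(attrs.get("userCertificate"), selector);
        } finally {
            ctx.close();
        }
    }

    // Usage: java LdapUserCertFetcher ldap://LDAP_HOST:389 "uid=alice,ou=People,dc=example,dc=com" "CN=alice,O=Example"
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: LdapUserCertFetcher <ldapUrl> <entryDn> <subjectDn>");
            System.exit(2);
        }
        List<X509Certificate> certs = fetchUserCertificates(args[0], args[1], args[2]);
        System.out.println(certs.size() + " certificate(s) matched subject " + args[2]);
        for (X509Certificate c : certs) {
            System.out.println("  serial=" + c.getSerialNumber().toString(16)
                    + " issuer=" + c.getIssuerX500Principal());
        }
    }
}
```

decodeAndSelect is kept separate from the network call so it can be exercised against an in-memory BasicAttribute holding DER bytes; X509CertSelector.match on each decoded value is the check that matters, since an entry may carry several certificates and the selector is what the original CertStore code relied on to pick the right one.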
