on 08-08-2013 2:07 PM
Hello,
I have an issue with the SAP Security library.
I'm trying to validate an SSO ticket. It seems the SAP Security library cannot find the certificate because of a whitespace issue.
Indeed, the issuer of my certificate is "OU=J2EE, CN=TEST" and the issuer from SSO ticket seems to be "OU=J2EE,CN=TEST".
For the issuer from the SSO ticket, I'm not really sure because the SAP Security library doesn't provide a method to extract the issuer field.
In fact, I'm using the same ticket and library in Production environment.
And I'm trying to reproduce the ticket validation in Java.
My questions are:
- Can we force the issuer value used on the SAP Security library side?
- Is this issue a known bug? If yes, which SAP Security library version should I use?
- Is there a workaround?
===== Ticket.toString() =====
Ticket Version = 2
Ticket Codepage = 1100 (Encoding=ISO8859_1)
User = Z99999990742
Issuing System ID = TEST
Issuing System Client = 000
Creation Time = 201307230729
Valid Time = 8 h 0 min
Valid from Tue Jul 23 09:29:00 CEST 2013 until Tue Jul 23 17:29:00 CEST 2013
Signature (length=261 bytes)
InfoUnit 32, length=19
InfoUnit 136, length=19
InfoUnit 10, length=12
===== Some Test =====
com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE, CN=TEST", BigInteger.ZERO); --> Found
com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE,CN=TEST", BigInteger.ZERO); --> Didn't find
====== Certificate.toString() ======
[
Version: V1
Subject: OU=J2EE, CN=TEST
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
Key: Sun DSA Public Key
Parameters:DSA
p: X
q: X
g: X
y: X
Validity: [From: Fri Mar 23 14:54:28 CET 2007,
To: Tue Mar 23 14:54:28 CET 2027]
Issuer: OU=J2EE, CN=TEST
SerialNumber: [ 00]
]
====== Certificate Importation ======
> keytool -import -alias certificate -file TEST_000.crt -keypass password -keystore storekey.jks -storepass password
Propriétaire : OU=J2EE, CN=TEST
Emetteur : OU=J2EE, CN=TEST
Numéro de série : 0
Valide du : Mon Sep 24 11:12:42 CEST 2007 au : Fri Sep 24 11:12:42 CEST 2027
Empreintes du certificat :
MD5: X
SHA1 : X
SHA256 : X
Nom de l'algorithme de signature : SHA1withDSA
Version : 1
Faire confiance à ce certificat ? [non] : oui
Certificat ajouté au fichier de clés
===== Error raised =====
Caused by: java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=TEST", S/N=0) not found.
at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:1016)
at org.eurocopter.sap.security.impl.SAPTicketValidation.verifyTicket(SAPTicketValidation.java:231)
==== Java version ======
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)
==== SAP Security version ======
environment: com.sap.security.api
Implementation-Vendor-Id: sap.com
Implementation-Version: 7.0107.20120601132146.0000
environment: com.sap.security.core
Implementation-Vendor-Id: sap.com
Implementation-Version: 7.0107.20120601132146.0000
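The mismatch described above is a plain string comparison of two spellings of the same distinguished name. The following added example (not code from the post or from the SAP library) shows how the two issuer strings compare naively versus after RFC 2253 canonicalisation with the JDK's own `X500Principal` and `LdapName`; `matchesIssuer` is a hypothetical helper showing how a whitespace-tolerant certificate lookup would be written.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;

public class IssuerDnCompare {
    // The two spellings from the post: the certificate's issuer and the one in the error message
    static final String CERT_ISSUER = "OU=J2EE, CN=TEST";
    static final String TICKET_ISSUER = "OU=J2EE,CN=TEST";

    /** Plain string comparison; this is the kind of check that fails on the extra space. */
    static boolean naiveMatch(String a, String b) {
        return a.equals(b);
    }

    /** RFC 2253-aware comparison: CANONICAL form strips whitespace around separators and folds case. */
    static boolean canonicalMatch(String a, String b) {
        String ca = new X500Principal(a).getName(X500Principal.CANONICAL);
        String cb = new X500Principal(b).getName(X500Principal.CANONICAL);
        return ca.equals(cb);
    }

    /** Same check with LdapName, whose equals() compares the RDN list structurally. */
    static boolean ldapNameMatch(String a, String b) throws InvalidNameException {
        return new LdapName(a).equals(new LdapName(b));
    }

    /** Hypothetical tolerant lookup: compare issuer DN in canonical form plus the serial number. */
    static boolean matchesIssuer(X509Certificate cert, String issuerDn, BigInteger serial) {
        String certIssuer = cert.getIssuerX500Principal().getName(X500Principal.CANONICAL);
        String wanted = new X500Principal(issuerDn).getName(X500Principal.CANONICAL);
        return certIssuer.equals(wanted) && cert.getSerialNumber().equals(serial);
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println("naive:     " + naiveMatch(CERT_ISSUER, TICKET_ISSUER));
        System.out.println("canonical: " + canonicalMatch(CERT_ISSUER, TICKET_ISSUER));
        System.out.println("LdapName:  " + ldapNameMatch(CERT_ISSUER, TICKET_ISSUER));
        // RFC 2253 spelling of each side, useful when logging which form a component emits
        System.out.println(new X500Principal(CERT_ISSUER).getName(X500Principal.RFC2253));
        System.out.println(new X500Principal(TICKET_ISSUER).getName(X500Principal.RFC2253));
    }
}
```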
As a workaround you could try to create the issuer DN so that it only contains CN; OU is not required. Of course, the subject has to match.
As I said, it's an existing production environment. It's not possible to change the certificate or ticket format. Otherwise, I cannot imagine the consequences of such a change.
The best option is to find a workaround on SAP Security client library like override class or method.
Can we do that with the SAP Security library? I would like to force the issuer value inside the library code.
I don't think that is something you can do; SAP doesn't provide source code for SAP Cryptolib. Since you are an SAP employee, you could contact the product manager for SAP Cryptolib internally and get in touch with the people involved in SAP Cryptolib development. Creating a support message is another option. Maybe they could point you in the right direction.