Supply more detail on unconvertable X.509 certificates
Description
The X509ValidationStage converts an X.509 certificate expressed as Base64 first to a byte array and then to an X509Certificate object. If either of these operations fails for any reason, the same error status is added: could not convert X509Certficate data.
While true, this is not actually helpful in the case where a purported certificate is unacceptable.
The stage should split the two basic cases, and pass through the detail message at least in the case of a caught CertificateException.
The prompting use case is an eduGAIN entity whose certificate has null issuer and null subject. Java rejects this with Empty issuer DN not allowed in X509Certificates.
While this arguably isn’t a constraint that needs to apply in the case of X.509 certificates wrapping public keys in SAML metadata, most Java code trying to interpret the certificate is going to fail so at the very least it’s a serious potential interoperability issue. I don’t know whether the IdP would face the same issue, but if it did I certainly wouldn’t advocate for dodging the issue by parsing certificates in some other way.
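The two-step conversion described above, with the two failure cases kept apart and the JDK's CertificateException detail passed through as the issue proposes, as an added example. This is not the MDA's own X509ValidationStage code: the class name CertificateDecodingExample, the CertificateDecodingException type, the decode method and the sample inputs are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Illustrative decoder that keeps the two failure modes separate.
 * Assumed names for this example only; not the MDA's own implementation.
 */
public final class CertificateDecodingExample {

    /** Carries a message saying which step failed and why. */
    public static final class CertificateDecodingException extends Exception {
        public CertificateDecodingException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Step 1: Base64 text to bytes. Failure here means the value is not Base64 at all.
     * Step 2: bytes to X509Certificate. Failure here is a CertificateException from the
     * JDK's X.509 parser, whose detail message (for instance an empty issuer DN) is
     * the part an operator actually needs to see.
     */
    public static X509Certificate decode(String base64) throws CertificateDecodingException {
        // Metadata values are usually wrapped; the basic decoder rejects whitespace,
        // so strip it first and let any other illegal character fail step 1.
        final String stripped = base64.replaceAll("\\s+", "");
        final byte[] der;
        try {
            der = Base64.getDecoder().decode(stripped);
        } catch (IllegalArgumentException e) {
            throw new CertificateDecodingException(
                "could not Base64-decode X509Certificate data: " + e.getMessage(), e);
        }
        if (der.length == 0) {
            throw new CertificateDecodingException("X509Certificate data is empty", null);
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        } catch (CertificateException e) {
            // Pass the JDK's own diagnosis through instead of replacing it with a
            // generic "could not convert" message.
            throw new CertificateDecodingException(
                "could not parse X509Certificate data: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for this example: one that is not Base64, and one that is
        // valid Base64 of bytes that are not a DER-encoded certificate.
        String[] samples = {
            "this is not base64!!",
            Base64.getEncoder().encodeToString(
                "not a certificate".getBytes(StandardCharsets.US_ASCII)),
        };
        for (String sample : samples) {
            try {
                X509Certificate cert = decode(sample);
                System.out.println("parsed: " + cert.getSubjectX500Principal());
            } catch (CertificateDecodingException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The first sample fails in the Base64 step and says so; the second decodes cleanly and then fails inside CertificateFactory, so the message that reaches the log is the JDK parser's own. A certificate with an empty issuer DN takes that second path, which is exactly the case where the generic status hides the reason for rejection.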