X500Principal Distinguished Name order

StackOverflow https://stackoverflow.com/questions/10871922

Question

I'm using the Bouncycastle lib to generate certificates from PKCS10 requests using the X509v3CertificateBuilder class.

It returns build a X509CertificateHolder object which contains the generated certificate. If I call getIssuer on the holder, it returns the issuer distinguished name in the correct order (the same returned if I call getSubjectX500Principal() on the issuer certificate), if I parse the encoded version from the holder using the java CertificateFactory, the getIssuerX500Principal() method of the generated certificate returns the DN in the opposite order, what's wrong?

Here is an example code of what I'm trying to do:

X509CertificateHolder holder = certBuilder.build(sigGen);
holder.getIssuer(); //Returns the DN in the correct order (same as in issuer cert)

CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(holder.getEncoded()));

cert.getIssuerX500Principal().getName(); //Returns issuer DN in reverse order
Was it helpful?

Solution

Since I need to compare distinguished names, I resolved by parsing the DN with LdapName class and comparing the parsed rdns:

boolean DNmatches(X500Principal p1, X500Principal p2) {
    List<Rdn> rdn1 = new LdapName(p1.getName()).getRdns();
    List<Rdn> rdn2 = new LdapName(p2.getName()).getRdns();

    if(rdn1.size() != rdn2.size())
        return false;

    return rdn1.containsAll(rdn2);
}

OTHER TIPS

Just in case anyone needs to extract the Subject DN in the certificate order, I found this does it:

String certSubject = new JcaX509CertificateHolder(x509Certificate).getSubject().toString();
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top