https://bz.apache.org/bugzilla/show_bug.cgi?id=66009
--- Comment #2 from Michael Osipov <micha...@apache.org> ---

Although I haven't analyzed recent changes, the problem you see is different representations of the ASN.1-encoded subject DN. Here (https://github.com/apache/tomcat/blob/431f08b66e27411decb52e1333dd886cc181a854/java/org/apache/catalina/realm/RealmBase.java#L454-L455) it uses https://docs.oracle.com/javase/8/docs/api/javax/security/cert/X509Certificate.html#getIssuerDN--, which does not describe the format that is applied, but X509SubjectDnRetriever uses RFC 1779 (https://github.com/apache/tomcat/blob/431f08b66e27411decb52e1333dd886cc181a854/java/org/apache/catalina/realm/X509SubjectDnRetriever.java#L31), which is totally outdated.

Moreover, depending on the X.500 Principal format you select, Java maintains an internal map of which OIDs can be reasonably mapped from ASN.1 to a string. Especially 2.5.4.5 is a total mess. I have a certificate processing application at work where I apply a custom formatting to properly canonicalize RFC 2253 formatted output with all possible OIDs Java will not map by default. I assume the codebase in Tomcat needs to be analyzed and something similar applied. (My custom approach is based on the way OpenSSL handles DNs.)
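Added example, not part of the comment above and not Tomcat's own code: a stand-alone Java program that shows what the comment describes, namely that the same subject DN renders differently under X500Principal.RFC1779, RFC2253 and CANONICAL, that 2.5.4.5 (serialNumber) and emailAddress come out as a dotted OID plus "#<hex DER>" in the RFC 1779/2253 forms because the JDK's built-in keyword table does not cover them, and that the getName(format, oidMap) overload lets a caller supply the missing OID-to-keyword entries. The sample DN is constructed, and the EXTRA_OIDS table (OpenSSL short names where OpenSSL has one) is an assumption for illustration, not a complete list.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

public class DnFormats {

    // Attribute types the JDK does not map to a keyword in RFC1779/RFC2253 output.
    // Keyword spelling follows OpenSSL's short names where one exists.
    // Assumption: illustrative subset, not the full OpenSSL objects table.
    static final Map<String, String> EXTRA_OIDS;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("2.5.4.5", "SERIALNUMBER");              // serialNumber, the case named in the comment
        m.put("2.5.4.4", "SN");                        // surname
        m.put("2.5.4.42", "GN");                       // givenName
        m.put("2.5.4.12", "T");                        // title
        m.put("2.5.4.43", "initials");
        m.put("2.5.4.44", "generationQualifier");
        m.put("2.5.4.46", "dnQualifier");
        m.put("2.5.4.65", "pseudonym");
        m.put("2.5.4.13", "description");
        m.put("2.5.4.15", "businessCategory");
        m.put("2.5.4.17", "postalCode");
        m.put("1.2.840.113549.1.9.1", "emailAddress"); // PKCS#9 emailAddress
        EXTRA_OIDS = Collections.unmodifiableMap(m);
    }

    // Constructed sample subject (not taken from a real certificate). It deliberately
    // contains serialNumber and emailAddress, the attributes that trigger the OID form.
    static final X500Principal SAMPLE = new X500Principal(
            "CN=Alice Example, SERIALNUMBER=12345, EMAILADDRESS=alice@example.org, O=Example Corp, C=DE");

    /**
     * RFC 2253 string using the JDK's keyword table extended by EXTRA_OIDS.
     * CANONICAL does not accept an oidMap (IllegalArgumentException), so RFC2253 is the
     * format to use when a stable, human-readable string with extra keywords is wanted.
     */
    static String canonicalDn(X500Principal p) {
        return p.getName(X500Principal.RFC2253, EXTRA_OIDS);
    }

    /**
     * Identity check that does not depend on any string format: X500Principal.equals
     * compares the DER-derived canonical form, so two principals for the same subject
     * match even if their RFC1779 and RFC2253 renderings look nothing alike.
     */
    static boolean sameSubject(X500Principal a, X500Principal b) {
        return a.equals(b);
    }

    public static void main(String[] args) {
        X500Principal p = SAMPLE;
        System.out.println("toString()       : " + p);                 // DEFAULT format, keywords
        System.out.println("RFC1779          : " + p.getName(X500Principal.RFC1779));
        System.out.println("RFC2253          : " + p.getName(X500Principal.RFC2253));
        System.out.println("CANONICAL        : " + p.getName(X500Principal.CANONICAL));
        System.out.println("RFC2253 + oidMap : " + canonicalDn(p));

        // Re-parse the RFC2253 rendering (with its "2.5.4.5=#..." entries) into a second
        // principal: the two strings differ per format, but the principals are the same subject.
        X500Principal reparsed = new X500Principal(p.getName(X500Principal.RFC2253));
        System.out.println("RFC1779 == RFC2253 string? "
                + p.getName(X500Principal.RFC1779).equals(p.getName(X500Principal.RFC2253)));
        System.out.println("same subject?              " + sameSubject(p, reparsed));
    }
}
```

Run with `java DnFormats.java` (JDK 11 or later). The practical takeaway for a realm that matches certificate subjects against stored names is to compare X500Principal objects, or to put both sides through the same format and the same oidMap, rather than comparing a string produced by one format against one produced by another.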