000021146 - Translate a Java String into an X500Name

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021146
Applies ToBSAFE/Cert-J 2.2
IssueTranslate a Java String into an X500Name

Translating a Java String to an RSA X500 name, the X500 name does not match exactly as the encoded DN in the certificate.  This impacts the application when searching for the certificate in the HSM based on the DN for the subject or issuer, as the search does not retrieve back an exact match.


For the X500Names issue, the Subject name, when stored as a String, would not retain the information about what type (PrintableString, UTFString, etc...) the components were encoded in (and they can very well be different for each certificate). So, it's reasonable that when you construct a X500Name out of a String, you may not get back the exact same one as the certificate because of the missing type info. So, in order to construct the same X500Name as the one from the certificate, you have to extract the name in binary format from the certificate and store that.

byte[] binarySubject = new byte[cert.getSubjectName().getDERLen(0)];

cert.getSubjectName().getDEREncoding(binarySubject, 0, 0);

// then, write binarySubject into a file...

Later on, you can use the binary encoding to reconstruct back the X500Name.

Another way would be to construct the X500Name from scratch if you know what value and type each AVA is, like below:

public X500Name createSubjectName(String commonName) throws NameException {

    X500Name name = new X500Name();

    RDN rdn = new RDN();

    rdn.addNameAVA(new AttributeValueAssertion (AttributeValueAssertion.COUNTRY_NAME, null, ASN1.PRINT_STRING, "US"));

    rdn.addNameAVA(new AttributeValueAssertion (AttributeValueAssertion.STATE_NAME, null, ASN1.PRINT_STRING, "California"));

    rdn.addNameAVA(new AttributeValueAssertion (AttributeValueAssertion.ORGANIZATION_NAME, null, ASN1.PRINT_STRING, "RSA Security Inc."));

    rdn.addNameAVA(new AttributeValueAssertion (AttributeValueAssertion.LOCALITY_NAME, null, ASN1.PRINT_STRING, "San Mateo"));

    rdn.addNameAVA(new AttributeValueAssertion (AttributeValueAssertion.STREET_ADDRESS, null, ASN1.PRINT_STRING, "Cert-J Test"));

    rdn.addNameAVA(new AttributeValueAssertion (AttributeValueAssertion.COMMON_NAME, null, ASN1.PRINT_STRING, commonName));


    return (name);


Legacy Article IDa39355