Problem

  • Product: VisiBroker 8.0 for C & Java
  • Component: VisiSecure
  • Platform: All
  • Tested Patch Level: Service Pack 3 & below

The following exception is encountered when the VisiBroker server ORB is started.

Error Message from the C ORB

CORBA::Exception: Exception: CORBA::BAD_PARAM
Minor: 1447174691
Completion Status: NO

Error Message from the Java ORB

org.omg.CORBA.BAD_PARAM: Invalid certificate @0  vmcid: 0x0  minor code: 0  completed: No

        at com.borland.security.provider.CertificateWallet.(CertificateWallet.java:85)

Resolution

The exception is caused by an interoperability issue between how different vendors generate and interpret X509 certificates. Examining the certificate with OpenSSL shows the following details.
OpenSSL> x509 -in Base64.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:fe:e3:cc:00:00:00:00:00:66
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=xx, DC=xx, CN=xx
        Validity
            Not Before: xx
            Not After : xx
        Subject: C=xx, O=xx, CN=xx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                  …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                …
            X509v3 Authority Key Identifier:
               …
             X509v3 CRL Distribution Points:
                 …
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
...@...q:...)...)..d......7.........\\..
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            1.3.6.1.4.1.311.21.10:
                0.0 .. .......
   
The following parts of the output are the areas of interest.

1. X509 Version 3 certificate.

2. Issuer contains the Domain Component (DC)

   - Object Identifier: 0.9.2342.19200300.100.1.25, defined in http://www.ietf.org/rfc/rfc3280.txt

3. Object Identifiers for specific X509 Version 3 extensions

   a. Object Identifier: 1.3.6.1.4.1.311.21.7

   b. Object Identifier: 1.3.6.1.4.1.311.21.10


The certificate contains object identifiers that VisiSecure does not recognize, so the exceptions above are thrown.
VisiSecure provides the vbroker.security.addOID property to work around the exception. The following is an example of its usage, with the OIDs separated by semicolons.
vbroker.security.addOID=1.3.6.1.4.1.311.21.7;1.3.6.1.4.1.311.21.10;0.9.2342.19200300.100.1.25
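
As an added example (not VisiBroker or Borland code), the Python script below reads `openssl x509 -text` output like the dump above and builds the vbroker.security.addOID line from it. It assumes the OIDs to register are the extensions OpenSSL prints as bare dotted-decimal headers plus the DC attribute, as in the three items listed above; the sample text is constructed from the article's output. It also returns any such extension marked critical, because RFC 3280 requires a certificate with an unrecognized critical extension to be rejected, so those deserve review before being added.

```python
import re

# Constructed sample: trimmed from the `openssl x509 -text` output in the article.
SAMPLE = """\
        Issuer: DC=xx, DC=xx, CN=xx
        Subject: C=xx, O=xx, CN=xx
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                ...
            1.3.6.1.4.1.311.21.10:
                0.0 .. .......
"""

# Assumption: DC is the only DN attribute that needs registering, as in the article.
DN_ATTR_OIDS = {"DC": "0.9.2342.19200300.100.1.25"}

# OpenSSL prints an extension it has no name for as a bare dotted OID header.
EXT_HEADER = re.compile(r"^\s+(\d+(?:\.\d+)+):\s*(critical)?\s*$")
DN_LINE = re.compile(r"^\s+(?:Issuer|Subject):\s*(.*)$")
DN_ATTR = re.compile(r"(?:^|[,/]\s*)([A-Za-z][A-Za-z0-9.]*)\s*=")


def find_oids(text):
    """Return (extension_oids, dn_oids, critical_oids) in order of appearance."""
    ext, dn, critical = [], [], []
    for line in text.splitlines():
        m = EXT_HEADER.match(line)
        if m:
            if m.group(1) not in ext:
                ext.append(m.group(1))
            if m.group(2):  # unnamed extension flagged critical: review first
                critical.append(m.group(1))
            continue
        m = DN_LINE.match(line)
        if m:
            for attr in DN_ATTR.findall(m.group(1)):
                oid = DN_ATTR_OIDS.get(attr.upper())
                if oid and oid not in dn:
                    dn.append(oid)
    return ext, dn, critical


def addoid_property(text):
    """Build the property line: extension OIDs first, then DN attribute OIDs."""
    ext, dn, _ = find_oids(text)
    return "vbroker.security.addOID=" + ";".join(ext + dn)
```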
Incident #2478513