The following pattern is used:
> sm.getString("pemFile....", HexUtils.toHexString(oidBytes))

The result is a hex string which is not helpful. The ASN.1 DER encoding of an OID should be converted to a dotted string representation for users.

Affected keys:
pemFile.unknownEncryptionAlgorithm
pemFile.unknownPkcs8Algorithm
pemFile.notPbkdf2
pemFile.unknownPrfAlgorithm

Howto: https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-object-identifier?redirectedfrom=MSDN
Reference: https://lists.apache.org/thread/2x709tc8ms5jnd1s6drf3pons009sqdl

E.g. for DES_EDE3_CBC as 1.2.840.113549.3.7 the output would be: 2a864886f70d0307. Little helpful.
Whether the user is provided with the OID in string or byte form doesn't change the fact that the PEM file isn't going to be usable. The byte string is sufficient for us to diagnose the issue (and matches what Tomcat uses internally). I wasn't (and still am not) convinced it was worth the effort to provide byte to string conversion for OIDs just for the error messages. That said, if you want to write a byte to String formatter for OIDs then I'm not going to object.
(In reply to Mark Thomas from comment #1)
> Whether the user is provided with the OID in string or byte form doesn't
> change the fact that the PEM file isn't going to be usable.
>
> The byte string is sufficient for us to diagnose the issue (and matches what
> Tomcat uses internally).
>
> I wasn't (and still am not) convinced it was worth the effort to provide
> byte to string conversion for OIDs just for the error messages.
>
> That said, if you want to write a byte to String formatter for OIDs then I'm
> not going to object.

Agree, but from a user's PoV it makes it much much easier to search online or here: http://www.oid-info.com/

Let's leave it as an enhancement.
I think the easiest solution is to use org.ietf.jgss.Oid.Oid(byte[]) and then invoke #toString()
+1 - we are already using that class in the SPNEGO authenticator
(In reply to Mark Thomas from comment #4)
> +1 - we are already using that class in the SPNEGO authenticator

I'll try to prepare a PR for this.
Fixed in:
- main for 11.0.0-M14 and onwards
- 10.1.x for 10.1.16 and onwards
- 9.0.x for 9.0.83 and onwards
- 8.5.x for 8.5.96 and onwards
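
The conversion discussed in this thread, as an added example that is not Tomcat's code or the committed fix: it decodes OID content octets by hand and cross-checks the result with org.ietf.jgss.Oid, which expects the full DER encoding (tag 0x06, length, content). The class name OidFormatDemo and its method names are hypothetical, and the input is assumed to be content octets only, as in the 2a864886f70d0307 example from the report.

```java
import java.math.BigInteger;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class OidFormatDemo {

    // Decode OID content octets (no tag, no length) into dotted form.
    static String toDotted(byte[] content) {
        // The last octet of every subidentifier has the high bit clear.
        if (content.length == 0 || (content[content.length - 1] & 0x80) != 0) {
            throw new IllegalArgumentException("truncated OID encoding");
        }
        StringBuilder sb = new StringBuilder();
        BigInteger value = BigInteger.ZERO;
        boolean first = true;
        for (byte b : content) {
            // Base-128: seven value bits per octet, high bit means "more follows".
            value = value.shiftLeft(7).or(BigInteger.valueOf(b & 0x7f));
            if ((b & 0x80) != 0) {
                continue;
            }
            if (first) {
                // First subidentifier packs two arcs: 40 * arc1 + arc2, arc1 in 0..2.
                int arc1 = value.compareTo(BigInteger.valueOf(80)) >= 0 ? 2 : value.intValue() / 40;
                sb.append(arc1).append('.').append(value.subtract(BigInteger.valueOf(40L * arc1)));
                first = false;
            } else {
                sb.append('.').append(value);
            }
            value = BigInteger.ZERO;
        }
        return sb.toString();
    }

    // Same result via the JDK class: wrap the content in tag 0x06 and a short-form length.
    static String toDottedJgss(byte[] content) throws GSSException {
        if (content.length > 127) {
            throw new IllegalArgumentException("long-form DER length not handled here");
        }
        byte[] der = new byte[content.length + 2];
        der[0] = 0x06;
        der[1] = (byte) content.length;
        System.arraycopy(content, 0, der, 2, content.length);
        return new Oid(der).toString();
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample: DES_EDE3_CBC content octets from the report.
        byte[] oid = {0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x0d, 0x03, 0x07};
        System.out.println(toDotted(oid));     // 1.2.840.113549.3.7
        System.out.println(toDottedJgss(oid)); // 1.2.840.113549.3.7
    }
}
```

Because the bytes come from a PEM file that already failed to parse, a caller building an error message should catch the exceptions above and fall back to the hex form rather than let the formatter mask the original error.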