Okay, sounds like the certs were as we suspected then :-)

If you were proposing a WSS4J enhancement request for x509TokenProfile
1.1 then perhaps it might be worth throwing a query to the WSS4J mail
list?
Obviously for this sort of extension we shouldn't add the logic into CXF
itself.

Cheers,
    Donal
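The two checks discussed in the thread below, reading the certificate version through the JDK's X.509 interface (Donal's aside) and choosing the matching KeyIdentifier ValueType (Mayank's point about #X509v1 versus #X509v3), as an added example. This is not code from this thread, from WSS4J or from CXF. The class and method names are my own; the namespace string is the one Mayank saw on the wire, and it is an assumption here that the 1.1 token profile defines the v1 ValueType as a fragment on that same namespace. The consistency rules encode what Donal states: extensions require version 3, issuerUniqueID/subjectUniqueID require at least version 2.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Reports the X.509 version of a certificate, its extensions, and the
 * WSS X.509 Token Profile ValueType that matches it.
 * Added example; not WSS4J or CXF code.
 */
public class CertVersionCheck {

    // Namespace of the ValueType observed on the wire in the thread (profile 1.0).
    static final String TOKEN_PROFILE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";

    /** Load a PEM or DER file (what keytool -export or openssl x509 produce). */
    static X509Certificate loadFromFile(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Load the certificate under an alias in a JKS keystore (openssl cannot read JKS). */
    static X509Certificate loadFromJks(String path, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalArgumentException("no X.509 certificate under alias " + alias);
        }
        return (X509Certificate) c;
    }

    /** Pick the KeyIdentifier ValueType for the certificate version. */
    static String valueTypeFor(X509Certificate cert) {
        // Assumption: the 1.1 profile defines #X509v1 on the same namespace as #X509v3.
        // The profile has no v2 ValueType, so anything below v3 is reported as v1.
        return TOKEN_PROFILE_NS + (cert.getVersion() == 3 ? "#X509v3" : "#X509v1");
    }

    /** Version rules from the thread: extensions need v3, unique IDs need at least v2. */
    static List<String> consistencyProblems(X509Certificate cert) {
        List<String> problems = new ArrayList<>();
        int version = cert.getVersion();
        Set<String> critical = cert.getCriticalExtensionOIDs();      // may be null
        Set<String> nonCritical = cert.getNonCriticalExtensionOIDs(); // may be null
        boolean hasExtensions = (critical != null && !critical.isEmpty())
            || (nonCritical != null && !nonCritical.isEmpty());
        boolean hasUniqueIds = cert.getIssuerUniqueID() != null || cert.getSubjectUniqueID() != null;

        if (hasExtensions && version < 3) {
            problems.add("extensions present but version is " + version + " (must be 3)");
        }
        if (hasUniqueIds && version < 2) {
            problems.add("issuer/subject unique ID present but version is 1 (must be at least 2)");
        }
        if (version == 3 && !hasExtensions && !hasUniqueIds) {
            problems.add("version 3 with no extensions or unique IDs: legal, but v1 would be more accurate");
        }
        // The sample cert in the thread is md5WithRSAEncryption; MD5 signatures are no longer trustworthy.
        if (cert.getSigAlgName().toUpperCase().contains("MD5")) {
            problems.add("signature algorithm " + cert.getSigAlgName() + " is MD5-based");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 3) {
            System.err.println("usage: CertVersionCheck <cert.pem|cert.cer> | <keystore.jks> <storepass> <alias>");
            System.exit(2);
        }
        X509Certificate cert = (args.length == 1)
            ? loadFromFile(args[0])
            : loadFromJks(args[0], args[1].toCharArray(), args[2]);

        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Version:    " + cert.getVersion());
        System.out.println("SigAlg:     " + cert.getSigAlgName());
        System.out.println("Critical extension OIDs:     " + cert.getCriticalExtensionOIDs());
        System.out.println("Non-critical extension OIDs: " + cert.getNonCriticalExtensionOIDs());
        System.out.println("ValueType:  " + valueTypeFor(cert));
        for (String p : consistencyProblems(cert)) {
            System.out.println("WARNING: " + p);
        }
    }
}
```

Run it against the exported .cer directly (java CertVersionCheck MYCERT.cer) or against the keystore with the alias keytool used; a keytool-generated v1 certificate prints Version 1, empty extension sets, and the v1 ValueType, which is the case where a fixed "#X509v3" reference is wrong.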


-----Original Message-----
From: Mayank Mishra [mailto:[EMAIL PROTECTED] 
Sent: 28 February 2008 05:16
To: cxf-user@incubator.apache.org
Subject: Re: Usage of X509 certificates in WSS4J

Mayank Mishra wrote:
> Arundel, Donal wrote:
>> Sure, assuming you mean from the command line then download the
>> excellent openssl utility from www.openssl.org.
>>
>> Then execute:
>>
>> "openssl x509 -in MyCertfile.pem -inform PEM -text"
>>
>> This will give a nice printout of the cert details, including a listing
>> of the x.509v3 extensions present.
>> The above command line assumes the cert is in PEM format (base 64
>> encoded); DER format is also supported (the Java language specific jks file
>> format is not supported by openssl).
>>
>> (Aside: If you wanted to query certs programmatically then you could use
>> the JDK's x.509 interface which gives you access to the extensions, and
>> also to the version number of the certificate)
>>
>
> I debugged MerlinCrypto instance created by WSS4J and checked the 
> version number in the sun.security.x509.X509CertInfo instance. It has 
> Version: v1 as CertificateVersion value.
>> The Email address data you refer to below appears to be just part of the
>> distinguished name of both the Issuer and Subject.
>> This by itself is not evidence of an x.509v3 extension being present.
>>
>> There is at least one defined X.509v3 extension that can be used for
>> e-mail addresses (e.g. the emailAddress extension), but from the extract
>> you have posted it's not clear if this is specified in your cert.
>> I suspect it's unlikely based on what you have said so far.
>>
>> Anyway openssl will make this clear.
>>
>> If you are on Windows you could just download the pre built binaries
>> executable from http://www.openssl.org/related/binaries.html
>> I normally just build openssl myself, and haven't used that specific
>> link personally - but it is listed on the main openssl.org webpage so
>> hopefully should work.
>>   
> Thanks Arundel for the link. I used the pre built binaries from the 
> URL. I followed the following,
> 1. Exported the certificate to .CER format from the keytool -export 
> command.
> 2. Converted CER format to PEM format using openssl command x509 
> -inform der -in MYCERT.cer -out MYCERT.pem
> 3. Checked the version using openssl command x509 -in MYCERT.pem 
> -inform PEM -text
>
> I saw following information along with Validity, Subject, Subject 
> Public Key Info and Certificate:
> Certificate:
>    Data:
>        Version: 1 (0x0)
>        Serial Number: 1173183211 (0x45ed5aeb)
>        Signature Algorithm: md5WithRSAEncryption
>
> I guess I can confirm seeing above that the certificates I am using 
> are of version v1. Also, no extension information was there.
>
> Hence, in this case the certificates I am passing to WSS4J are x509v1,
> and the expected valueType must be #x509v1.
>
> In case I am right, WSS4J supports OASIS X.509 Certificate Token 
> Profile 1.0 [1]. IMO, the only differences in 1.0 and OASIS X.509 
> Certificate Token Profile 1.1 [2] are following:
>
> 1. Inclusion of X.509 version 1 certificates (I don't know the reason 
> for going back).
> 2. Allowing only X.509 version 3 certificates to be used in Key 
> Identifier reference.
>
> We can change the above and can support Token Profile 1.1.
>
> With Regards,
> Mayank
>
> [1]. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
>
> [2]. http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf
>
or at least we can check the certificate version and put the right value 
"#x509v1" in the 'ValueType' attribute of the Key Identifier reference.

With Regards,
Mayank

>
>> I could probably mail you a statically built version for one of the most
>> popular Unix platforms if that's any use to you, and save you the hassle
>> of building it..
>>
>>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, 
>>> ST=mystate, C=mycountry, [EMAIL PROTECTED]
>>>
>>> I guess, EMAILADDRESS, etc comes as v3 certificate extensions.
>>>
>>> Is there any way through which I can verify whether my certificate is
>>> v3 certificate having no extension or v1 certificate?
>>
>>
>> Cheers,
>>    Donal
>>
>> -----Original Message-----
>> From: Mayank Mishra [mailto:[EMAIL PROTECTED]
>> Sent: 26 February 2008 14:10
>> To: cxf-user@incubator.apache.org
>> Subject: Re: Usage of X509 certificates in WSS4J
>>
>> Arundel, Donal wrote:
>>> Unless x.509v3 Certificates are present in your created certificate
>>> there is no requirement that the certificate version number is 3.
>>>
>>> If either the X.509 issuerUniqueID or subjectUniqueID fields are present
>>> the certificate must be at least version 2.
>>> However there is nothing actually stopping somebody creating a
>>> certificate with no x.509v3 extensions, and also no issuerUniqueID or
>>> subjectUniqueID, ..and having a version of 3. A version of 1 would
>>> strictly be more correct though.
>> Yes, I agree with you.
>>> I don't know offhand if Keytool gives you explicit control over the
>>> version number or whether it just calculates the version from the
>>> logical certificate request data when creating the certificate.
>> I generated public key certificates and private keys from keytool 
>> only. According to [1], it generates v1 certificates and can 
>> import/export v1, v2, and v3 certificates..
>> But I am suspecting it because when printing out the 
>> certificate, I get the following along with SerialNumber and Certificate 
>> fingerprints.
>>
>> Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
>> C=mycountry, [EMAIL PROTECTED]
>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate,
>> C=mycountry, [EMAIL PROTECTED]
>>
>> I guess, EMAILADDRESS, etc comes as v3 certificate extensions.
>>
>> Is there any way through which I can verify whether my certificate is v3
>> certificate having no extension or v1 certificate?
>>
>>> Generally all CA certificates must have extensions indicating that they
>>> are CAs, so they should have a version number of 3.
>>> Application certs on the other hand may vary depending on their content
>>> and anticipated usage.
>>>
>>> Cheers,
>>>     Donal
>>
>> With Regards,
>> Mayank
>>
>> [1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
>>
>>> -----Original Message-----
>>> From: Mayank Mishra [mailto:[EMAIL PROTECTED]
>>> Sent: 26 February 2008 10:44
>>> To: cxf-user@incubator.apache.org
>>> Subject: Usage of X509 certificates in WSS4J
>>>
>>> G'day all,
>>>
>>> I am using WSS4J 1.5.1. I created X509 public keys and certificates from
>>> Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
>>> Please let me know if it creates v3 certificates, which in my 
>>> opinion it doesn't do.
>>> Looking at the on the wire message sent from client to server or 
>>> otherwise, I observe in the Token Reference that the value of the "Valuetype" 
>>> attribute in the "KeyIdentifier" element is
>>>
>>> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>>
>>> AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were
>>> included in the spec; in X509 Certificate Token Profile 1.0, only X509v3
>>> certificates were there to be used.
>>>
>>> Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please
>>> clarify me if I am wrong.
>>>
>>> Since X509v3 certs have some more extension elements over X509v1, 
>>> it should give some error when passing X509v1 for cryptos creation.
>>> Or, it silently uses X509v1, but then the valuetype should be "#x509v1"
>>> instead of "#x509v3".
>>>
>>> There is a bit of confusion. Kindly clarify.
>>>
>>> With Regards,
>>> Mayank
>>>
>>> ----------------------------
>>> IONA Technologies PLC (registered in Ireland)
>>> Registered Number: 171387
>>> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
>>
>
