Okay, sounds like the certs were as we suspected then :-) If you were proposing a WSS4J enhancement request for x509TokenProfile 1.1 then perhaps it might be worth throwing a query to the WSS4J mail list? Obviously for this sort of extension we shouldn't add the logic into CXF itself.
Cheers,
Donal

-----Original Message-----
From: Mayank Mishra [mailto:[EMAIL PROTECTED]
Sent: 28 February 2008 05:16
To: cxf-user@incubator.apache.org
Subject: Re: Usage of X509 certificates in WSS4J

Mayank Mishra wrote:
> Arundel, Donal wrote:
>> Sure, assuming you mean from the command line then download the excellent openssl utility from www.openssl.org.
>>
>> Then execute:
>>
>> "openssl x509 -in MyCertfile.pem -inform PEM -text"
>>
>> This will give a nice printout of the cert details, including a listing of the x.509v3 extensions present.
>> The above command line assumes the cert is in PEM format (base 64 encoded); DER format is also supported (the Java language specific jks file format is not supported by openssl).
>>
>> (Aside: If you wanted to query certs programmatically then you could use the JDK's x.509 interface which gives you access to the extensions, and also to the version number of the certificate)
>>
> I debugged the MerlinCrypto instance created by WSS4J and checked the version number in the sun.security.x509.X509CertInfo instance. It has Version: v1 as CertificateVersion value.
>
>> The Email address data you refer to below appears to be just part of the distinguished name of both the Issuer and Subject.
>> This by itself is not evidence of an x.509v3 extension being present.
>>
>> There is at least one defined X.509v3 extension that can be used for e-mail addresses (e.g. the emailAddress extension), but from the extract you have posted it's not clear if this is specified in your cert.
>> I suspect it's unlikely based on what you have said so far.
>>
>> Anyway openssl will make this clear.
>>
>> If you are on Windows you could just download the pre built binaries executable from http://www.openssl.org/related/binaries.html
>> I normally just build openssl myself, and haven't used that specific link personally - but it is listed on the main openssl.org webpage so hopefully should work.
>>
> Thanks Arundel for the link. I used the pre built binaries from the URL. I followed the following,
> 1. Exported the certificate to .CER format from the keytool -export command.
> 2. Converted CER format to PEM format using openssl command x509 -inform der -in MYCERT.cer -out MYCERT.pem
> 3. Checked the version using openssl command x509 -in MYCERT.pem -inform PEM -text
>
> I saw the following information along with Validity, Subject, Subject Public Key Info and Certificate:
>
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 1173183211 (0x45ed5aeb)
>         Signature Algorithm: md5WithRSAEncryption
>
> I guess I can confirm seeing above that the certificates I am using are of version v1. Also, no extension information was there.
>
> Hence, in this case the certificates I am passing to WSS4J are x509v1, and the expected valueType must be #x509v1.
>
> In case I am right, WSS4J supports OASIS X.509 Certificate Token Profile 1.0 [1]. IMO, the only differences in 1.0 and OASIS X.509 Certificate Token Profile 1.1 [2] are the following:
>
> 1. Inclusion of X.509 version 1 certificates (I don't know the reason of going back).
> 2. Allowing only X.509 version 3 certificates to be used in Key Identifier reference.
>
> We can change the above and can support Token Profile 1.1.
>
> With Regards,
> Mayank
>
> [1]. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> [2]. http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf

or at least we can check the certificate version and can put the right value "#x509v1" in the 'ValueType' attribute in the Key Identifier reference.

With Regards,
Mayank

>> I could probably mail you a statically built version for one of the most popular Unix platforms if that's any use to you, and save you the hassle of building it..
>>
>>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED]
>>>
>>> I guess, EMAILADDRESS, etc comes as v3 certificate extensions.
>>>
>>> Is there any way through which I can verify whether my certificate is a v3 certificate having no extension or a v1 certificate?
>>>
>> Cheers,
>> Donal
>>
>> -----Original Message-----
>> From: Mayank Mishra [mailto:[EMAIL PROTECTED]
>> Sent: 26 February 2008 14:10
>> To: cxf-user@incubator.apache.org
>> Subject: Re: Usage of X509 certificates in WSS4J
>>
>> Arundel, Donal wrote:
>>> Unless x.509v3 Certificates are present in your created certificate there is no requirement that the certificate version number is 3.
>>>
>>> If either the X.509 issuerUniqueID or subjectUniqueID fields are present the certificate must be at least version 2.
>>> However there is nothing actually stopping somebody creating a certificate with no x.509v3 extensions, and also no issuerUniqueID or subjectUniqueID, ..and having a version of 3. A version of 1 would strictly be more correct though.
>>>
>> Yes, I agree with you.
>>
>>> I don't know offhand if Keytool gives you explicit control over the version number or whether it just calculates the version from the logical certificate request data when creating the certificate.
>>>
>> I generated public key certificates and private keys from keytool only. According to [1], it generates v1 certificates and can import/export v1, v2, and v3 certificates..
>> But I am suspecting it because when printing out the certificate, I get the following along with SerialNumber, Certificate fingerprints.
>>
>> Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED]
>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED]
>>
>> I guess, EMAILADDRESS, etc comes as v3 certificate extensions.
>>
>> Is there any way through which I can verify whether my certificate is a v3 certificate having no extension or a v1 certificate?
>>
>>> Generally all CA certificates must have extensions indicating that they are CAs, so they should have a version number of 3.
>>> Application certs on the other hand may vary depending on their content and anticipated usage.
>>>
>>> Cheers,
>>> Donal
>>>
>> With Regards,
>> Mayank
>>
>> [1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
>>
>>> -----Original Message-----
>>> From: Mayank Mishra [mailto:[EMAIL PROTECTED]
>>> Sent: 26 February 2008 10:44
>>> To: cxf-user@incubator.apache.org
>>> Subject: Usage of X509 certificates in WSS4J
>>>
>>> G'day all,
>>>
>>> I am using WSS4J 1.5.1. I created X509 public keys and certificates from the Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
>>> Please let me know if it creates v3 certificates, which in my opinion it doesn't do.
>>> Looking at the on the wire message sent from client to server or otherwise, I observe in the Token Reference that the value of the "Valuetype" attribute in the "KeyIdentifier" element is
>>>
>>> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>>
>>> AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were included in the spec; in X509 Certificate Token Profile 1.0, only X509v3 certificates were there to be used.
>>>
>>> Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please clarify me if I am wrong.
>>>
>>> Since X509v3 certs have some more extension elements over X509v1, it should give some error when passing X509v1 for cryptos creation. Or, it silently uses X509v1, but then the valuetype should be "#x509v1" instead of "#x509v3".
>>>
>>> There is a bit of confusion. Kindly clarify.
>>>
>>> With Regards,
>>> Mayank
>>>
>>> ----------------------------
>>> IONA Technologies PLC (registered in Ireland)
>>> Registered Number: 171387
>>> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
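The check Donal mentions in his aside (reading the version and the extensions through the JDK's X.509 interface rather than via openssl), combined with the ValueType selection Mayank proposes, as an added example written for this thread; it is not code from WSS4J or CXF. It assumes a keytool-created JKS keystore whose path, alias and password are passed on the command line (the defaults mykeystore.jks, mykey and changeit are placeholders), and it assumes the v1 ValueType shares the namespace of the v3 one seen on the wire in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;

/**
 * Loads one certificate from a keytool keystore and reports its X.509
 * version, whether any v3 extensions or unique identifiers are encoded,
 * and which X.509 Token Profile ValueType matches that version.
 */
public class CertVersionCheck {

    // Namespace seen in the ValueType on the wire in this thread; the
    // fragment (#X509v1 / #X509v3) names the certificate version.
    private static final String TOKEN_PROFILE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";

    /** Maps the certificate version to the ValueType URI for the KeyIdentifier. */
    static String valueTypeFor(X509Certificate cert) {
        switch (cert.getVersion()) {   // getVersion() returns 1, 2 or 3
            case 1:  return TOKEN_PROFILE_NS + "#X509v1";
            case 3:  return TOKEN_PROFILE_NS + "#X509v3";
            default: throw new IllegalArgumentException(
                "no KeyIdentifier ValueType known for X.509 v" + cert.getVersion());
        }
    }

    /** True if the certificate carries any v3 extension, critical or not. */
    static boolean hasExtensions(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        Set<String> nonCritical = cert.getNonCriticalExtensionOIDs();
        return (critical != null && !critical.isEmpty())
            || (nonCritical != null && !nonCritical.isEmpty());
    }

    /** True if issuerUniqueID or subjectUniqueID is encoded (needs at least v2). */
    static boolean hasUniqueIds(X509Certificate cert) {
        return cert.getIssuerUniqueID() != null || cert.getSubjectUniqueID() != null;
    }

    static void report(X509Certificate cert) {
        int version = cert.getVersion();
        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Issuer:     " + cert.getIssuerX500Principal());
        System.out.println("Version:    v" + version);
        System.out.println("Extensions: " + (hasExtensions(cert) ? "present" : "none"));
        System.out.println("Unique IDs: " + (hasUniqueIds(cert) ? "present" : "none"));
        // getBasicConstraints() is -1 unless a CA basicConstraints extension is present.
        System.out.println("CA cert:    " + (cert.getBasicConstraints() >= 0));
        System.out.println("ValueType:  " + valueTypeFor(cert));

        // The case Donal describes: v3 with nothing that actually needs v3.
        if (version == 3 && !hasExtensions(cert) && !hasUniqueIds(cert)) {
            System.out.println("NOTE: v3 without extensions or unique IDs; v1 would strictly be more correct");
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path, alias, keystore password (placeholders as defaults).
        String path = args.length > 0 ? args[0] : "mykeystore.jks";
        String alias = args.length > 1 ? args[1] : "mykey";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException("alias '" + alias + "' holds no X.509 certificate");
        }
        report((X509Certificate) c);
    }
}
```

Compile and run it against the keystore keytool wrote, e.g. `javac CertVersionCheck.java && java CertVersionCheck mykeystore.jks mykey changeit`; a keytool-generated v1 certificate should report "Version: v1", no extensions, and the #X509v1 ValueType, which is the condition under which the #X509v3 reference discussed in the thread is the wrong one to emit.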