Hi all,
we have an interoperability issue between WSS4J and WSE, and we believe we have
found a bug in WSS4J. Please have a look at it and give some advice.
Scenario: We want to send an encrypted and signed message from WSE to WSS4J. I
created a key pair with keytool on Java SE 5.0 and exported a certificate from
my keystore (JCEKS). This certificate was successfully imported on the .NET
side. The SOAP message that WSE sends to WSS4J looks ok.
However, WSE uses a <SecurityTokenReference> with a <KeyIdentifier> element.
When this <SecurityTokenReference> is processed by WSS4J, a NullPointerException
is thrown in class Merlin, method getSKIBytesFromCert(X509Certificate cert).
Reason for the exception: look at this code from getSKIBytesFromCert...
byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
if (cert.getVersion() < 3) {...}
byte abyte0[] = new byte[derEncodedValue.length - 4];
The return value of cert.getExtensionValue(SKI_OID) is null in our case. Thus,
the third line fails. As stated in Sun's API documentation, null return values
can happen.
http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
1) This should be enhanced so that NullPointerExceptions can't happen anymore.
2) What does it mean that null is returned? Does this mean that the certificate
doesn't have an extension?
3) Would it be still a valid certificate or is it invalid without the extension?
4) How can we resolve this issue? Do the certificates created by
keytool/Java 5.0 have interop issues?
5) (maybe off-topic): does anybody know how .NET can be configured to send a
<SecurityTokenReference> with <X509IssuerSerial> instead of <KeyIdentifier>?
Thank you very much,
Thilo
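Added example, not WSS4J code and not from the post above: a null-safe way to read the SubjectKeyIdentifier (an optional X.509 extension) that parses the DER headers instead of assuming a fixed 4-byte prefix; the certificate file path is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class SkiExtractor {
    // OID of the SubjectKeyIdentifier extension (RFC 5280, section 4.2.1.2)
    private static final String SKI_OID = "2.5.29.14";
    // Returns the raw key identifier, or null when the certificate has no
    // SubjectKeyIdentifier extension (it is optional, so null is a valid case).
    // Unlike the quoted snippet, this never dereferences a null extension value.
    public static byte[] getSkiBytes(X509Certificate cert) {
        byte[] extnValue = cert.getExtensionValue(SKI_OID);
        if (extnValue == null) {
            return null;
        }
        // getExtensionValue() yields the extnValue OCTET STRING; the SKI
        // content inside it is itself an OCTET STRING, so unwrap twice.
        return unwrapOctetString(unwrapOctetString(extnValue));
    }
    // Strips one DER OCTET STRING header (tag 0x04, short- or long-form length).
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if (len > 0x7F) {                  // long form: 0x8N followed by N length bytes
            int numBytes = len & 0x7F;
            if (numBytes > 4) throw new IllegalArgumentException("length too large");
            len = 0;
            for (int i = 0; i < numBytes; i++) {
                len = (len << 8) | (der[offset++] & 0xFF);
            }
        }
        if (offset + len != der.length) {
            throw new IllegalArgumentException("DER length mismatch");
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }
    public static void main(String[] args) throws Exception {
        // Certificate path is an assumption: any DER- or PEM-encoded X.509 file
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "cert.cer")) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            byte[] ski = getSkiBytes(cert);
            System.out.println(ski == null ? "no SubjectKeyIdentifier extension" : "SKI: " + new java.math.BigInteger(1, ski).toString(16));
        }
    }
}
```

Running it against a certificate exported from the keystore shows directly whether the extension is present, which is the case WSS4J's code needs to handle.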