Hi Thilo, I think this issue has been discussed on this list before. (Do you have access to the archives?)

To summarize: A cert without the OID SKI is still a valid cert since it is not a critical extension. The SKI is a derived value and there are two known ways of calculating SKI: the right way, and some funky way that appeared in some WSE revision. In another project, we had to deal with certs lacking a SKI, and we solved it by calculating the SKI ourselves.

Hans

> -----Original Message-----
> From: Thilo Frotscher [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 28, 2005 9:04 AM
> To: [email protected]
> Subject: [WSS4J] NullPointerException in Merlin / .NET Interop issues
>
> Hi all,
>
> we have an interoperability issue between WSS4J and WSE. And we believe to have found a bug in WSS4J. Please have a look at it and give some advice.
>
> Scenario: We want to send an encrypted and signed message from WSE to WSS4J. I created a key pair with keytool on Java SE 5.0 and exported a certificate from my keystore (JCEKS). This certificate was successfully imported on the .NET side. The SOAP message that WSE sends to WSS4J looks ok.
>
> However, WSE uses a <SecurityTokenReference> with a <KeyIdentifier> element. When this <SecurityTokenReference> is processed by WSS4J a NullPointerException is thrown in class Merlin, method getSKIBytesFromCert(X509Certificate cert)
>
> Reason for the exception: look at this code from getSKIBytesFromCert...
>
>     byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
>     if (cert.getVersion() < 3) {...}
>     byte abyte0[] = new byte[derEncodedValue.length - 4];
>
> The return value of cert.getExtensionValue(SKI_OID) is null in our case. Thus, the third line fails. As stated in Sun's API documentation, null return values can happen.
> http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
>
> 1) This should be enhanced so that NullPointerExceptions can't happen anymore.
> 2) What does it mean that null is returned? Does this mean that the certificate doesn't have an extension?
> 3) Would it be still a valid certificate or is it invalid without the extension?
> 4) How can we resolve this issue? Do the certificates created by keytool/Java5.0 have interop issues?
> 5) (maybe off-topic): does anybody know how .NET can be configured to send a <SecurityTokenReference> with <X509IssuerSerial> instead of <KeyIdentifier>?
>
> Thank you very much,
> Thilo
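The approach Hans describes (compute the SKI yourself when the extension is absent) and the null check Thilo asks for, as an added example; this is hypothetical helper code, not WSS4J's Merlin, and it derives the identifier with the standard method from RFC 5280 §4.2.1.2, SHA-1 over the subjectPublicKey BIT STRING value, not the WSE-specific variant mentioned above.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Hypothetical helper: SKI lookup that tolerates certificates lacking the extension. */
public final class SkiUtil {
    private static final String SKI_OID = "2.5.29.14";

    public static byte[] getSKIBytesFromCert(X509Certificate cert) throws Exception {
        byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
        if (derEncodedValue != null) {
            // getExtensionValue() returns the extnValue OCTET STRING; for SKI its content
            // is itself an OCTET STRING (KeyIdentifier), so unwrap twice instead of "length - 4".
            return unwrapOctetString(unwrapOctetString(derEncodedValue));
        }
        // Extension absent (non-critical, so the cert is still valid): derive the id per
        // RFC 5280 method (1), SHA-1 over the subjectPublicKey BIT STRING contents.
        byte[] spki = cert.getPublicKey().getEncoded();      // SubjectPublicKeyInfo, DER
        int[] seq = readTlv(spki, 0);                        // outer SEQUENCE
        int[] alg = readTlv(spki, seq[2]);                   // AlgorithmIdentifier, skipped
        int[] bits = readTlv(spki, alg[2] + alg[1]);         // BIT STRING subjectPublicKey
        if (seq[0] != 0x30 || bits[0] != 0x03) throw new IllegalArgumentException("bad SPKI");
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(spki, bits[2] + 1, bits[1] - 1);         // skip the unused-bits octet
        return sha1.digest();
    }

    /** Decodes one DER tag and length at off; returns {tag, length, offset of content}. */
    private static int[] readTlv(byte[] b, int off) {
        int tag = b[off] & 0xFF, len = b[off + 1] & 0xFF, pos = off + 2;
        if (len > 0x7F) {                                    // long-form length
            int n = len & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[pos++] & 0xFF);
        }
        return new int[]{tag, len, pos};
    }

    private static byte[] unwrapOctetString(byte[] b) {
        int[] t = readTlv(b, 0);
        if (t[0] != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        return Arrays.copyOfRange(b, t[2], t[2] + t[1]);
    }

    public static void main(String[] args) throws Exception {
        try (FileInputStream in = new FileInputStream(args[0])) {  // PEM or DER certificate
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            StringBuilder hex = new StringBuilder();
            for (byte x : getSKIBytesFromCert(cert)) hex.append(String.format("%02x", x));
            System.out.println(hex);
        }
    }
}
```

Run it against the certificate exported from keytool to compare the derived value with the KeyIdentifier WSE puts in the SecurityTokenReference; a mismatch points at the other ("funky") derivation rather than at a missing extension.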
