xml-security has some code for calculating the SKI if it is absent. -- dims
On 7/28/05, Granqvist, Hans <[EMAIL PROTECTED]> wrote:
> Hi Thilo,
>
> I think this issue has been discussed on this list before.
> (Do you have access to the archives?)
>
> To summarize:
> A cert without the OID SKI is still a valid cert since it
> is not a critical extension. The SKI is a derived value and
> there are two known ways of calculating SKI: the right way,
> and some funky way that appeared in some WSE revision.
>
> In another project, we had to deal with certs lacking a SKI,
> and we solved it by calculating the SKI ourselves.
>
> Hans
>
> > -----Original Message-----
> > From: Thilo Frotscher [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 28, 2005 9:04 AM
> > To: [email protected]
> > Subject: [WSS4J] NullPointerException in Merlin / .NET Interop issues
> >
> > Hi all,
> >
> > we have an interoperability issue between WSS4J and WSE. And
> > we believe to have found a bug in WSS4J. Please have a look
> > at it and give some advice.
> >
> > Scenario: We want to send an encrypted and signed message
> > from WSE to WSS4J. I created a key pair with keytool on Java
> > SE 5.0 and exported a certificate from my keystore (JCEKS).
> > This certificate was successfully imported on the .NET side.
> > The SOAP message that WSE sends to WSS4J looks ok.
> >
> > However, WSE uses a <SecurityTokenReference> with a
> > <KeyIdentifier> element. When this <SecurityTokenReference>
> > is processed by WSS4J a NullPointerException is thrown in
> > class Merlin, method getSKIBytesFromCert(X509Certificate cert)
> >
> > Reason for the exception: look at this code from
> > getSKIBytesFromCert...
> >
> >     byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> >     if (cert.getVersion() < 3) {...}
> >     byte abyte0[] = new byte[derEncodedValue.length - 4];
> >
> > The return value of cert.getExtensionValue(SKI_OID) is null
> > in our case. Thus, the third line fails. As stated in Sun's
> > API documentation, null return values can happen.
> > http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> >
> > 1) This should be enhanced so that NullPointerExceptions can't happen anymore.
> > 2) What does it mean that null is returned? Does this mean that the
> > certificate doesn't have an extension?
> > 3) Would it be still a valid certificate or is it invalid without the
> > extension?
> > 4) How can we resolve this issue? Do the certificates created by
> > keytool/Java5.0 have interop issues?
> > 5) (maybe off-topic): does anybody know how .NET can be configured to send a
> > <SecurityTokenReference> with <X509IssuerSerial> instead of <KeyIdentifier>?
> >
> > Thank you very much,
> > Thilo

--
Davanum Srinivas
http://blogs.cocoondev.org/dims/
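As an added illustration of the two points raised in the thread (guard the null return from getExtensionValue, and compute the SKI yourself when the extension is absent), here is example code that is not part of WSS4J or xml-security. It assumes the derivation from RFC 3280 section 4.2.1.2 method (1), SHA-1 over the subjectPublicKey BIT STRING value, and the class and its DER helper are hypothetical names written for this example.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Hypothetical helper (not WSS4J code): SKI lookup with a null-safe fallback. */
public class SkiHelper {
    static final String SKI_OID = "2.5.29.14";

    /** Returns the SKI from the extension, or derives it when the cert has none. */
    public static byte[] getSkiBytes(X509Certificate cert) throws Exception {
        byte[] extValue = cert.getExtensionValue(SKI_OID);
        if (extValue == null) {
            // No SKI extension: legal (it is non-critical), so derive one instead of failing.
            return deriveSki(cert.getPublicKey().getEncoded());
        }
        // getExtensionValue() returns OCTET STRING { OCTET STRING { keyIdentifier } };
        // unwrap both layers by parsing the DER headers rather than assuming 4 bytes.
        return unwrapOctetString(unwrapOctetString(extValue));
    }

    /** RFC 3280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING value. */
    static byte[] deriveSki(byte[] spki) throws Exception {
        int[] outer = tlv(spki, 0);                 // SEQUENCE { algorithm, subjectPublicKey }
        int[] alg = tlv(spki, outer[0]);            // AlgorithmIdentifier (skipped)
        int bitStringOff = alg[0] + alg[1];
        if (spki[bitStringOff] != 0x03) throw new IllegalArgumentException("expected BIT STRING");
        int[] bs = tlv(spki, bitStringOff);
        // First content byte of a BIT STRING is the unused-bits count; it is not hashed.
        byte[] keyBits = Arrays.copyOfRange(spki, bs[0] + 1, bs[0] + bs[1]);
        return MessageDigest.getInstance("SHA-1").digest(keyBits);
    }

    private static byte[] unwrapOctetString(byte[] der) {
        if (der[0] != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        int[] t = tlv(der, 0);
        return Arrays.copyOfRange(der, t[0], t[0] + t[1]);
    }

    /** Minimal DER reader: {contentOffset, contentLength} of the element at off. */
    private static int[] tlv(byte[] b, int off) {
        int len = b[off + 1] & 0xFF;
        int hdr = 2;
        if (len > 0x7F) {                           // long form: low 7 bits = count of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[off + 2 + i] & 0xFF);
            hdr += n;
        }
        return new int[] { off + hdr, len };
    }
}
```

The derived value only equals the issuer's SKI when the issuer used the same method, so the fallback belongs in the null branch only; a peer that computes the identifier differently (the "funky way" mentioned above) will still fail to match, which is why the thread's last question about switching WSE to <X509IssuerSerial> is a reasonable alternative.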
