Hello,

thank you very much for your answers. I have access
to the archive and found an early discussion. I now
understand that my certificate probably doesn't
contain an SKI and that it can be calculated at
runtime. .NET seems to do just that.

However, I don't understand how that could help with
our issue...

Use case: The certificate was created with keytool, then
exported from the Java keystore and imported into .NET.
Then .NET sends a message to WSS4J using an encrypted key
that was encrypted using this cert. WSS4J fails because
there is no SKI.

- How does it help if I can calculate the SKI myself?
  Where and when in this use case should I do that?
  Do you mean I should include the corresponding code
  into WSS4J? If yes, shouldn't that be done for
  everybody, as an official patch?

- Can't keytool create certs that contain an SKI?
  If not: *how* can I create a certificate that contains
  SKIs???

- Is there a tool that shows me if a certificate contains
  an SKI?

Any help is very much appreciated!
Thilo
Davanum Srinivas wrote:
xml-security has some code for calculating the SKI if it is absent.

-- dims

On 7/28/05, Granqvist, Hans <[EMAIL PROTECTED]> wrote:

Hi Thilo,

I think this issue has been discussed on this list before.
(Do you have access to the archives?)

To summarize:
A cert without the OID SKI is still a valid cert since it
is not a critical extension. The SKI is a derived value and
there are two known ways of calculating SKI: the right way,
and some funky way that appeared in some WSE revision.

In another project, we had to deal with certs lacking a SKI,
and we solved it by calculating the SKI ourselves.

Hans


-----Original Message-----
From: Thilo Frotscher [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 28, 2005 9:04 AM
To: [email protected]
Subject: [WSS4J] NullPointerException in Merlin / .NET Interop issues
Hi all,

we have an interoperability issue between WSS4J and WSE, and
we believe we have found a bug in WSS4J. Please have a look
at it and give some advice.

Scenario: We want to send an encrypted and signed message
from WSE to WSS4J. I created a key pair with keytool on Java
SE 5.0 and exported a certificate from my keystore (JCEKS).
This certificate was successfully imported on the .NET side.
The SOAP message that WSE sends to WSS4J looks ok.

However, WSE uses a <SecurityTokenReference> with a
<KeyIdentifier> element. When this <SecurityTokenReference>
is processed by WSS4J a NullPointerException is thrown in
Class Merlin, method getSKIBytesFromCert(X509Certificate cert)

Reason for the exception: look at this code from
getSKIBytesFromCert...

byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
if (cert.getVersion() < 3) {...}
byte abyte0[] = new byte[derEncodedValue.length - 4];

The return value of cert.getExtensionValue(SKI_OID) is null
in our case. Thus, the third line fails. As stated in Sun's
API documentation, null return values can happen.


http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)

1) This should be enhanced so that NullPointerExceptions can't happen anymore.
2) What does it mean that null is returned? Does this mean that the certificate
doesn't have an extension?
3) Would it be still a valid certificate or is it invalid without the extension?
4) How can we resolve this issue? Do the certificates created by
keytool/Java5.0 have interop issues?
5) (maybe off-topic): does anybody know how .NET can be configured to send a
<SecurityTokenReference> with <X509IssuerSerial> instead of <KeyIdentifier>?

Thank you very much,
Thilo
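
An added example (not WSS4J's or WSE's code) that covers two of the points in this thread: it reports whether a certificate file carries the SubjectKeyIdentifier extension, and when it does not, derives the identifier from the public key with the standard RFC 3280 section 4.2.1.2 method (1), SHA-1 over the subjectPublicKey bits, instead of dereferencing null as the Merlin snippet above does. It assumes the certificate path (DER or PEM, e.g. from "keytool -export") is the only command-line argument and Java 7 or later; the alternative WSE-style derivation Hans mentions is not reproduced here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class SkiCheck {
    static final String SKI_OID = "2.5.29.14"; // id-ce-subjectKeyIdentifier

    // Decodes the DER tag/length at off; returns {contentOffset, contentLength}.
    static int[] tlv(byte[] der, int off) {
        int i = off + 1;                        // skip the tag byte
        int len = der[i++] & 0xFF;
        if (len >= 0x80) {                      // long form: low 7 bits = number of length bytes
            int n = len & 0x7F; len = 0;
            for (int k = 0; k < n; k++) len = (len << 8) | (der[i++] & 0xFF);
        }
        return new int[] { i, len };
    }

    // SKI from the extension when present; otherwise SHA-1 of the subjectPublicKey BIT STRING
    // contents (RFC 3280 4.2.1.2 method 1). Unlike the Merlin snippet, null is handled.
    static byte[] skiOf(X509Certificate cert) throws Exception {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext != null) {
            int[] outer = tlv(ext, 0);          // OCTET STRING holding extnValue
            int[] inner = tlv(ext, outer[0]);   // OCTET STRING KeyIdentifier
            return Arrays.copyOfRange(ext, inner[0], inner[0] + inner[1]);
        }
        byte[] spki = cert.getPublicKey().getEncoded();  // SubjectPublicKeyInfo DER
        int[] seq = tlv(spki, 0);                        // outer SEQUENCE
        int[] alg = tlv(spki, seq[0]);                   // AlgorithmIdentifier SEQUENCE
        int[] bits = tlv(spki, alg[0] + alg[1]);         // subjectPublicKey BIT STRING
        // first content byte of a BIT STRING is the unused-bits count; hash what follows it
        byte[] key = Arrays.copyOfRange(spki, bits[0] + 1, bits[0] + bits[1]);
        return MessageDigest.getInstance("SHA-1").digest(key);
    }

    // Usage: java SkiCheck mycert.cer   (hypothetical file name; DER or PEM accepted)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("SKI extension present: " + (cert.getExtensionValue(SKI_OID) != null));
        byte[] ski = skiOf(cert);
        System.out.println("SKI: " + String.format("%0" + 2 * ski.length + "x", new BigInteger(1, ski)));
    }
}
```

Running this against the exported certificate shows directly whether the extension is there; the null check in skiOf is the guard that the quoted getSKIBytesFromCert code lacks, and the computed value is only meaningful for interop if the peer derives the SKI the same way.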
