Re: Usage of X509 certificates in WSS4J

2008-02-29 Thread Mayank Mishra

Thanks Arundel,

I never knew about the WSS4J mailing list. I will start a thread regarding
this on the WSS4J mailing list.


With Regards,
Mayank

Arundel, Donal wrote:

> Okay, sounds like the certs were as we suspected then :-)
>
> If you were proposing a WSS4J enhancement request for x509TokenProfile
> 1.1 then perhaps it might be worth throwing a query to the WSS4J mail
> list?
> Obviously for this sort of extension we shouldn't add the logic into CXF
> itself.
>
> Cheers,
> Donal


RE: Usage of X509 certificates in WSS4J

2008-02-28 Thread Arundel, Donal
Okay, sounds like the certs were as we suspected then :-)

If you were proposing a WSS4J enhancement request for x509TokenProfile
1.1 then perhaps it might be worth throwing a query to the WSS4J mail
list?
Obviously for this sort of extension we shouldn't add the logic into CXF
itself.

Cheers,
Donal


RE: Usage of X509 certificates in WSS4J

2008-02-26 Thread Arundel, Donal

Unless x.509v3 Certificates are present in your created certificate there
is no requirement that the certificate version number is 3.

If either the X.509 issuerUniqueID or subjectUniqueID fields are present
the certificate must be at least version 2.

However there is nothing actually stopping somebody creating a
certificate with no x.509v3 extensions, and also no issuerUniqueID or
subjectUniqueID, and having a version of 3. A version of 1 would
strictly be more correct though.
I don't know offhand if Keytool gives you explicit control over the
version number or whether it just calculates the version from the
logical certificate request data when creating the certificate.

Generally all CA certificates must have extensions indicating that they
are CAs, so they should have a version number of 3.
Application certs on the other hand may vary depending on their content
and anticipated usage.

Cheers,
Donal

-Original Message-
From: Mayank Mishra [mailto:[EMAIL PROTECTED]
Sent: 26 February 2008 10:44
To: cxf-user@incubator.apache.org
Subject: Usage of X509 certificates in WSS4J

G'day all,

I am using WSS4J 1.5.1. I created X509 public keys and certificates from
the Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
Please let me know if it creates v3 certificates, which in my opinion it
doesn't.

Looking at the on-the-wire message sent from client to server or
otherwise, I observe in the Token Reference that the value of the ValueType
attribute in the KeyIdentifier element is

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were
included in the spec; in X.509 Certificate Token Profile 1.0, only X509v3
certificates were there to be used.

Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please
clarify if I am wrong.

Since X509v3 certs have some more extension elements over X509v1, it
should give some error when passing X509v1 for crypto creation. Or it
silently uses X509v1, but then the ValueType should be #x509v1 instead
of #x509v3.

There is a bit of confusion. Kindly clarify.

With Regards,
Mayank


IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland


Re: Usage of X509 certificates in WSS4J

2008-02-26 Thread Mayank Mishra

Arundel, Donal wrote:

> Unless x.509v3 Certificates are present in your created certificate there
> is no requirement that the certificate version number is 3.
>
> If either the X.509 issuerUniqueID or subjectUniqueID fields are present
> the certificate must be at least version 2.
> However there is nothing actually stopping somebody creating a
> certificate with no x.509v3 extensions, and also no issuerUniqueID or
> subjectUniqueID, and having a version of 3. A version of 1 would
> strictly be more correct though.

Yes, I agree with you.

> I don't know offhand if Keytool gives you explicit control over the
> version number or whether it just calculates the version from the
> logical certificate request data when creating the certificate.

I generated public key certificates and private keys from keytool only.
According to [1], it generates v1 certificates and can import/export v1,
v2, and v3 certificates.
But I am suspecting it because, while printing out the certificate,
I get the following along with SerialNumber and Certificate fingerprints:

Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate,
C=mycountry, [EMAIL PROTECTED]
Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate,
C=mycountry, [EMAIL PROTECTED]

I guess EMAILADDRESS, etc. comes as v3 certificate extensions.

Is there any way through which I can verify whether my certificate is a v3
certificate having no extension or a v1 certificate?

> Generally all CA certificates must have extensions indicating that they
> are CAs, so they should have a version number of 3.
> Application certs on the other hand may vary depending on their content
> and anticipated usage.
>
> Cheers,
> Donal

With Regards,
Mayank

[1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html



RE: Usage of X509 certificates in WSS4J

2008-02-26 Thread Arundel, Donal

Sure, assuming you mean from the command line then download the
excellent openssl utility from www.openssl.org.

Then execute:

openssl x509 -in MyCertfile.pem -inform PEM -text

This will give a nice printout of the cert details, including a listing
of the x.509v3 extensions present.
The above command line assumes the cert is in PEM format (base 64
encoded); DER format is also supported (the Java language specific jks file
format is not supported by openssl).

(Aside: If you wanted to query certs programmatically then you could use
the JDK's x.509 interface which gives you access to the extensions, and
also to the version number of the certificate)

The Email address data you refer to below appears to be just part of the
distinguished name of both the Issuer and Subject.
This by itself is not evidence of an x.509v3 extension being present.

There is at least one defined X.509v3 extension that can be used for
e-mail addresses (e.g. the emailAddress extension), but from the extract
you have posted it's not clear if this is specified in your cert.
I suspect it's unlikely based on what you have said so far.

Anyway openssl will make this clear.

If you are on Windows you could just download the pre-built binaries
executable from
http://www.openssl.org/related/binaries.html
I normally just build openssl myself, and haven't used that specific
link personally - but it is listed on the main openssl.org webpage so
hopefully should work.

I could probably mail you a statically built version for one of the most
popular Unix platforms if that's any use to you, and save you the hassle
of building it.

> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate,
> C=mycountry, [EMAIL PROTECTED]
>
> I guess EMAILADDRESS, etc. comes as v3 certificate extensions.
>
> Is there any way through which I can verify whether my certificate is a v3
> certificate having no extension or a v1 certificate?

Cheers,
Donal


Re: Usage of X509 certificates in WSS4J

2008-02-26 Thread Mayank Mishra

Arundel, Donal wrote:

> Sure, assuming you mean from the command line then download the
> excellent openssl utility from www.openssl.org.
>
> Then execute:
>
> openssl x509 -in MyCertfile.pem -inform PEM -text
>
> This will give a nice printout of the cert details, including a listing
> of the x.509v3 extensions present.
> The above command line assumes the cert is in PEM format (base 64
> encoded); DER format is also supported (the Java language specific jks file
> format is not supported by openssl).
>
> (Aside: If you wanted to query certs programmatically then you could use
> the JDK's x.509 interface which gives you access to the extensions, and
> also to the version number of the certificate)

I debugged the MerlinCrypto instance created by WSS4J and checked the
version number in the sun.security.x509.X509CertInfo instance. It has
Version: v1 as the CertificateVersion value.

> The Email address data you refer to below appears to be just part of the
> distinguished name of both the Issuer and Subject.
> This by itself is not evidence of an x.509v3 extension being present.
>
> There is at least one defined X.509v3 extension that can be used for
> e-mail addresses (e.g. the emailAddress extension), but from the extract
> you have posted it's not clear if this is specified in your cert.
> I suspect it's unlikely based on what you have said so far.
>
> Anyway openssl will make this clear.
>
> If you are on Windows you could just download the pre-built binaries
> executable from
> http://www.openssl.org/related/binaries.html
> I normally just build openssl myself, and haven't used that specific
> link personally - but it is listed on the main openssl.org webpage so
> hopefully should work.

Thanks Arundel for the link. I used the pre-built binaries from the URL.
I followed the following:

1. Exported the certificate to .CER format with the keytool -export command.
2. Converted CER format to PEM format using the openssl command
   x509 -inform der -in MYCERT.cer -out MYCERT.pem
3. Checked the version using the openssl command
   x509 -in MYCERT.pem -inform PEM -text

I saw the following information along with Validity, Subject, Subject Public
Key Info and Certificate:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1173183211 (0x45ed5aeb)
        Signature Algorithm: md5WithRSAEncryption

I guess I can confirm, seeing the above, that the certificates I am using are
of version v1. Also, no extension information was there.

Hence, in this case the certificates I am passing to WSS4J are x509v1,
and the expected ValueType must be #x509v1.

In case I am right, WSS4J supports OASIS X.509 Certificate Token Profile
1.0 [1]. IMO, the only differences between 1.0 and OASIS X.509 Certificate
Token Profile 1.1 [2] are the following:

1. Inclusion of X.509 version 1 certificates (I don't know the reason for
   going back).
2. Allowing only X.509 version 3 certificates to be used in the Key
   Identifier reference.

We can change the above and support Token Profile 1.1.

With Regards,
Mayank

[1]. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
[2]. http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf

Or at least we can check the certificate version and put the right value,
#x509v1, in the 'ValueType' attribute of the Key Identifier reference.




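Added example, not code from the thread, WSS4J or CXF: it applies Donal's version rules (extensions require v3, issuerUniqueID/subjectUniqueID at least v2, otherwise v1 is the strictly correct value) to a DER TBSCertificate and maps the declared version to the ValueType Mayank proposes for the KeyIdentifier reference. The DER helpers, the constructed certificate skeletons and every function name are assumptions of this example; the ValueType namespace is the URI Mayank observed on the wire, and the #X509v1 fragment is the value he argues for.

```python
from typing import Iterator, Tuple

# Namespace of the ValueType URI Mayank saw on the wire; #X509v1 is the fragment
# he proposes for version 1 certificates, #X509v3 the one WSS4J currently emits.
WSS_X509_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, body up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each consecutive definite-length TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                          # long form: low bits = number of length octets
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def analyse_tbs(tbs: bytes) -> dict:
    """Apply the thread's rules to a DER TBSCertificate: extensions need v3,
    issuerUniqueID/subjectUniqueID need at least v2, anything else is v1."""
    _, body = next(tlvs(tbs))                 # unwrap the TBSCertificate SEQUENCE
    fields = list(tlvs(body))
    declared = 1                              # [0] version is omitted for v1 (DEFAULT)
    if fields and fields[0][0] == 0xA0:       # [0] EXPLICIT Version INTEGER
        declared = int.from_bytes(next(tlvs(fields[0][1]))[1], "big") + 1
        fields = fields[1:]
    # serial, signature, issuer, validity, subject and subjectPublicKeyInfo are
    # mandatory; anything after them is one of the optional tagged fields.
    tags = {t for t, _ in fields[6:]}
    has_unique_ids = bool(tags & {0x81, 0x82})   # [1]/[2] IMPLICIT BIT STRING
    has_extensions = 0xA3 in tags                # [3] EXPLICIT Extensions
    required = 3 if has_extensions else 2 if has_unique_ids else 1
    return {"declared": declared, "required": required,
            "extensions": has_extensions, "unique_ids": has_unique_ids,
            "well_formed": declared >= required,       # v1 carrying extensions is invalid
            "strictly_correct": declared == required}  # Donal's "more correct" version

def wss_value_type(declared_version: int):
    """ValueType for the KeyIdentifier reference, or None where the profile has none."""
    return {1: WSS_X509_NS + "#X509v1", 3: WSS_X509_NS + "#X509v3"}.get(declared_version)

def sample_tbs(version: int, extensions: bool = False, unique_id: bool = False) -> bytes:
    """Constructed TBSCertificate skeleton: real structure, no real key or signature."""
    cn_dev = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"dev"))))
    md5_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04") + der(0x05, b""))
    rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    parts = [] if version == 1 else [der(0xA0, der(0x02, bytes([version - 1])))]
    parts += [der(0x02, b"\x45\xed\x5a\xeb"),                  # serial number seen in the thread
              md5_rsa,                                          # md5WithRSAEncryption, as printed
              cn_dev,                                           # issuer
              der(0x30, der(0x17, b"080301000000Z") + der(0x17, b"090301000000Z")),
              cn_dev,                                           # subject
              der(0x30, rsa + der(0x03, b"\x00\x30\x00"))]      # placeholder public key
    if unique_id:
        parts.append(der(0x81, b"\x00\xab"))                    # issuerUniqueID -> v2
    if extensions:                                              # basicConstraints CA:TRUE -> v3
        bc = der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x01, b"\xff")
                 + der(0x04, der(0x30, der(0x01, b"\xff"))))
        parts.append(der(0xA3, der(0x30, bc)))
    return der(0x30, b"".join(parts))

if __name__ == "__main__":
    for v, ext, uid in ((1, False, False), (3, True, False), (3, False, False), (2, False, True)):
        info = analyse_tbs(sample_tbs(v, ext, uid))
        print(f"v{v} ext={ext} uid={uid} -> {info} {wss_value_type(info['declared'])}")
```

A keytool-generated v1 certificate yields declared 1 / required 1 and the #X509v1 ValueType, while the "v3 with no extensions" case Donal describes shows up as well-formed but not strictly correct.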