Just checked this: this is the WSS4J handler key identifier code "X509KeyIdentifier"; the tool should use "SKIKeyIdentifier" instead.

Or, if the tool uses it programmatically: WSConstants.SKI_KEY_IDENTIFIER instead of WSConstants.X509_KEY_IDENTIFIER. The X509KeyIdentifier was defined in the X509 profile of WS Security V1.0 (AFAIK not in 1.1 anymore), but this is for backward compatibility with 1.0.

Regards,
Werner

> -----Original Message-----
> From: ext Dittmann, Werner (NSN - DE/Munich) [mailto:[email protected]]
> Sent: Thursday, June 18, 2009 12:18 PM
> To: ext Mattias Sjölén (JIRA); [email protected]
> Subject: RE: [jira] Created: (WSS-200) Compliance with X.509 Certificate Token Profile
>
> WSS4J supports several key identifier types, for example SKI (Subject Key Identifier), X509v3, thumbprint and others. It is the task of the software that uses the WSS4J library to select the key identifier type, thus the "Java based tool on Windows" should set the correct parameters. Where do you (or the "tool") specify which key identifier type (profile) to use?
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: ext Mattias Sjölén (JIRA) [mailto:[email protected]]
> > Sent: Wednesday, June 17, 2009 7:54 PM
> > To: [email protected]
> > Subject: [jira] Created: (WSS-200) Compliance with X.509 Certificate Token Profile
> >
> > Compliance with X.509 Certificate Token Profile
> > -----------------------------------------------
> >
> > Key: WSS-200
> > URL: https://issues.apache.org/jira/browse/WSS-200
> > Project: WSS4J
> > Issue Type: Bug
> > Components: WSS4J Core
> > Affects Versions: 1.5.7
> > Environment: I have been running a Java based tool on Windows that has wss4j-1.5.7.jar in its lib folder, so I guess that WSS4J is used internally by the tool.
> > Reporter: Mattias Sjölén
> > Assignee: Ruchith Udayanga Fernando
> >
> > Chapter "3.2.1 Reference to an X.509 Subject Key Identifier" in the "Certificate Token Profile 1.1" specification states the following - "The <wsse:KeyIdentifier> element MUST have a ValueType attribute with the value #X509SubjectKeyIdentifier and its contents MUST be the value of the certificate's X.509v3 SubjectKeyIdentifier extension, encoded as per the <wsse:KeyIdentifier> element's EncodingType attribute."
> >
> > The tool I use signs an outgoing xml according to the specified policy and it will then contain the following tags:
> >
> > <wsse:SecurityTokenReference wsu:Id="STRId-14A576A8..." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >   <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> >     MIIEFzCCAv+gA...
> >   </wsse:KeyIdentifier>
> > </wsse:SecurityTokenReference>
> >
> > Notice that the ValueType for the KeyIdentifier is #X509v3 instead of #X509SubjectKeyIdentifier:
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> >
> > If I perform a Base64Decode on the value inside the tag, it contains an X.509 Certificate and not a Subject Key Identifier.
> >
> > --
> > This message is automatically generated by JIRA.
> > -
> > You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
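The thread names the two ways a caller selects the key identifier form in WSS4J (the handler property value "SKIKeyIdentifier" and the constant WSConstants.SKI_KEY_IDENTIFIER) and the symptom the reporter saw (a #X509v3 ValueType whose Base64 payload is a whole certificate). The following is an added example, not code from the WSS4J project or from anyone in the thread, written against the WSS4J 1.5.x API: it shows both configuration routes side by side and a receiver-side check that tells a Token Profile 1.1 SKI reference from the 1.0-era #X509v3 reference. The class names WSSecSignature, WSSecHeader and WSHandlerConstants are assumed from WSS4J 1.5.x and are not mentioned in the thread; the keystore alias, password and crypto.properties file name are placeholders; java.util.Base64 assumes Java 8 or later; the sample SecurityTokenReference in main() is constructed for the demonstration and carries a fake certificate-shaped byte string, not a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example for WSS4J 1.5.x; not code from the project or from the thread. */
public class SkiKeyIdentifierExample {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String X509_PROFILE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0";
    static final String SKI_VALUE_TYPE = X509_PROFILE_NS + "#X509SubjectKeyIdentifier";

    /** Handler-style configuration (e.g. a WSS4J outbound handler) for a signature action. */
    static Map<String, String> skiHandlerProperties() {
        Map<String, String> p = new HashMap<String, String>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        p.put(WSHandlerConstants.USER, "signer-alias");               // placeholder keystore alias
        p.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");  // placeholder crypto config
        // "X509KeyIdentifier" produces the 1.0-era #X509v3 reference reported in WSS-200;
        // "SKIKeyIdentifier" produces the Token Profile 1.1 #X509SubjectKeyIdentifier reference.
        p.put(WSHandlerConstants.SIG_KEY_ID, "SKIKeyIdentifier");
        return p;
    }

    /** Programmatic equivalent: sign the SOAP body and reference the certificate by its SKI. */
    static Document signWithSki(Document soap, Crypto crypto, String alias, String password)
            throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(soap);
        WSSecSignature sig = new WSSecSignature();
        sig.setUserInfo(alias, password);
        sig.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER); // not X509_KEY_IDENTIFIER
        return sig.build(soap, crypto, secHeader);
    }

    /** ValueType of the first wsse:KeyIdentifier in the document, or null if there is none. */
    static String keyIdentifierValueType(Document doc) {
        NodeList ids = doc.getElementsByTagNameNS(WSSE_NS, "KeyIdentifier");
        return ids.getLength() == 0 ? null : ((Element) ids.item(0)).getAttribute("ValueType");
    }

    /**
     * Heuristic on the decoded payload: a DER certificate opens with a SEQUENCE tag (0x30) and
     * runs to hundreds of bytes, whereas the SKI value WSS4J emits is the raw extension value
     * (typically a 20-byte key hash). The length bound is an assumption chosen for the demo.
     */
    static boolean payloadLooksLikeCertificate(String base64Text) {
        byte[] raw = Base64.getMimeDecoder().decode(base64Text.trim());
        return raw.length > 64 && raw[0] == 0x30;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the STR quoted in WSS-200. The payload is a fake
        // certificate-shaped byte string (SEQUENCE header followed by zeros), not a certificate.
        byte[] fake = new byte[300];
        fake[0] = 0x30;
        fake[1] = (byte) 0x82;
        String b64 = Base64.getEncoder().encodeToString(fake);
        String xml = "<wsse:SecurityTokenReference xmlns:wsse=\"" + WSSE_NS + "\">"
            + "<wsse:KeyIdentifier EncodingType=\"http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-soap-message-security-1.0#Base64Binary\" ValueType=\""
            + X509_PROFILE_NS + "#X509v3\">" + b64 + "</wsse:KeyIdentifier>"
            + "</wsse:SecurityTokenReference>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String valueType = keyIdentifierValueType(doc);
        String payload = doc.getElementsByTagNameNS(WSSE_NS, "KeyIdentifier").item(0).getTextContent();
        System.out.println("ValueType is the 1.1 SKI form: " + SKI_VALUE_TYPE.equals(valueType));
        System.out.println("Payload looks like a whole certificate: "
            + payloadLooksLikeCertificate(payload));
    }
}
```

With an SKI reference the certificate itself is no longer carried in the message, so the receiver can only verify the signature if it already holds the signer's certificate in the keystore its Crypto instance is configured with; when switching a tool from "X509KeyIdentifier" to "SKIKeyIdentifier", confirm that on the receiving side before rolling the change out.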
