ws-fx-dev mailing list archives

From Davanum Srinivas <dava...@gmail.com>
Subject Re: [WSS4J] NullPointerException in Merlin / .NET Interop issues
Date Thu, 28 Jul 2005 18:11:20 GMT
xml-security has some code for calculating the SKI if it is absent.

-- dims

On 7/28/05, Granqvist, Hans <hgranqvist@verisign.com> wrote:
> Hi Thilo,
> 
> I think this issue has been discussed on this list before.
> (Do you have access to the archives?)
> 
> To summarize:
> A cert without the OID SKI is still a valid cert since it
> is not a critical extension. The SKI is a derived value and
> there are two known ways of calculating SKI: the right way,
> and some funky way that appeared in some WSE revision.
> 
> In another project, we had to deal with certs lacking a SKI,
> and we solved it by calculating the SKI ourselves.
> 
> Hans
> 
> > -----Original Message-----
> > From: Thilo Frotscher [mailto:thilo.frotscher@web.de]
> > Sent: Thursday, July 28, 2005 9:04 AM
> > To: fx-dev@ws.apache.org
> > Subject: [WSS4J] NullPointerException in Merlin / .NET Interop issues
> >
> > Hi all,
> >
> > we have an interoperability issue between WSS4J and WSE, and
> > we believe we have found a bug in WSS4J. Please have a look
> > at it and give some advice.
> >
> > Scenario: We want to send an encrypted and signed message
> > from WSE to WSS4J. I created a key pair with keytool on Java
> > SE 5.0 and exported a certificate from my keystore (JCEKS).
> > This certificate was successfully imported on the .NET side.
> > The SOAP message that WSE sends to WSS4J looks ok.
> >
> > However, WSE uses a <SecurityTokenReference> with a
> > <KeyIdentifier> element. When this <SecurityTokenReference>
> > is processed by WSS4J a NullPointerException is thrown in
> > Class Merlin, method getSKIBytesFromCert(X509Certificate cert)
> >
> > Reason for the exception: look at this code from
> > getSKIBytesFromCert...
> >
> > byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> > if (cert.getVersion() < 3) {...}
> > byte abyte0[] = new byte[derEncodedValue.length - 4];
> >
> > The return value of cert.getExtensionValue(SKI_OID) is null
> > in our case. Thus, the third line fails. As stated in Sun's
> > API documentation, null return values can happen.
> >
> > http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> >
> > 1) This should be enhanced so that NullPointerExceptions can't happen anymore.
> > 2) What does it mean that null is returned? Does this mean that the certificate doesn't
> > have an extension?
> > 3) Would it still be a valid certificate, or is it invalid without the extension?
> > 4) How can we resolve this issue? Do the certificates created by keytool/Java5.0 have
> > interop issues?
> > 5) (maybe off-topic): does anybody know how .NET can be configured to send a <SecurityTokenReference>
> > with <X509IssuerSerial> instead of <KeyIdentifier>?
> >
> > Thank you very much,
> > Thilo
> >
> > _________________________________________________________________________
> > With the group SMS feature of WEB.DE FreeMail you can send an SMS to all your
> > friends at once: http://freemail.web.de/features/?mc=021179
> >


-- 
Davanum Srinivas -http://blogs.cocoondev.org/dims/
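An added example (not WSS4J's or xml-security's code) of what the thread suggests: a null-safe replacement for the getSKIBytesFromCert logic quoted above, which parses the extension's DER headers instead of assuming they total four bytes and, when the SKI extension is absent, derives the value the standard way (RFC 3280 section 4.2.1.2 method 1: SHA-1 over the subjectPublicKey BIT STRING contents), not the WSE-specific variant Hans mentions. Class and method names are assumptions; the certificate file path passed to main is whatever you supply.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class SkiHelper {
    private static final String SKI_OID = "2.5.29.14";

    /** SKI bytes: from the extension if present, otherwise derived per RFC 3280 4.2.1.2 method 1. */
    public static byte[] getSkiBytes(X509Certificate cert) throws Exception {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext != null) {
            // getExtensionValue() returns OCTET STRING { OCTET STRING { keyIdentifier } };
            // walk both headers rather than assuming short-form lengths (the "- 4" in Merlin).
            return derValue(derValue(ext, 0), 0);
        }
        // No extension: derive instead of dereferencing null. SubjectPublicKeyInfo is
        // SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }.
        byte[] spki = derValue(cert.getPublicKey().getEncoded(), 0);
        byte[] bits = derValue(spki, tlvLength(spki, 0));   // skip AlgorithmIdentifier
        byte[] key = new byte[bits.length - 1];              // drop the unused-bits octet
        System.arraycopy(bits, 1, key, 0, key.length);
        return MessageDigest.getInstance("SHA-1").digest(key);
    }
    /** {header length, content length} of the definite-length DER TLV at off (tags not checked). */
    private static int[] header(byte[] buf, int off) {
        int first = buf[off + 1] & 0xff;
        if (first < 0x80) return new int[] {2, first};
        int n = first & 0x7f, len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (buf[off + 2 + i] & 0xff);
        return new int[] {2 + n, len};
    }
    /** Content octets of the TLV at off. */
    private static byte[] derValue(byte[] buf, int off) {
        int[] h = header(buf, off);
        byte[] out = new byte[h[1]];
        System.arraycopy(buf, off + h[0], out, 0, h[1]);
        return out;
    }
    /** Total encoded length (header plus content) of the TLV at off. */
    private static int tlvLength(byte[] buf, int off) {
        int[] h = header(buf, off);
        return h[0] + h[1];
    }
    public static void main(String[] args) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[0]));
        System.out.println(new BigInteger(1, getSkiBytes(cert)).toString(16));
    }
}
```

Run it against a keytool-generated certificate (which carries no SKI extension) and against one that does to compare the two code paths; a WSE peer using the other derivation will still not match on the first kind of certificate, which is why sending an <X509IssuerSerial> reference, as asked in question 5, sidesteps the problem entirely.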
