ws-fx-dev mailing list archives

From "Granqvist, Hans" <>
Subject RE: [WSS4J] NullPointerException in Merlin / .NET Interop issues
Date Thu, 28 Jul 2005 18:08:38 GMT
Hi Thilo,

I think this issue has been discussed on this list before.
(Do you have access to the archives?)

To summarize:
A cert without the OID SKI is still a valid cert since it
is not a critical extension. The SKI is a derived value and
there are two known ways of calculating SKI: the right way,
and some funky way that appeared in some WSE revision. 

In another project, we had to deal with certs lacking a SKI,
and we solved it by calculating the SKI ourselves.


> -----Original Message-----
> From: Thilo Frotscher [] 
> Sent: Thursday, July 28, 2005 9:04 AM
> To:
> Subject: [WSS4J] NullPointerException in Merlin / .NET Interop issues 
> Hi all,
> we have an interoperability issue between WSS4J and WSE. And 
> we believe we have found a bug in WSS4J. Please have a look 
> at it and give some advice.
> Scenario: We want to send an encrypted and signed message 
> from WSE to WSS4J. I created a key pair with keytool on Java 
> SE 5.0 and exported a certificate from my keystore (JCEKS). 
> This certificate was successfully imported on the .NET side. 
> The SOAP message that WSE sends to WSS4J looks ok. 
> However, WSE uses a <SecurityTokenReference> with a 
> <KeyIdentifier> element. When this <SecurityTokenReference> 
> is processed by WSS4J a NullPointerException is thrown in 
> Class Merlin, method getSKIBytesFromCert(X509Certificate cert)
> Reason for the exception: look at this code from 
> getSKIBytesFromCert...
> byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> if (cert.getVersion() < 3) {...}
> byte abyte0[] = new byte[derEncodedValue.length - 4];
> The return value of cert.getExtensionValue(SKI_OID) is null 
> in our case. Thus, the third line fails. As stated in Sun's 
> API documentation, null return values can happen.

> 1) This should be enhanced so that NullPointerExceptions can't happen anymore.
> 2) What does it mean that null is returned? Does this mean that the certificate doesn't have
> an extension? 
> 3) Would it still be a valid certificate, or is it invalid without the extension?
> 4) How can we resolve this issue? Do the certificates created by keytool/Java5.0 have interop
> 5) (maybe off-topic): does anybody know how .NET can be configured to send a <SecurityTokenReference>
> with <X509IssuerSerial> instead of <KeyIdentifier>?
> 
> Thank you very much,

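The fallback Hans describes (computing the SKI yourself when the certificate carries none), together with the null check Thilo asks for in his point 1, as an added example. This is not WSS4J or Merlin code: it is written in Python rather than Java so that it runs without a keystore, and the DER walker, the toy RSA-shaped key and the two unsigned certificate shells are all constructed inside the block. The derivation used is RFC 5280 section 4.2.1.2 method (1), the SHA-1 over the subjectPublicKey bits, assumed here to be the "right way" Hans refers to; the WSE variant he mentions is not described on this page and is not implemented. get_extension_value mirrors Java's X509Extension.getExtensionValue (the DER-encoded extnValue OCTET STRING, or None), so get_ski_bytes is the null-safe shape of Merlin's getSKIBytesFromCert.

```python
"""SubjectKeyIdentifier lookup with the RFC 5280 4.2.1.2 fallback derivation.
Added example, not WSS4J/Merlin code; standard library only. The certificates
built at the bottom are constructed toy structures, not real ones."""
import hashlib

SKI_OID = "2.5.29.14"   # id-ce-subjectKeyIdentifier


def der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return der(0x06, bytes(body))


def tlvs(data):
    """Split the body of a DER SEQUENCE into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, data[i:i + n]))
        i += n
    return out


def _tbs_fields(cert_der):
    """tbsCertificate fields with the optional [0] version stripped, so index 5
    is always subjectPublicKeyInfo and [3] extensions (tag 0xA3) come after it."""
    fields = tlvs(tlvs(tlvs(cert_der)[0][1])[0][1])
    return fields[1:] if fields and fields[0][0] == 0xA0 else fields


def get_extension_value(cert_der, oid):
    """Like java.security.cert.X509Extension.getExtensionValue: the DER-encoded
    extnValue OCTET STRING, or None when the certificate lacks the extension."""
    want = der_oid(oid)
    for tag, value in _tbs_fields(cert_der)[6:]:
        if tag == 0xA3:
            for _, ext in tlvs(tlvs(value)[0][1]):
                parts = tlvs(ext)          # OID, [BOOLEAN critical], OCTET STRING
                if der(*parts[0]) == want:
                    return der(*parts[-1])
    return None


def ski_from_public_key(spki_der):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING
    value, minus tag, length and the leading unused-bits octet."""
    _alg, (bit_tag, bit_string) = tlvs(tlvs(spki_der)[0][1])
    if bit_tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return hashlib.sha1(bit_string[1:]).digest()


def get_ski_bytes(cert_der):
    """Null-safe counterpart of Merlin's getSKIBytesFromCert."""
    encoded = get_extension_value(cert_der, SKI_OID)
    if encoded is None:
        # Optional, non-critical extension: the cert is valid without it, so
        # derive the identifier instead of dereferencing null.
        return ski_from_public_key(der(*_tbs_fields(cert_der)[5]))
    # extnValue is OCTET STRING { OCTET STRING { keyIdentifier } }; parsing both
    # layers replaces Merlin's "length - 4", which assumes short-form lengths.
    [(_, outer)] = tlvs(encoded)
    [(_, key_id)] = tlvs(outer)
    return key_id


# Constructed samples: a toy RSA-shaped key (not a real key) inside unsigned
# v3 certificate shells with empty names, with and without an SKI extension.
TOY_KEY = der(0x30, der(0x02, bytes.fromhex("00c0ffee" + "42" * 28)) + der(0x02, b"\x01\x00\x01"))
SPKI = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00" + TOY_KEY))


def build_cert(spki_der, extensions):
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.5") + der(0x05, b""))
    name, validity = der(0x30, b""), der(0x30, der(0x17, b"050728000000Z") * 2)
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name + validity + name + spki_der
    if extensions:
        tbs += der(0xA3, der(0x30, b"".join(extensions)))
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, bytes(9)))   # junk signature


CERT_WITHOUT_SKI = build_cert(SPKI, [])
CERT_WITH_SKI = build_cert(SPKI, [der(0x30, der_oid(SKI_OID) + der(0x04, der(0x04, ski_from_public_key(SPKI))))])
```

Feed get_ski_bytes the DER of any certificate (what a Java X509Certificate.getEncoded() returns) to see both paths: a certificate carrying the extension yields the stored identifier, one without it yields the derived value, and for the same key the two agree, which is the property the fallback relies on.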
