ws-wss4j-dev mailing list archives

From "Dittmann, Werner (JIRA)" <>
Subject [jira] Commented: (WSS-200) Compliance with X.509 Certificate Token Profile
Date Thu, 18 Jun 2009 11:07:07 GMT


Dittmann, Werner commented on WSS-200:

Just checked this: this is the WSS4J handler key identifier code
"X509KeyIdentifier", the tool should use "SKIKeyIdentifier"

Or, if the tool uses it programmatically:
WSConstants.SKI_KEY_IDENTIFIER instead of WSConstants.X509_KEY_IDENTIFIER

The X509KeyIdentifier was defined in X509 profile of 
WS Security V1.0 (AFAIK not in 1.1 anymore) but this is
backward compatibility with 1.0.


> Compliance with X.509 Certificate Token Profile
> -----------------------------------------------
>                 Key: WSS-200
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.7
>         Environment: I have been running a Java-based tool on Windows that has wss4j-1.5.7.jar
> in its lib folder so I guess that WSS4J is used internally by the tool.
>            Reporter: Mattias Sjölén
>            Assignee: Ruchith Udayanga Fernando
> Chapter "3.2.1 Reference to an X.509 Subject Key Identifier" in the "Certificate Token
> Profile 1.1" specification states the following - "The <wsse:KeyIdentifier> element
> MUST have a ValueType attribute with the value #X509SubjectKeyIdentifier and its contents
> MUST be the value of the certificate's X.509v3 SubjectKeyIdentifier extension, encoded as
> per the <wsse:KeyIdentifier> element's EncodingType attribute."
> The tool I use signs an outgoing xml according to the specified policy and it will then
> contain the following tags:
> <wsse:SecurityTokenReference wsu:Id="STRId-14A576A8..." xmlns:wsu="">
>   <wsse:KeyIdentifier EncodingType=""
>     MIIEFzCCAv+gA...
>   </wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
> Notice that the ValueType for the KeyIdentifier is #X509v3 instead of #X509SubjectKeyIdentifier
> ValueType=""
> If I perform a Base64Decode on the value inside the tag it contains an X.509 Certificate
> and not a Subject Key Identifier

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
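
The check the reporter performed by hand (Base64-decode the KeyIdentifier and compare what is inside with its ValueType), as an added example that is not part of the original message or of WSS4J. The function names and sample payloads are constructed for illustration, the namespace URIs are taken from the OASIS WSS specifications rather than from this page, and Base64 encoding is assumed.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

# Namespace URIs from the OASIS WSS specifications (assumption: not shown on this page).
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"

def looks_like_der_certificate(raw):
    """Heuristic: an outer DER SEQUENCE spanning the whole buffer whose first
    child is also a SEQUENCE (the tbsCertificate). An SKI is a short opaque value."""
    if len(raw) < 4 or raw[0] != 0x30:
        return False
    if raw[1] < 0x80:                       # short-form length
        header, length = 2, raw[1]
    else:                                   # long-form length: next n bytes
        n = raw[1] & 0x7F
        if n == 0 or n > 4 or len(raw) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    return length > 0 and header + length == len(raw) and raw[header] == 0x30

def check_key_identifiers(xml_text):
    """Return (ValueType fragment, decoded length, verdict) per wsse:KeyIdentifier."""
    findings = []
    for ki in ET.fromstring(xml_text).iter("{%s}KeyIdentifier" % WSSE_NS):
        fragment = ki.get("ValueType", "").rpartition("#")[2]
        raw = base64.b64decode("".join((ki.text or "").split()))
        is_cert = looks_like_der_certificate(raw)
        if fragment == "X509SubjectKeyIdentifier" and not is_cert:
            verdict = "ski-reference"            # the form quoted from profile 1.1, 3.2.1
        elif fragment == "X509v3" and is_cert:
            verdict = "embedded-certificate"     # the form reported in WSS-200
        else:
            verdict = "valuetype-content-mismatch"
        findings.append((fragment, len(raw), verdict))
    return findings

def sample_reference(fragment, payload):
    """Build a constructed SecurityTokenReference for the checks below."""
    return ('<wsse:SecurityTokenReference xmlns:wsse="%s"><wsse:KeyIdentifier '
            'ValueType="%s#%s">%s</wsse:KeyIdentifier></wsse:SecurityTokenReference>'
            % (WSSE_NS, X509_NS, fragment, base64.b64encode(payload).decode()))

# Constructed payloads: DER-shaped filler (not a real certificate) and a 20-byte SKI-sized value.
CERT_SHAPED = b"\x30\x82\x01\x04" + b"\x30\x82\x01\x00" + bytes(256)
SKI_SHAPED = bytes(range(1, 21))

if __name__ == "__main__":
    for frag, data in (("X509v3", CERT_SHAPED), ("X509SubjectKeyIdentifier", SKI_SHAPED),
                       ("X509SubjectKeyIdentifier", CERT_SHAPED)):
        print(check_key_identifiers(sample_reference(frag, data)))
```

The DER test is a shape heuristic only; to confirm the decoded bytes are a real certificate, hand them to a full X.509 parser.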
