ws-wss4j-dev mailing list archives

From "Dittmann, Werner (NSN - DE/Munich)" <werner.dittm...@nsn.com>
Subject RE: [jira] Commented: (WSS-200) Compliance with X.509 Certificate Token Profile
Date Thu, 18 Jun 2009 13:39:04 GMT
The X509_KEY_IDENTIFIER was built into WSS4J to satisfy some
interop tests. If you look into the wss4j SVN repository there is
a "specs" directory that contains the interop documents.

The document *-interop2-draft*.pdf, chapter 4.4.2.2.3 defines 
this behaviour. The non-normative example (see line 565ff, page 18)
shows the XML coding for this.

Other examples in the interop docs show other ways to
identify a key. Please note that these interop docs refer to
version 1.0 of WS Security.

Also chapter 7.3 of the overall document allows various value 
types to define other key identifier types, to be defined in profiles.
As Colm stated, the X509 profile does not forbid this X509 use
and the guys who wrote the interop specs just used this freedom :-)

Regards,
Werner

> -----Original Message-----
> From: ext Colm O hEigeartaigh (JIRA) [mailto:jira@apache.org] 
> Sent: Thursday, June 18, 2009 2:49 PM
> To: wss4j-dev@ws.apache.org
> Subject: [jira] Commented: (WSS-200) Compliance with X.509 
> Certificate Token Profile
> 
> 
>     [ https://issues.apache.org/jira/browse/WSS-200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12721233#action_12721233 ] 
> 
> Colm O hEigeartaigh commented on WSS-200:
> -----------------------------------------
> 
> 
> It's not WSS4J's fault if other programs are calling the 
> wrong APIs...as Werner said, it must be using 
> X509_KEY_IDENTIFIER instead of SKI_KEY_IDENTIFIER. 
> 
> The X.509 1.0 profile doesn't mandate using SKI as a 
> KeyIdentifier, so it's perfectly acceptable to support the 
> X509_KEY_IDENTIFIER behaviour.
> 
> > Compliance with X.509 Certificate Token Profile
> > -----------------------------------------------
> >
> >                 Key: WSS-200
> >                 URL: https://issues.apache.org/jira/browse/WSS-200
> >             Project: WSS4J
> >          Issue Type: Bug
> >          Components: WSS4J Core
> >    Affects Versions: 1.5.7
> >         Environment: I have been running a Java based tool 
> on Windows that has wss4j-1.5.7.jar in its lib folder, so I 
> guess that WSS4J is used internally by the tool.
> >            Reporter: Mattias Sjölén
> >            Assignee: Ruchith Udayanga Fernando
> >
> > Chapter "3.2.1 Reference to an X.509 Subject Key 
> Identifier" in the "Certificate Token Profile 1.1" 
> specification states the following - "The 
> <wsse:KeyIdentifier> element MUST have a ValueType attribute 
> with the value #X509SubjectKeyIdentifier and its contents 
> MUST be the value of the certificate's X.509v3 
> SubjectKeyIdentifier extension, encoded as per the 
> <wsse:KeyIdentifier> element's EncodingType attribute."
> > The tool I use signs an outgoing xml according to the 
> specified policy and it will then contain the following tags:
> > <wsse:SecurityTokenReference wsu:Id="STRId-14A576A8..." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >   <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> >     MIIEFzCCAv+gA...
> >   </wsse:KeyIdentifier>
> > </wsse:SecurityTokenReference>
> > Notice that the ValueType for the KeyIdentifier is #X509v3 
> instead of #X509SubjectKeyIdentifier
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> > If I perform a Base64Decode on the value inside the tag it 
> contains an X.509 Certificate and not a Subject Key Identifier
> 
> -- 
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
> 
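Added example, not WSS4J code and not from anyone on this thread: a small Python checker that reads a wsse:SecurityTokenReference shaped like the one in the report, looks at the KeyIdentifier ValueType, and sanity-checks the base64 content against it. The ValueType, EncodingType and namespace URIs are the WSS 1.0 ones quoted in the report; the certificate stand-in bytes, the SKI stand-in bytes, the function names and the 64-byte size floor are constructed for this example and are not real key material or any WSS4J API.

```python
"""Classify a wsse:KeyIdentifier by its ValueType and check that the
base64 payload has the shape that ValueType promises.

Added example for this thread, not WSS4J code.  Sample references,
stand-in certificate bytes and stand-in SKI bytes are constructed.
"""
import base64
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509_PROFILE_10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
VT_X509V3 = X509_PROFILE_10 + "#X509v3"                 # what WSS4J's X509_KEY_IDENTIFIER emits
VT_SKI = X509_PROFILE_10 + "#X509SubjectKeyIdentifier"  # what WSS4J's SKI_KEY_IDENTIFIER emits
ENC_BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def looks_like_der_certificate(data: bytes) -> bool:
    """True if `data` is one DER SEQUENCE (tag 0x30) whose declared length
    covers the whole buffer and which is longer than a key identifier hash.
    Every DER X.509 certificate has this envelope; a raw SubjectKeyIdentifier
    value (commonly a 20-byte hash) is far shorter and not self-describing."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, body_len = 2, first
    else:                                 # long-form length: 0x8n + n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header = 2 + n
        body_len = int.from_bytes(data[2:header], "big")
    # 64 bytes is an assumed floor: no real certificate is that small.
    return header + body_len == len(data) and len(data) > 64


def classify_key_identifier(str_xml: str) -> dict:
    """Return the ValueType family, whether the payload matches it, and
    whether the reference is the SKI reference of profile section 3.2.1."""
    root = ET.fromstring(str_xml)
    ki = root.find(f"{{{WSSE_NS}}}KeyIdentifier")
    if ki is None:
        return {"value_type": None, "content_ok": False, "profile_3_2_1": False, "length": 0}
    value_type = ki.get("ValueType")
    encoding = ki.get("EncodingType", ENC_BASE64)   # Base64Binary is the spec default
    if encoding != ENC_BASE64:
        raise ValueError(f"unsupported EncodingType {encoding!r}")
    raw = base64.b64decode("".join((ki.text or "").split()))
    is_cert = looks_like_der_certificate(raw)
    if value_type == VT_X509V3:
        # Whole certificate inline: allowed by the 1.0 profile, but not the
        # SubjectKeyIdentifier reference the reporter's policy asked for.
        return {"value_type": "X509v3", "content_ok": is_cert,
                "profile_3_2_1": False, "length": len(raw)}
    if value_type == VT_SKI:
        # Payload must be the SKI extension value, never a certificate.
        content_ok = (not is_cert) and 0 < len(raw) <= 64
        return {"value_type": "SubjectKeyIdentifier", "content_ok": content_ok,
                "profile_3_2_1": content_ok, "length": len(raw)}
    return {"value_type": value_type, "content_ok": False,
            "profile_3_2_1": False, "length": len(raw)}


def build_str(value_type: str, raw: bytes) -> str:
    """Constructed SecurityTokenReference in the shape the reporter posted."""
    b64 = base64.b64encode(raw).decode("ascii")
    return (f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE_NS}" '
            f'xmlns:wsu="{WSU_NS}" wsu:Id="STRId-example">'
            f'<wsse:KeyIdentifier EncodingType="{ENC_BASE64}" '
            f'ValueType="{value_type}">{b64}</wsse:KeyIdentifier>'
            f'</wsse:SecurityTokenReference>')


# Constructed stand-ins, not real key material: a 260-byte DER SEQUENCE with a
# long-form length (certificate-shaped envelope) and a 20-byte identifier.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_SKI = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")

REPORTED_STR = build_str(VT_X509V3, FAKE_CERT_DER)   # the reporter's case
COMPLIANT_STR = build_str(VT_SKI, FAKE_SKI)           # the section 3.2.1 reference
MISLABELLED_STR = build_str(VT_SKI, FAKE_CERT_DER)    # SKI label, certificate payload

if __name__ == "__main__":
    for name, s in (("reported", REPORTED_STR), ("compliant", COMPLIANT_STR),
                    ("mislabelled", MISLABELLED_STR)):
        print(name, classify_key_identifier(s))
```

Run stand-alone it prints the three classifications. The reporter's reference comes back as well-formed for #X509v3 but not the 3.2.1 SKI reference, which is the X509_KEY_IDENTIFIER versus SKI_KEY_IDENTIFIER choice Colm and Werner point at; the third case catches a reference whose label and payload disagree, which a receiver should reject rather than guess at.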
