You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by Werner Dittmann <We...@t-online.de> on 2004/05/08 13:07:17 UTC
Re: Absense of KeyInfo causes NullPointerException]
Rami, all
the specification recommends the use of keyInfo to wrap the
the wsse:SecurityTokenReference. Pls refer to chapter 7.1.
However, I'll check the code to avoid the NPE. Nevertheless,
my idea here is to throw an exception if we don't find a
keyInfo element, because it is recommended to use it.
Any thoughts?
Regards,
Werner
----- Original Message -----
From: Rami Jaamour
To: ws-fx-Dev
Sent: Friday, May 07, 2004 6:03 PM
Subject: [Fwd: Absense of KeyInfo causes NullPointerException]
Hello,
Any comments on the issue below?
Thank you,
--
Rami Jaamour
Software Engineer
SOAPtest Development
Parasoft Corporation
We Make Software Work
-------- Original Message -------- Subject: Absense of KeyInfo causes NullPointerException
Date: Tue, 04 May 2004 14:53:03 -0700
From: rjaamour@parasoft.com (Rami Jaamour)
To: Apache ws-fx Dev <fx...@ws.apache.org>
OASIS WSS soap message security v1.0 reads, section 7.5, line 809 reads:
<<
7.5 ds:KeyInfo
The <ds:KeyInfo> element (from XML Signature) can be used for carrying the key information 810 and is allowed for different key types and for future extensibility.
...
>>
This implies to me that the KeyInfo Element is optional for XML signature verification, is it? I couldn't confirm this so far. However, when attempting to verify a signed message without KeyInfo, WSS4J throws a NullPointerException from WSSecurityEngine.verifyXMLSignature() near line 457 because "info" is returned null at
KeyInfo info = sig.getKeyInfo();
Should WSS4J be able to verify a signature even when there is no KeyInfo element as long as the certificate information is available to it in the properties?
Thanks,
--
Rami Jaamour
Software Engineer
SOAPtest Development
Parasoft Corporation
We Make Software Work
Re: Absense of KeyInfo causes NullPointerException]
Posted by Rami Jaamour <rj...@parasoft.com>.
So in general we would throw an Exception on the absence of a
"RECOMMENDED" (not a "MUST") element? My interpretation of these terms
was that implementations should be able to process the message with the
absence of the recommended element as long as it is possible (the rfc
also requires good reasons for it). In this case, if the certificate is
described in the properties file then WSS4J does have enough data to be
able to consume the signature, right? I think other implementations can
consume messages without KeyInfo.
Rami Jaamour
Software Engineer
SOAPtest <http://www.parasoft.com/jsp/products/home.jsp?product=SOAP>
Development
Parasoft Corporation <http://www.parasoft.com>
/
We Make Software Work/
Werner Dittmann wrote:
> Rami, all
>
> the specification recommends the use of keyInfo to wrap the
> the wsse:SecurityTokenReference. Pls refer to chapter 7.1.
> However, I'll check the code to avoid the NPE. Nevertheless,
> my idea here is to throw an exception if we don't find a
> keyInfo element, because it is recommended to use it.
>
> Any thoughts?
>
> Regards,
> Werner
>
> ----- Original Message -----
> *From:* Rami Jaamour <ma...@parasoft.com>
> *To:* ws-fx-Dev <ma...@ws.apache.org>
> *Sent:* Friday, May 07, 2004 6:03 PM
> *Subject:* [Fwd: Absense of KeyInfo causes NullPointerException]
>
> Hello,
> Any comments on the issue below?
>
> Thank you,
> --
> Rami Jaamour
> Software Engineer
> SOAPtest
> <http://www.parasoft.com/jsp/products/home.jsp?product=SOAP>
> Development
> Parasoft Corporation <http://www.parasoft.com>
> /
> We Make Software Work/
>
>
> -------- Original Message --------
> Subject: Absense of KeyInfo causes NullPointerException
> Date: Tue, 04 May 2004 14:53:03 -0700
> From: rjaamour@parasoft.com (Rami Jaamour)
> To: Apache ws-fx Dev <fx...@ws.apache.org>
>
>
>
> OASIS WSS soap message security v1.0 reads, section 7.5, line 809
> reads:
>
> <<
> 7.5 ds:KeyInfo
> The <ds:KeyInfo> element (from XML Signature) can be used for
> carrying the key information 810 and is allowed for different key
> types and for future extensibility.
> ...
> >>
>
> This implies to me that the KeyInfo Element is optional for XML
> signature verification, is it? I couldn't confirm this so far.
> However, when attempting to verify a signed message without
> KeyInfo, WSS4J throws a NullPointerException from
> WSSecurityEngine.verifyXMLSignature() near line 457 because "info"
> is returned null at
> KeyInfo info = sig.getKeyInfo();
>
> Should WSS4J be able to verify a signature even when there is no
> KeyInfo element as long as the certificate information is
> available to it in the properties?
>
> Thanks,
> --
> Rami Jaamour
> Software Engineer
> SOAPtest
> <http://www.parasoft.com/jsp/products/home.jsp?product=SOAP>
> Development
> Parasoft Corporation <http://www.parasoft.com>
> /
> We Make Software Work/
>
>