Posted to fx-dev@ws.apache.org by Werner Dittmann <We...@t-online.de> on 2004/05/08 13:07:17 UTC

Re: Absence of KeyInfo causes NullPointerException

Rami, all

the specification recommends the use of keyInfo to wrap the
wsse:SecurityTokenReference. Pls refer to chapter 7.1.
However, I'll check the code to avoid the NPE. Nevertheless,
my idea here is to throw an exception if we don't find a
keyInfo element, because it is recommended to use it.

Any thoughts?

Regards,
Werner
  ----- Original Message ----- 
  From: Rami Jaamour 
  To: ws-fx-Dev 
  Sent: Friday, May 07, 2004 6:03 PM
  Subject: [Fwd: Absence of KeyInfo causes NullPointerException]


  Hello,
  Any comments on the issue below?

  Thank you,
  -- 

  Rami Jaamour
  Software Engineer
  SOAPtest Development
  Parasoft Corporation

  We Make Software Work


  -------- Original Message --------
        Subject:  Absence of KeyInfo causes NullPointerException
        Date:  Tue, 04 May 2004 14:53:03 -0700
        From:  rjaamour@parasoft.com (Rami Jaamour)
        To:  Apache ws-fx Dev <fx...@ws.apache.org>


  OASIS WSS SOAP Message Security v1.0, section 7.5, line 809 reads:

  <<
  7.5 ds:KeyInfo
  The <ds:KeyInfo> element (from XML Signature) can be used for carrying the key information and is allowed for different key types and for future extensibility.
  ...
  >>

  This implies to me that the KeyInfo Element is optional for XML signature verification, is it? I couldn't confirm this so far. However, when attempting to verify a signed message without KeyInfo, WSS4J throws a NullPointerException from WSSecurityEngine.verifyXMLSignature() near line 457 because "info" is returned null at
  KeyInfo info = sig.getKeyInfo();

  Should WSS4J be able to verify a signature even when there is no KeyInfo element as long as the certificate information is available to it in the properties?

  Thanks,

  -- 
  Rami Jaamour
  Software Engineer
  SOAPtest Development
  Parasoft Corporation

  We Make Software Work






Re: Absence of KeyInfo causes NullPointerException

Posted by Rami Jaamour <rj...@parasoft.com>.
So in general we would throw an Exception on the absence of a 
"RECOMMENDED" (not a "MUST") element?  My interpretation of these terms 
was that implementations should be able to process the message with the 
absence of the recommended element as long as it is possible (the RFC 
also requires good reasons for it). In this case, if the certificate is 
described in the properties file then WSS4J does have enough data to be 
able to consume the signature, right? I think other implementations can 
consume messages without KeyInfo.

Rami Jaamour
Software Engineer
SOAPtest <http://www.parasoft.com/jsp/products/home.jsp?product=SOAP> Development
Parasoft Corporation <http://www.parasoft.com>
/We Make Software Work/


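The case discussed in this thread, a signature that carries no ds:KeyInfo and a verifier that already holds the signer's key locally, shown as an added example that is not part of the original messages and is not WSS4J code. It uses the JDK's `javax.xml.crypto.dsig` API rather than WSS4J's classes; the class `NoKeyInfoVerify` and the helpers `fromConfig` and `verify` are hypothetical names, and the key pair and message are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class NoKeyInfoVerify {
    // Hypothetical selector: the key comes from local configuration; ki may be null and is never dereferenced.
    static KeySelector fromConfig(final PublicKey configured) {
        return new KeySelector() {
            @Override public KeySelectorResult select(KeyInfo ki, Purpose purpose,
                    AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
                if (configured == null) throw new KeySelectorException(
                    ki == null ? "no ds:KeyInfo and no configured key" : "no configured key");
                return () -> configured;   // KeySelectorResult.getKey()
            }
        };
    }
    static boolean verify(Document doc, PublicKey configured) throws Exception {
        Node sigNode = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext vc = new DOMValidateContext(fromConfig(configured), sigNode);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc).validate(vc);
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(   // constructed sample message
            new ByteArrayInputStream("<msg>constructed sample</msg>".getBytes("UTF-8")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(Transform.ENVELOPED,
                (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(f.newCanonicalizationMethod(
                CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyPair kp = kpg.generateKeyPair();              // throwaway demo key
        f.newXMLSignature(si, null)                      // null KeyInfo: no ds:KeyInfo is emitted
            .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        System.out.println("configured key: valid=" + verify(doc, kp.getPublic()));
        try { verify(doc, null); }                       // no key anywhere: typed failure, not an NPE
        catch (XMLSignatureException e) { System.out.println("rejected: " + e.getCause().getMessage()); }
    }
}
```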