Posted to fx-dev@ws.apache.org by Davanum Srinivas <da...@gmail.com> on 2005/07/28 20:11:20 UTC

Re: [WSS4J] NullPointerException in Merlin / .NET Interop issues

xml-security has some code for calculating the SKI if it is absent.

-- dims

On 7/28/05, Granqvist, Hans <hg...@verisign.com> wrote:
> Hi Thilo,
> 
> I think this issue has been discussed on this list before.
> (Do you have access to the archives?)
> 
> To summarize:
> A cert without the OID SKI is still a valid cert since it
> is not a critical extension. The SKI is a derived value and
> there are two known ways of calculating SKI: the right way,
> and some funky way that appeared in some WSE revision.
> 
> In another project, we had to deal with certs lacking a SKI,
> and we solved it by calculating the SKI ourselves.
> 
> Hans
> 
> > -----Original Message-----
> > From: Thilo Frotscher [mailto:thilo.frotscher@web.de]
> > Sent: Thursday, July 28, 2005 9:04 AM
> > To: fx-dev@ws.apache.org
> > Subject: [WSS4J] NullPointerException in Merlin / .NET Interop issues
> >
> >
> >
> >
> > Hi all,
> >
> > we have an interoperability issue between WSS4J and WSE. And
> > we believe to have found a bug in WSS4J. Please have a look
> > at it and give some advice.
> >
> > Scenario: We want to send an encrypted and signed message
> > from WSE to WSS4J. I created a key pair with keytool on Java
> > SE 5.0 and exported a certificate from my keystore (JCEKS).
> > This certificate was successfully imported on the .NET side.
> > The SOAP message that WSE sends to WSS4J looks ok.
> >
> > However, WSE uses a <SecurityTokenReference> with a
> > <KeyIdentifier> element. When this <SecurityTokenReference>
> > is processed by WSS4J a NullPointerException is thrown in
> > Class Merlin, method getSKIBytesFromCert(X509Certificate cert)
> >
> > Reason for the exception: look at this code from
> > getSKIBytesFromCert...
> >
> > byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> > if (cert.getVersion() < 3) {...}
> > byte abyte0[] = new byte[derEncodedValue.length - 4];
> >
> > The return value of cert.getExtensionValue(SKI_OID) is null
> > in our case. Thus, the third line fails. As stated in Sun's
> > API documentation, null return values can happen.
> >
> > http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> >
> > 1) This should be enhanced so that NullPointerExceptions can't happen anymore.
> > 2) What does it mean that null is returned? Does this mean that the certificate doesn't have an extension?
> > 3) Would it be still a valid certificate or is it invalid without the extension?
> > 4) How can we resolve this issue? Do the certificates created by keytool/Java5.0 have interop issues?
> > 5) (maybe off-topic): does anybody know how .NET can be configured to send a <SecurityTokenReference> with <X509IssuerSerial> instead of <KeyIdentifier>?
> >
> > Thank you very much,
> > Thilo
> 


-- 
Davanum Srinivas -http://blogs.cocoondev.org/dims/

Re: [WSS4J] NullPointerException in Merlin / .NET Interop issues

Posted by Thilo Frotscher <th...@web.de>.
Hello,

thank you very much for your answers. I have access
to the archive and found an early discussion. I now
understand that my certificate probably doesn't
contain an SKI and that it can be calculated at
runtime. .NET seems to do just that.

However, I don't understand how that could help with
our issue...

Use case: The certificate was created with keytool, then
exported from the Java keystore and imported into .NET.
Then .NET sends a message to WSS4J using an encrypted key
that was encrypted using this cert. WSS4J fails because
there is no SKI.

- How does it help if I can calculate the SKI myself?
   Where and when in this use case should I do that?
   Do you mean I should include the corresponding code
   into WSS4J? If yes, shouldn't that be done for
   everybody, as an official patch?

- Can't keytool create certs that contain an SKI?
   If not: *how* can I create a certificate that contains
   SKIs???

- Is there a tool that shows me if a certificate contains
   an SKI?

Any help is very much appreciated!
Thilo






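An added example, written for this page and not code from WSS4J, xml-security or any of the posters, that addresses the last two questions above in Java: it reads the SubjectKeyIdentifier extension (OID 2.5.29.14) the way Merlin's getSKIBytesFromCert does, but returns null instead of dereferencing it when the extension is absent, and it derives the SKI from the certificate itself as RFC 3280 section 4.2.1.2 method (1) describes, SHA-1 over the subjectPublicKey BIT STRING contents. The class name SkiTool, the helper names, the command-line argument and the small DER walker are this example's own choices; it assumes a current JDK (try-with-resources needs Java 7 or later) and a DER or PEM certificate file such as the one keytool -export writes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example (not WSS4J or xml-security code). Reports whether a
 * certificate carries a SubjectKeyIdentifier extension and, independently,
 * derives an SKI from the public key as RFC 3280 4.2.1.2 method (1) does:
 * SHA-1 over the subjectPublicKey BIT STRING (tag, length and the
 * unused-bits octet excluded).
 */
public class SkiTool {

    static final String SKI_OID = "2.5.29.14";

    /** SKI carried in the extension, or null when there is none (legal: SKI is non-critical). */
    static byte[] skiFromExtension(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(SKI_OID);
        if (ext == null) {
            return null;   // the case in which Merlin's "derEncodedValue.length - 4" throws
        }
        // getExtensionValue returns the DER OCTET STRING wrapping extnValue; for SKI the
        // extnValue is itself an OCTET STRING holding the KeyIdentifier. Merlin strips
        // both headers with "length - 4", which is right only for short-form lengths
        // (e.g. a 20-byte SHA-1 id); parsing the lengths handles any size.
        byte[] extnValue = derContents(ext, 0, 0x04);
        return derContents(extnValue, 0, 0x04);
    }

    /** SKI derived from the key (RFC 3280 method 1), independent of any extension. */
    static byte[] skiFromPublicKey(X509Certificate cert) throws Exception {
        // PublicKey.getEncoded() is the DER SubjectPublicKeyInfo:
        // SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] seq = derContents(spki, 0, 0x30);
        int algEnd = derEnd(seq, 0);                  // skip the AlgorithmIdentifier
        byte[] bits = derContents(seq, algEnd, 0x03); // BIT STRING contents
        byte[] keyBits = Arrays.copyOfRange(bits, 1, bits.length); // drop unused-bits octet
        return MessageDigest.getInstance("SHA-1").digest(keyBits);
    }

    /** Offset just past the definite-length DER TLV that starts at off. */
    static int derEnd(byte[] buf, int off) {
        int[] hdr = derHeader(buf, off);
        return hdr[0] + hdr[1];
    }

    /** Contents of the TLV at off, after checking its tag. */
    static byte[] derContents(byte[] buf, int off, int expectedTag) {
        if ((buf[off] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("expected DER tag 0x"
                    + Integer.toHexString(expectedTag) + " at offset " + off);
        }
        int[] hdr = derHeader(buf, off);
        return Arrays.copyOfRange(buf, hdr[0], hdr[0] + hdr[1]);
    }

    /** {contentStart, contentLength} of the TLV at off (short and long definite lengths). */
    static int[] derHeader(byte[] buf, int off) {
        int pos = off + 1;                 // past the tag octet
        int len = buf[pos++] & 0xFF;
        if (len >= 0x80) {                 // long form: low 7 bits give the count of length octets
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (buf[pos++] & 0xFF);
            }
        }
        return new int[] { pos, len };
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x & 0xFF));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // usage: java SkiTool cert.cer   (DER or PEM; e.g. the output of keytool -export)
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        byte[] fromExt = skiFromExtension(cert);
        byte[] derived = skiFromPublicKey(cert);
        System.out.println("certificate version: v" + cert.getVersion());
        System.out.println("SKI extension:       " + (fromExt == null ? "absent" : hex(fromExt)));
        System.out.println("SHA-1 of key bits:   " + hex(derived));
        if (fromExt != null && !Arrays.equals(fromExt, derived)) {
            System.out.println("note: embedded SKI was not computed with RFC 3280 method (1)");
        }
    }
}
```

Run it as `java SkiTool mycert.cer`. A v1 certificate cannot carry extensions at all, so for it the extension branch is always null and only the derived value is meaningful. When an extension is present but differs from the SHA-1 of the key bits, the issuer computed the identifier some other way; a receiver that only ever derives the RFC value would then never match the KeyIdentifier the sender put in the message, which is the interop trap behind Hans's remark about two ways of calculating the SKI.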