Posted to fx-dev@ws.apache.org by Yevgeny Rouban <yr...@gmail.com> on 2006/04/21 08:21:08 UTC

Re: X509Data in Encryption KeyInfo

Hello.

I encountered the same issue with different wrapping of the
IssuerSerial and found this thread. But from this discussion it's not
quite clear why WSS4J (version 1.1) generates the following XML,
omitting the X509Data element around the X509IssuerSerial element:

<ds:KeyInfo ...>
  <wsse:SecurityTokenReference ...>
    <ds:X509IssuerSerial ...>
      <ds:X509IssuerName ...> ...</ds:X509IssuerName>
      <ds:X509SerialNumber ...>...</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>

The oasis-200401-wss-x509-token-profile-1.0.pdf (Section 3.2 Token
References) reads:
"Reference to an Issuer and Serial Number
The <wsse:SecurityTokenReference> element contains a <ds:X509Data>
element that contains a <ds:X509IssuerSerial> element that uniquely
identifies an end entity
certificate by its X.509 Issuer and Serial Number."

The only place in the spec where the X509Data element is omitted is
the example in the Section 3.4 Encryption. I believe that is a typo.
And this is corrected in the oasis-wss-x509-token-profile-1.1.pdf.

I expect the following structure:
<ds:KeyInfo ...>
  <wsse:SecurityTokenReference ...>
    <ds:X509Data>
      <ds:X509IssuerSerial ...>
        <ds:X509IssuerName ...> ...</ds:X509IssuerName>
        <ds:X509SerialNumber ...>...</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>

I believe that this is a bug of WSS4J 1.1 and a bug of those
implementations that WSS4J is interoperable with. If I am wrong, could
you please explain why? Are there any clarifications on this?

I would suggest fixing WSS4J 1.1 so that it can accept both variants
(with and without the X509Data element). Otherwise, other
implementations would have to generate incorrect XML in order to be
interoperable with WSS4J 1.1.

--
Yevgeny Rouban
INTEL Middleware Product Division

>-----Original Message-----
>Subject: X509Data in Encryption KeyInfo
>
>Alex,
>
>I've just checked the head of the SVN and this is supported. The
>head of SVN has some WSS spec 1.1 features and we cleaned up this
>ambiguity as well. We did not change WSS4J 1.1 because the interops
>we did with this version were successful.
>
>The current version (SVN head) accepts both variants at the receiver
>side.
>
>Regards,
>Werner
>
>> -----Original Message-----
>> From: Alex Horwitz [mailto:AHorwitz@midwestiso.org]
>> Sent: Monday, 23 January 2006 15:34
>> To: Dittmann, Werner; wss4j-dev@ws.apache.org
>> Subject: RE: X509Data in Encryption KeyInfo
>>
>> Thanks for the quick reply Werner.
>>
>> My point of reference was the x509 token profile 1.0 section
>> 3.2.3, which prefers the x509 issuer/serial reference be
>> wrapped in an <X509Data> element.  I do see, however, that
>> they disregard this guidance in 3.4 Encryption, and wss4j is
>> consistent with this example. I do see that in the 1.1 spec
>> http://www.oasis-open.org/committees/download.php/15253/oasis-
>> wss-x509-token-profile-1.1.pdf it appears they've cleaned this up.
>>
>> Unfortunately, WebLogic 9.0 does generate and expect the
>> <X509Data> element, and because of the ambiguity in the spec,
>> I can't exactly open an SR against them for this.
>>
>> Ah well.
>>
>> -Alex
>>
>>
>> -----Original Message-----
>> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
>> Sent: Monday, January 23, 2006 8:55 AM
>> To: Alex Horwitz; wss4j-dev@ws.apache.org
>> Subject: RE: X509Data in Encryption KeyInfo
>>
>>
>> Alex,
>>
>> the X509Data element is a container that can hold several data
>> types. Currently WSS4J supports the IssuerSerial data inside
>> a X509Data - other data elements / types are not defined by
>> the WS Security specifications (V1.0 specs).
>>
>> Regards,
>> Werner
>>
>>
>> > -----Original Message-----
>> > From: Alex Horwitz [mailto:AHorwitz@midwestiso.org]
>> > Sent: Monday, 23 January 2006 14:44
>> > To: wss4j-dev@ws.apache.org
>> > Subject: X509Data in Encryption KeyInfo
>> >
>> > Hello All!
>> >
>> > This issue has come up before:
>> >
>> > http://mail-archives.apache.org/mod_mbox/ws-fx-dev/200409.mbox/%3c79D5F4B2D775204D9C7852EE41C5477303E9D459@mchh2a1e.mchh.siemens.de%3e
>> >
>> > but, essentially, I'm testing interoperability between
>> > WebLogic 9.0 and Axis1.2.1/WSS4J1.1, and my only roadblock is
>> > the inability of WSS4J to consume/generate the X509Data
>> > element in the EncryptedKey/KeyInfo/SecurityTokenReference/ .
>> > Has anyone else encountered this problem? Or, more
>> > modestly, is this a problem in my interpretation, or did I
>> > ignorantly miss a more recent follow-up that clarifies this issue?
>> >
>> > Thanks very much for your help.
>> >
>> > -Alex
>> >
>
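The receiver-side fix proposed in this thread (accept the X509IssuerSerial reference both with and without the ds:X509Data wrapper), together with an outbound normalisation that emits the profile-1.1 form for strict peers, as an added example in Python. This is illustration code, not WSS4J's own implementation; the ds and wsse namespace URIs are the standard ones, and the KeyInfo fragments used as input are constructed for the example. The lookup is deliberately restricted to the two documented positions and refuses ambiguous references rather than picking one.

```python
"""Tolerant lookup of an X509IssuerSerial token reference.

Added example (not WSS4J code). Handles both layouts seen in this thread:
  STR/X509IssuerSerial            - WSS4J 1.1 / profile 1.0 sect. 3.4 example
  STR/X509Data/X509IssuerSerial   - profile 1.0 sect. 3.2 text, profile 1.1
The sample KeyInfo fragments below are constructed for the example.
"""
from typing import Optional, Tuple
# Note: xml.etree is not hardened against entity expansion; for untrusted
# SOAP input a hardened parser (e.g. defusedxml) is the assumed choice.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Keep the familiar prefixes when serialising instead of ns0/ns1.
ET.register_namespace("ds", DS)
ET.register_namespace("wsse", WSSE)


def find_issuer_serial(keyinfo_xml: str) -> Optional[Tuple[str, int]]:
    """Return (issuer_name, serial_number) from a ds:KeyInfo fragment.

    Returns None when no reference, a malformed reference, or more than one
    candidate is present: a receiver should never resolve a decryption key
    from a reference it cannot identify unambiguously.
    """
    root = ET.fromstring(keyinfo_xml)
    str_el = root.find(f"{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        return None
    # Look only one level down (bare form) and inside a direct X509Data
    # child (wrapped form). A deep './/' search is avoided on purpose: it
    # would also accept references buried in unrelated sub-elements.
    candidates = str_el.findall(f"{{{DS}}}X509IssuerSerial")
    candidates += str_el.findall(f"{{{DS}}}X509Data/{{{DS}}}X509IssuerSerial")
    if len(candidates) != 1:
        return None
    iss = candidates[0]
    name = iss.findtext(f"{{{DS}}}X509IssuerName")
    serial = iss.findtext(f"{{{DS}}}X509SerialNumber")
    if name is None or serial is None:
        return None
    name = name.strip()
    try:
        serial_int = int(serial.strip())  # X509SerialNumber is an xs:integer
    except ValueError:
        return None
    return (name, serial_int) if name else None


def wrap_in_x509data(keyinfo_xml: str) -> str:
    """Rewrite a bare STR/X509IssuerSerial into STR/X509Data/X509IssuerSerial.

    Useful on the sending side when the peer insists on the wrapped form
    (the thread mentions WebLogic 9.0 expecting X509Data).
    """
    root = ET.fromstring(keyinfo_xml)
    str_el = root.find(f"{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        return keyinfo_xml
    for iss in list(str_el.findall(f"{{{DS}}}X509IssuerSerial")):
        position = list(str_el).index(iss)
        str_el.remove(iss)
        data = ET.Element(f"{{{DS}}}X509Data")
        data.append(iss)
        str_el.insert(position, data)
    return ET.tostring(root, encoding="unicode")


# Constructed sample fragments (not taken from any real message).
BARE = f"""<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}">
  <wsse:SecurityTokenReference>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example Issuer,O=Example</ds:X509IssuerName>
      <ds:X509SerialNumber>123456</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

WRAPPED = f"""<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}">
  <wsse:SecurityTokenReference>
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=Example Issuer,O=Example</ds:X509IssuerName>
        <ds:X509SerialNumber>123456</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

# Both forms at once: ambiguous, so the lookup must refuse it.
AMBIGUOUS = f"""<ds:KeyInfo xmlns:ds="{DS}" xmlns:wsse="{WSSE}">
  <wsse:SecurityTokenReference>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=A</ds:X509IssuerName>
      <ds:X509SerialNumber>1</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=B</ds:X509IssuerName>
        <ds:X509SerialNumber>2</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

if __name__ == "__main__":
    print(find_issuer_serial(BARE))
    print(find_issuer_serial(WRAPPED))
    print(find_issuer_serial(AMBIGUOUS))
    print(find_issuer_serial(wrap_in_x509data(BARE)))
```

Both sample fragments resolve to the same issuer/serial pair, the ambiguous fragment resolves to nothing, and the output of `wrap_in_x509data` round-trips through the tolerant lookup, which is the property a receiver that accepts both variants needs.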
