Posted to users@cxf.apache.org by Mayank Mishra <ma...@pramati.com> on 2008/02/26 11:44:02 UTC

Usage of X509 certificates in WSS4J

G'day all,

I am using WSS4J 1.5.1. I created X509 public keys and certificates with 
the Sun Microsystems keytool utility. AFAIK, it created X509v1 certificates. 
Please let me know if it creates v3 certificates, which in my opinion 
it doesn't.
Looking at the on-the-wire message sent from client to server or vice 
versa, I observe in the Token Reference that the value of the "ValueType" 
attribute in the "KeyIdentifier" element is

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were 
included in the spec; in X.509 Certificate Token Profile 1.0, only X509v3 
certificates were there to be used.

Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please 
clarify if I am wrong.

Since X509v3 certs have some more extension elements over X509v1, it 
should give some error when passing X509v1 for crypto creation. Or it 
silently uses X509v1, but then the ValueType should be "#X509v1" instead 
of "#X509v3".

There is a bit of confusion. Kindly clarify.

With Regards,
Mayank

Re: Usage of X509 certificates in WSS4J

Posted by Mayank Mishra <ma...@pramati.com>.
Thanks Arundel,

I never knew about the WSS4J mailing list. I will start a thread in regard 
to this on the WSS4J mailing list.

With Regards,
Mayank

Arundel, Donal wrote:
> Okay, sounds like the certs were as we suspected then :-)
>
> If you were proposing a WSS4J enhancement request for x509TokenProfile
> 1.1 then perhaps it might be worth throwing a query to the WSS4J mail
> list?
> Obviously for this sort of extension we shouldn't add the logic into CXF
> itself.
>
> [...]


RE: Usage of X509 certificates in WSS4J

Posted by "Arundel, Donal" <do...@iona.com>.
Okay, sounds like the certs were as we suspected then :-)

If you were proposing a WSS4J enhancement request for x509TokenProfile
1.1 then perhaps it might be worth throwing a query to the WSS4J mail
list?
Obviously for this sort of extension we shouldn't add the logic into CXF
itself.

Cheers,
    Donal


-----Original Message-----
From: Mayank Mishra [mailto:mayank@pramati.com] 
Sent: 28 February 2008 05:16
To: cxf-user@incubator.apache.org
Subject: Re: Usage of X509 certificates in WSS4J

Mayank Mishra wrote:
> [...]
> 3. Checked the version using openssl command x509 -in MYCERT.pem 
> -inform PEM -text
>
> I saw following information along with Validity, Subject, Subject 
> Public Key Info and Certificate:
> Certificate:
>    Data:
>        Version: 1 (0x0)
>        Serial Number: 1173183211 (0x45ed5aeb)
>        Signature Algorithm: md5WithRSAEncryption
>
> I guess I can confirm seeing above that the certificates I am using 
> are of version v1. Also, no extension information was there.
>
> Hence, in this case the certificates I am passing to WSS4J are x509v1,
> and the expected valueType must be #x509v1.
> [...]
> We can change the above and can support Token Profile 1.1.
>
or at least we can check certificate version and can put right value as 
"#x509v1" of 'ValueType' attribute in Key Identifier reference.

With Regards,
Mayank

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

Re: Usage of X509 certificates in WSS4J

Posted by Mayank Mishra <ma...@pramati.com>.
Mayank Mishra wrote:
> [...]
> I guess I can confirm seeing above that the certificates I am using 
> are of version v1. Also, no extension information was there.
>
> Hence, in this case the certificates I am passing to WSS4J are x509v1, 
> and the expected valueType must be #x509v1.
> [...]
> We can change the above and can support Token Profile 1.1.
>
or at least we can check certificate version and can put right value as 
"#x509v1" of 'ValueType' attribute in Key Identifier reference.

With Regards,
Mayank

>
>> I could probably mail you a statically built version for one of the most
>> popular Unix platforms if that's any use to you, and save you the hassle
>> of building it..
>>
>>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, 
>>> ST=mystate, C=mycountry, EMAILADDRESS=me@mycompany.com
>>>
>>> I guess, EMAILADDRESS, etc. comes as v3 certificate extensions.
>>>
>>> Is there any way through which I can verify whether my certificate is
>>> a v3 certificate having no extension or a v1 certificate?
>>
>> Cheers,
>>    Donal
>>
>> -----Original Message-----
>> From: Mayank Mishra [mailto:mayank@pramati.com] Sent: 26 February 
>> 2008 14:10
>> To: cxf-user@incubator.apache.org
>> Subject: Re: Usage of X509 certificates in WSS4J
>>
>> Arundel, Donal wrote:
>>> Unless x.509v3 Certificates are present in your created certificate
>>> there is no requirement that the certificate version number is 3.
>>>
>>> If either the X.509 issuerUniqueID or subjectUniqueID fields are
>>> present the certificate must be at least version 2.
>>> However there is nothing actually stopping somebody creating a
>>> certificate with no x.509v3 extensions, and also no issuerUniqueID or
>>> subjectUniqueID, ..and having a version of 3. A version of 1 would
>>> strictly be more correct though.
>> Yes, I agree with you.
>>> I don't know offhand if Keytool gives you explicit control over the
>>> version number or whether it just calculates the version from the
>>> logical certificate request data when creating the certificate.
>> I generated public key certificates and private keys from keytool 
>> only. According to [1], it generates v1 certificates and can 
>> import/export v1, v2, and v3 certificates.
>> But I am suspecting it because while printing out the 
>> certificate, I get the following along with SerialNumber and Certificate 
>> fingerprints.
>>
>> Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
>> C=mycountry, EMAILADDRESS=me@mycompany.com
>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
>> C=mycountry, EMAILADDRESS=me@mycompany.com
>>
>> I guess, EMAILADDRESS, etc. comes as v3 certificate extensions.
>>
>> Is there any way through which I can verify whether my certificate is a v3
>> certificate having no extension or a v1 certificate?
>>> Generally all CA certificates must have extensions indicating that
>>> they are CAs, so they should have a version number of 3.
>>> Application certs on the other hand may vary depending on their
>>> content and anticipated usage.
>>>
>>> Cheers,
>>>     Donal
>>
>> With Regards,
>> Mayank
>>
>> [1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html


Re: Usage of X509 certificates in WSS4J

Posted by Mayank Mishra <ma...@pramati.com>.
Arundel, Donal wrote:
> Sure, assuming you mean from the command line then download the
> excellent openssl utility from www.openssl.org.
>
> Then execute:
>
> "openssl x509 -in MyCertfile.pem -inform PEM -text"
>
> This will give a nice printout of the cert details, including a listing
> of the x.509v3 extensions present.
> The above command line assumes the cert is in PEM format (base 64
> encoded),
> DER format is also supported (The Java language specific jks file format
> is not supported by openssl).
>
> (Aside: if you wanted to query certs programmatically then you could use
> the JDK's X.509 interface, which gives you access to the extensions and
> also to the version number of the certificate)
>   

I debugged the MerlinCrypto instance created by WSS4J and checked the 
version number in the sun.security.x509.X509CertInfo instance. It has 
Version: v1 as the CertificateVersion value.
> The Email address data you refer to below appears to be just part of the
> distinguished name of both the Issuer and Subject.
> This by itself is not evidence of an x.509v3 extension being present.
>
> There is at least one defined X.509v3 extension that can be used for
> e-mail addresses (e.g. the emailAddress extension), but from the extract
> you have posted it's not clear if this is specified in your cert.
> I suspect it's unlikely based on what you have said so far.
>
> Anyway openssl will make this clear.
>
> If you are on Windows you could just download the pre built binaries
> executable from 
> http://www.openssl.org/related/binaries.html
> I normally just build openssl myself, and haven't used that specific
> link personally - but it is listed on the main openssl.org webpage so
> hopefully should work.
>   
Thanks Arundel for the link. I used the pre-built binaries from the URL. 
I did the following:
1. Exported the certificate to .CER format with the keytool -export command.
2. Converted CER format to PEM format using the openssl command x509 -inform 
der -in MYCERT.cer -out MYCERT.pem
3. Checked the version using the openssl command x509 -in MYCERT.pem -inform 
PEM -text

I saw the following information along with Validity, Subject, Subject Public 
Key Info and Certificate:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1173183211 (0x45ed5aeb)
        Signature Algorithm: md5WithRSAEncryption

I guess I can confirm, seeing the above, that the certificates I am using are 
of version v1. Also, no extension information was there.

Hence, in this case the certificates I am passing to WSS4J are X509v1, 
and the expected ValueType must be #X509v1.

In case I am right, WSS4J supports OASIS X.509 Certificate Token Profile 
1.0 [1]. IMO, the only differences between 1.0 and OASIS X.509 Certificate 
Token Profile 1.1 [2] are the following:

1. Inclusion of X.509 version 1 certificates (I don't know the reason for 
going back).
2. Allowing only X.509 version 3 certificates to be used in the Key 
Identifier reference.

We can change the above and can support Token Profile 1.1.

With Regards,
Mayank

[1]. 
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
[2]. 
http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf


> I could probably mail you a statically built version for one of the most
> popular Unix platforms if that's any use to you, and save you the hassle
> of building it..
>
>   
>> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
>> C=mycountry, EMAILADDRESS=me@mycompany.com
>>
>> I guess, EMAILADDRESS, etc comes as v3 certificate extensions.
>>
>> Is there any way through which I can verify whether my certificate is v3
>> certificate having no extension or v1 certificate?
>
>
> Cheers,
>    Donal
>
> -----Original Message-----
> From: Mayank Mishra [mailto:mayank@pramati.com] 
> Sent: 26 February 2008 14:10
> To: cxf-user@incubator.apache.org
> Subject: Re: Usage of X509 certificates in WSS4J
>
> Arundel, Donal wrote:
>   
>> Unless x.509v3 Certificates are present in your created certificate
>> there
>> is no requirement that the certificate version number is 3.
>>
>> If either the X.509 issuerUniqueID or subjectUniqueID fields are present
>> the certificate must be at least version 2.
>> However there is nothing actually stopping somebody creating a
>> certificate with no x.509v3 extensions, and also no issuerUniqueID or
>> subjectUniqueID, ..and having a version of 3. A version of 1 would
>> strictly be more correct though.
> Yes, I agree with you.
>> I don't know offhand if Keytool gives you explicit control over the
>> version number or whether it just calculates the version from the
>> logical certificate request data when creating the certificate.
> I generated public key certificates and private keys from keytool only.
> According to [1], it generates v1 certificates and can import/export v1,
> v2, and v3 certificates.
> But I am suspecting it because, while printing out the certificate,
> I get the following along with SerialNumber and Certificate fingerprints.
>
> Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
> C=mycountry, EMAILADDRESS=me@mycompany.com
> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
> C=mycountry, EMAILADDRESS=me@mycompany.com
>
> I guess EMAILADDRESS, etc., come as v3 certificate extensions.
>
> Is there any way through which I can verify whether my certificate is v3
> certificate having no extension or v1 certificate?
>   
>> Generally all CA certificates must have extensions indicating that they
>> are CAs, so they should have a version number of 3.
>> Application certs on the other hand may vary depending on their content
>> and anticipated usage.
>>
>> Cheers,
>>     Donal
>
> With Regards,
> Mayank
>
> [1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
>   
>>   
>>
>> -----Original Message-----
>> From: Mayank Mishra [mailto:mayank@pramati.com] 
>> Sent: 26 February 2008 10:44
>> To: cxf-user@incubator.apache.org
>> Subject: Usage of X509 certificates in WSS4J
>>
>> G'day all,
>>
>> I am using WSS4J 1.5.1. I created X509 public keys and certificates from
>> Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
>> Please let me know if it creates v3 certificates, which in my opinion it
>> doesn't do.
>> Looking at the on the wire message sent from client to server or 
>> otherwise, I observe Token Reference, the value of the "Valuetype" 
>> attribute in the "KeyIdentifier" element is
>>
>> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>
>> AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were
>> included in the spec; in X509 Certificate Token Profile 1.0, only X509v3
>> certificates were there to be used.
>>
>> Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please
>> clarify if I am wrong.
>>
>> Since X509v3 certs have some more extension elements over X509v1, it
>> should give some error when passing X509v1 for cryptos creation. Or it
>> silently uses X509v1, but then the valuetype should be "#x509v1" instead
>> of "#x509v3".
>>
>> There is a bit of confusion. Kindly clarify.
>>
>> With Regards,
>> Mayank
>>
>> ----------------------------
>> IONA Technologies PLC (registered in Ireland)
>> Registered Number: 171387
>> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
>


RE: Usage of X509 certificates in WSS4J

Posted by "Arundel, Donal" <do...@iona.com>.
Sure, assuming you mean from the command line then download the
excellent openssl utility from www.openssl.org.

Then execute:

"openssl x509 -in MyCertfile.pem -inform PEM -text"

This will give a nice printout of the cert details, including a listing
of the x.509v3 extensions present.
The above command line assumes the cert is in PEM format (base 64
encoded); DER format is also supported (the Java language specific jks
file format is not supported by openssl).

(Aside: If you wanted to query certs programmatically then you could use
the JDK's X.509 interface, which gives you access to the extensions and
also to the version number of the certificate)

The Email address data you refer to below appears to be just part of the
distinguished name of both the Issuer and Subject.
This by itself is not evidence of an x.509v3 extension being present.

There is at least one defined X.509v3 extension that can be used for
e-mail addresses (e.g. the emailAddress extension), but from the extract
you have posted it's not clear if this is specified in your cert.
I suspect it's unlikely based on what you have said so far.

Anyway openssl will make this clear.

If you are on Windows you could just download the pre built binaries
executable from 
http://www.openssl.org/related/binaries.html
I normally just build openssl myself, and haven't used that specific
link personally - but it is listed on the main openssl.org webpage so
hopefully should work.

I could probably mail you a statically built version for one of the most
popular Unix platforms if that's any use to you, and save you the hassle
of building it..

> Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate,
> C=mycountry, EMAILADDRESS=me@mycompany.com
>
> I guess EMAILADDRESS, etc., come as v3 certificate extensions.
>
> Is there any way through which I can verify whether my certificate is v3
> certificate having no extension or v1 certificate?


Cheers,
   Donal

-----Original Message-----
From: Mayank Mishra [mailto:mayank@pramati.com] 
Sent: 26 February 2008 14:10
To: cxf-user@incubator.apache.org
Subject: Re: Usage of X509 certificates in WSS4J

Arundel, Donal wrote:
> Unless x.509v3 Certificates are present in your created certificate there
> is no requirement that the certificate version number is 3.
>
> If either the X.509 issuerUniqueID or subjectUniqueID fields are present
> the certificate must be at least version 2.
> However there is nothing actually stopping somebody creating a
> certificate with no x.509v3 extensions, and also no issuerUniqueID or
> subjectUniqueID, ..and having a version of 3. A version of 1 would
> strictly be more correct though.
Yes, I agree with you.
> I don't know offhand if Keytool gives you explicit control over the
> version number or whether it just calculates the version from the
> logical certificate request data when creating the certificate.
I generated public key certificates and private keys from keytool only.
According to [1], it generates v1 certificates and can import/export v1,
v2, and v3 certificates.
But I am suspecting it because, while printing out the certificate,
I get the following along with SerialNumber and Certificate fingerprints.

Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
C=mycountry, EMAILADDRESS=me@mycompany.com
Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
C=mycountry, EMAILADDRESS=me@mycompany.com

I guess EMAILADDRESS, etc., come as v3 certificate extensions.

Is there any way through which I can verify whether my certificate is v3
certificate having no extension or v1 certificate?
> Generally all CA certificates must have extensions indicating that they
> are CAs, so they should have a version number of 3.
> Application certs on the other hand may vary depending on their content
> and anticipated usage.
>
> Cheers,
>     Donal
>   

With Regards,
Mayank

[1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
>   
>
> -----Original Message-----
> From: Mayank Mishra [mailto:mayank@pramati.com] 
> Sent: 26 February 2008 10:44
> To: cxf-user@incubator.apache.org
> Subject: Usage of X509 certificates in WSS4J
>
> G'day all,
>
> I am using WSS4J 1.5.1. I created X509 public keys and certificates from
> Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
> Please let me know if it creates v3 certificates, which in my opinion it
> doesn't do.
> Looking at the on the wire message sent from client to server or 
> otherwise, I observe Token Reference, the value of the "Valuetype" 
> attribute in the "KeyIdentifier" element is
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>
> AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were
> included in the spec; in X509 Certificate Token Profile 1.0, only X509v3
> certificates were there to be used.
>
> Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please
> clarify if I am wrong.
>
> Since X509v3 certs have some more extension elements over X509v1, it
> should give some error when passing X509v1 for cryptos creation. Or it
> silently uses X509v1, but then the valuetype should be "#x509v1" instead
> of "#x509v3".
>
> There is a bit of confusion. Kindly clarify.
>
> With Regards,
> Mayank
>


Re: Usage of X509 certificates in WSS4J

Posted by Mayank Mishra <ma...@pramati.com>.
Arundel, Donal wrote:
> Unless x.509v3 Certificates are present in your created certificate there
> is no requirement that the certificate version number is 3.
>
> If either the X.509 issuerUniqueID or subjectUniqueID fields are present
> the certificate must be at least version 2.
> However there is nothing actually stopping somebody creating a
> certificate with no x.509v3 extensions, and also no issuerUniqueID or
> subjectUniqueID, ..and having a version of 3. A version of 1 would
> strictly be more correct though.
>   
Yes, I agree with you.
> I don't know offhand if Keytool gives you explicit control over the version number or whether it just calculates the version from the
> logical certificate request data when creating the certificate.
>   
I generated public key certificates and private keys from keytool only.
According to [1], it generates v1 certificates and can import/export v1,
v2, and v3 certificates.
But I am suspecting it because, while printing out the certificate,
I get the following along with SerialNumber and Certificate fingerprints.

Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
C=mycountry, EMAILADDRESS=me@mycompany.com
Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, 
C=mycountry, EMAILADDRESS=me@mycompany.com

I guess EMAILADDRESS, etc., come as v3 certificate extensions.

Is there any way through which I can verify whether my certificate is v3 
certificate having no extension or v1 certificate?
> Generally all CA certificates must have extensions indicating that they
> are CAs, so they should have a version number of 3.
> Application certs on the other hand may vary depending on their content
> and anticipated usage.
>
> Cheers,
>     Donal
>   

With Regards,
Mayank

[1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
>   
>
> -----Original Message-----
> From: Mayank Mishra [mailto:mayank@pramati.com] 
> Sent: 26 February 2008 10:44
> To: cxf-user@incubator.apache.org
> Subject: Usage of X509 certificates in WSS4J
>
> G'day all,
>
> I am using WSS4J 1.5.1. I created X509 public keys and certificates from
> Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
> Please let me know if it creates v3 certificates, which in my opinion it
> doesn't do.
> Looking at the on the wire message sent from client to server or 
> otherwise, I observe Token Reference, the value of the "Valuetype" 
> attribute in the "KeyIdentifier" element is
>
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>
> AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were
> included in the spec; in X509 Certificate Token Profile 1.0, only X509v3
> certificates were there to be used.
>
> Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please
> clarify if I am wrong.
>
> Since X509v3 certs have some more extension elements over X509v1, it
> should give some error when passing X509v1 for cryptos creation. Or it
> silently uses X509v1, but then the valuetype should be "#x509v1" instead
> of "#x509v3".
>
> There is a bit of confusion. Kindly clarify.
>
> With Regards,
> Mayank
>


RE: Usage of X509 certificates in WSS4J

Posted by "Arundel, Donal" <do...@iona.com>.
Unless x.509v3 Certificates are present in your created certificate there
is no requirement that the certificate version number is 3.

If either the X.509 issuerUniqueID or subjectUniqueID fields are present
the certificate must be at least version 2.

However there is nothing actually stopping somebody creating a
certificate with no x.509v3 extensions, and also no issuerUniqueID or
subjectUniqueID, ..and having a version of 3. A version of 1 would
strictly be more correct though.
I don't know offhand if Keytool gives you explicit control over the
version number or whether it just calculates the version from the
logical certificate request data when creating the certificate.

Generally all CA certificates must have extensions indicating that they
are CAs, so they should have a version number of 3.
Application certs on the other hand may vary depending on their content
and anticipated usage.

Cheers,
    Donal
  

-----Original Message-----
From: Mayank Mishra [mailto:mayank@pramati.com] 
Sent: 26 February 2008 10:44
To: cxf-user@incubator.apache.org
Subject: Usage of X509 certificates in WSS4J

G'day all,

I am using WSS4J 1.5.1. I created X509 public keys and certificates from
Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.
Please let me know if it creates v3 certificates, which in my opinion it
doesn't do.
Looking at the on the wire message sent from client to server or
otherwise, I observe in the Token Reference that the value of the "Valuetype"
attribute in the "KeyIdentifier" element is

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were
included in the spec; in X509 Certificate Token Profile 1.0, only X509v3
certificates were there to be used.

Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please
clarify if I am wrong.

Since X509v3 certs have some more extension elements over X509v1, it
should give some error when passing X509v1 for cryptos creation. Or it
silently uses X509v1, but then the valuetype should be "#x509v1" instead
of "#x509v3".

There is a bit of confusion. Kindly clarify.

With Regards,
Mayank

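As an added example (not code from this thread, from WSS4J or from keytool), here is a small DER walker that does programmatically what the keytool -export / openssl x509 -text steps earlier in the thread do by hand: it reads the version field a certificate declares and compares it with the lowest version its content actually needs, following the rule Donal gives in this message (an issuerUniqueID or subjectUniqueID needs at least v2, an extensions block needs v3, and a v3 number with no extensions is allowed but v1 would be more correct). The certificates it inspects are constructed skeletons with real field tags and placeholder bodies (an assumption made so the example runs offline); for a real check, read the bytes of the .cer file keytool exported and pass them to analyse(), and the declared version it returns is the one that decides between the #X509v1 and #X509v3 ValueTypes discussed above.

```python
# Added example, not from the thread, WSS4J or keytool. Assumption: the
# certificates built by skeleton_cert() are constructed skeletons, not real
# certificates; only their top-level TBSCertificate tags are meaningful.
from typing import Dict, List, Optional, Tuple

# Single-byte tags of the Certificate / TBSCertificate fields that matter here.
TAG_INTEGER = 0x02
TAG_BIT_STRING = 0x03
TAG_SEQUENCE = 0x30
TAG_VERSION = 0xA0        # [0] EXPLICIT Version, DEFAULT v1(0) when absent
TAG_ISSUER_UID = 0x81     # [1] IMPLICIT UniqueIdentifier (needs v2 or later)
TAG_SUBJECT_UID = 0x82    # [2] IMPLICIT UniqueIdentifier (needs v2 or later)
TAG_EXTENSIONS = 0xA3     # [3] EXPLICIT Extensions (needs v3)


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a single-byte tag plus its DER length."""
    return bytes([tag]) + _der_len(len(content)) + content


def tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split DER into its top-level (tag, content) elements.

    Single-byte tags cover every top-level TBSCertificate field; indefinite
    lengths are BER rather than DER and are rejected.
    """
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag not supported")
        if first < 0x80:
            length, i = first, i + 2
        elif first == 0x80:
            raise ValueError("indefinite length is not DER")
        else:
            n = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + n], "big")
            i += 2 + n
        if i + length > len(data):
            raise ValueError("truncated element")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def analyse(cert_der: bytes) -> Dict[str, object]:
    """Report the declared version and the lowest version the content allows."""
    outer = tlvs(cert_der)
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        raise ValueError("expected a single Certificate SEQUENCE")
    tbs_tag, tbs = tlvs(outer[0][1])[0]    # tbsCertificate is the first member
    if tbs_tag != TAG_SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = tlvs(tbs)
    declared = 1                           # absent version field means v1
    if fields and fields[0][0] == TAG_VERSION:
        (_, vint), = tlvs(fields[0][1])    # [0] wraps one INTEGER: 0=v1, 2=v3
        declared = int.from_bytes(vint, "big") + 1
    tags = {t for t, _ in fields}
    required = 1
    if tags & {TAG_ISSUER_UID, TAG_SUBJECT_UID}:
        required = 2
    if TAG_EXTENSIONS in tags:
        required = 3
    return {
        "declared_version": declared,
        "required_version": required,
        "has_extensions": TAG_EXTENSIONS in tags,
        "consistent": declared >= required,
    }


def skeleton_cert(version: Optional[int] = None, with_uid: bool = False,
                  with_extensions: bool = False) -> bytes:
    """Constructed skeleton: correct field tags, placeholder bodies (assumption)."""
    fields = b""
    if version is not None:                # explicit version, else DEFAULT v1
        fields += der(TAG_VERSION, der(TAG_INTEGER, bytes([version - 1])))
    fields += der(TAG_INTEGER, b"\x01")    # serialNumber
    for _ in range(5):                     # signature, issuer, validity,
        fields += der(TAG_SEQUENCE, b"")   # subject, subjectPublicKeyInfo
    if with_uid:
        fields += der(TAG_SUBJECT_UID, b"\x00\xab")
    if with_extensions:
        fields += der(TAG_EXTENSIONS, der(TAG_SEQUENCE, b""))
    tbs = der(TAG_SEQUENCE, fields)
    return der(TAG_SEQUENCE, tbs + der(TAG_SEQUENCE, b"") + der(TAG_BIT_STRING, b"\x00"))


if __name__ == "__main__":
    for label, cert in [("keytool-style v1", skeleton_cert()),
                        ("v3 with no extensions", skeleton_cert(version=3)),
                        ("v3 with extensions", skeleton_cert(3, with_extensions=True)),
                        ("v1 carrying a uniqueID", skeleton_cert(1, with_uid=True))]:
        print(f"{label}: {analyse(cert)}")
```

The "consistent" flag only says the declared number is high enough for the content; as Donal notes, a v3 number over a certificate with no extensions is legal, and the example reports that case as consistent with required_version 1 rather than flagging it.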