Posted to fx-dev@ws.apache.org by Thilo Frotscher <th...@web.de> on 2005/07/28 18:04:16 UTC

[WSS4J] NullPointerException in Merlin / .NET Interop issues


Hi all,

we have an interoperability issue between WSS4J and WSE, and we believe we have found a bug in WSS4J. Please have a look at it and give some advice.

Scenario: We want to send an encrypted and signed message from WSE to WSS4J. I created a key pair with keytool on Java SE 5.0 and exported a certificate from my keystore (JCEKS). This certificate was successfully imported on the .NET side. The SOAP message that WSE sends to WSS4J looks ok. 

However, WSE uses a <SecurityTokenReference> with a <KeyIdentifier> element. When this <SecurityTokenReference> is processed by WSS4J, a NullPointerException is thrown in class Merlin, method getSKIBytesFromCert(X509Certificate cert).

Reason for the exception: look at this code from getSKIBytesFromCert...

byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
if (cert.getVersion() < 3) {...}
byte abyte0[] = new byte[derEncodedValue.length - 4];

The return value of cert.getExtensionValue(SKI_OID) is null in our case. Thus, the third line fails. As stated in Sun's API documentation, null return values can happen.

http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)

1) This should be enhanced so that NullPointerExceptions can't happen anymore.
2) What does it mean that null is returned? Does this mean that the certificate doesn't have an extension? 
3) Would it be still a valid certificate or is it invalid without the extension?
4) How can we resolve this issue? Do the certificates created by keytool/Java5.0 have interop issues?
5) (maybe off-topic): does anybody know how .NET can be configured to send a <SecurityTokenReference> with <X509IssuerSerial> instead of <KeyIdentifier>?

Thank you very much,
Thilo
