I dug some more...
It seems sun's DerValue class is only used if
the xml signature KeyInfo contains an <X509SKI> element
(signatures without one work).
This is what I get. I'm not sure if this is a legal KeyInfo.
If the combination of issuer/serial and SKI is not OK, I can
move the problem ownership to the sender :)
<KeyInfo>
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>
        C=DE,O=Secret GmbH, OU=development,CN=TestSecret
      </X509IssuerName>
      <X509SerialNumber>7711026923132787338</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>aTTp+EejjS30eFH+UObfuscaTeME=</X509SKI>
  </X509Data>
</KeyInfo>
Regards,
Heiner
Heiner Westphal wrote:
Hello!
I'm using xml-security java 1.1.0 on AIX with
IBM SDK 1.4.1.
In org.apache.xml.security.keys.content.x509.XMLX509SKI
an object of class sun.security.util.DerValue is used, which
it should not be, according to
http://java.sun.com/products/jdk/faq/faq-sun-packages.html
When I'm trying to read a specific certificate I get:
Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/util/DerValue.
This does not happen if I use a self-signed cert created with
keytool and keyalg=DSA.
If anyone knows a quick workaround, please tell me.
P.S.: The calling code is attached, trace below.
The trace is (sorry, no line numbers;
"..." means org.apache.xml.security.):
Exception in thread "main" java.lang.NoClassDefFoundError:
sun/security/util/DerValue
at ...keys.content.x509.XMLX509SKI.getSKIBytesFromCert(Unknown Source)
at ...keys.content.x509.XMLX509SKI.<init>(Unknown Source)
at ...keys.keyresolver.implementations.X509SKIResolver.engineResolveX509Certificate(Unknown Source)
at ...keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
at ...keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
at ...keys.KeyInfo.getX509Certificate(Unknown Source)
- HERE starts my custom code, see attachment -
------------------------------------------------------------------------
// Imports the attached method needs (xml-security 1.1.0 packages);
// keyStore is a java.security.KeyStore field of the enclosing class.
import java.security.cert.X509Certificate;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.keys.storage.StorageResolverException;
import org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;

/**
 * Get a certificate that matches the given keyinfo.
 * @param keyInfo Keyinfo to check against.
 * @return certificate that matches the keyinfo.
 * @throws MyErrorException If no certificate was found, either
 *         because there was no matching one or because
 *         the keystore was broken.
 */
private X509Certificate getCertificate(final KeyInfo keyInfo)
        throws MyErrorException {
    if (keyInfo != null) {
        if (keyInfo.containsX509Data()) {
            X509Certificate cert;
            try {
                // Let the KeyInfo resolvers look the certificate up in our keystore.
                StorageResolver storageResolver =
                    new StorageResolver(new KeyStoreResolver(keyStore));
                keyInfo.addStorageResolver(storageResolver);
                cert = keyInfo.getX509Certificate(); // HERE!
            } catch (StorageResolverException e) {
                throw new MyErrorException(e);
            } catch (KeyResolverException e) {
                throw new MyErrorException(e);
            }
            return cert;
        } else {
            // KeyInfo is present but carries no X509Data element.
            throw new MyErrorException(
                "Message contains no X509Data. " + "Cannot check dsig.");
        }
    } else {
        // No KeyInfo at all.
        throw new MyErrorException(
            "Message contains no KeyInfo. " + "Cannot check dsig.");
    }
}
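As an added example (not from this thread and not xml-security's own code): the SKI bytes that XMLX509SKI.getSKIBytesFromCert() pulls out of the certificate through sun.security.util.DerValue can be read with nothing but the public java.security.cert API, so the same <X509SKI> comparison also works on an IBM JDK. The class and method names below are made up for this example; the caller supplies the X509Certificate, and base64 of the returned bytes is the value that belongs in <X509SKI>.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;

public final class PortableSki {
    // OID of the SubjectKeyIdentifier extension (RFC 3280, section 4.2.1.2).
    private static final String SKI_OID = "2.5.29.14";

    // Returns the raw key identifier, or null if the certificate has no SKI extension.
    // getExtensionValue() hands back the DER OCTET STRING "extnValue"; for SKI the content
    // of that OCTET STRING is itself an OCTET STRING (KeyIdentifier), so two layers are removed.
    public static byte[] getSkiBytes(X509Certificate cert) throws CertificateParsingException {
        byte[] extnValue = cert.getExtensionValue(SKI_OID);
        if (extnValue == null) {
            return null;
        }
        return unwrapOctetString(unwrapOctetString(extnValue));
    }

    // Strips one DER OCTET STRING (tag 0x04) header, accepting short and long length forms,
    // and rejects anything that is not exactly one well-formed OCTET STRING.
    static byte[] unwrapOctetString(byte[] der) throws CertificateParsingException {
        if (der.length < 2 || der[0] != 0x04) {
            throw new CertificateParsingException("expected DER OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int offset = 2;
        int len = first;
        if (first >= 0x80) {                 // long form: 0x8n followed by n length bytes
            int n = first & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n) {
                throw new CertificateParsingException("bad DER length encoding");
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            offset = 2 + n;
        }
        if (len < 0 || offset + len != der.length) {
            throw new CertificateParsingException("OCTET STRING length does not match data");
        }
        byte[] out = new byte[len];
        System.arraycopy(der, offset, out, 0, len);
        return out;
    }
}
```

A self-signed keytool certificate without an SKI extension makes getSkiBytes() return null rather than fail, which matches the behaviour described above where only certificates that carry the extension trigger the problematic code path.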