Would you be able to compile a fresh version of xml-security from our
CVS? If so, try replacing Sun's DerValue with
com.ibm.security.util.DerValue and see if that works. If it does, I am
willing to patch the code using the Java reflection API to switch between
the two.

thanks,
-- dims

On Fri, 25 Jun 2004 14:43:56 +0200, Heiner Westphal
<[EMAIL PROTECTED]> wrote:
> 
> I dug some more...
> 
> It seems Sun's DerValue class is only used if
> the XML signature KeyInfo contains an <X509SKI> element
> (signatures without one work).
> 
> This is what I get. I'm not sure if this is a legal keyinfo.
> If the combination of issuer/serial and ski is not ok, I can
> move the problem ownership to the sender :)
> 
> <KeyInfo>
>    <X509Data>
>      <X509IssuerSerial>
>        <X509IssuerName>
>          C=DE,O=Secret GmbH, OU=development,CN=TestSecret
>        </X509IssuerName>
>        <X509SerialNumber>7711026923132787338</X509SerialNumber>
>      </X509IssuerSerial>
>      <X509SKI>aTTp+EejjS30eFH+UObfuscaTeME=</X509SKI>
>    </X509Data>
> </KeyInfo>
> 
> Regards,
> 
> Heiner
> 
> 
> 
> Heiner Westphal wrote:
> 
> > Hello!
> >
> > I'm using xml-security java 1.1.0 on an AIX with
> > IBM SDK 1.4.1.
> >
> > In org.apache.xml.security.keys.content.x509.XMLX509SKI
> > an object of class sun.security.util.DerValue is used, which
> > should not be according to
> > http://java.sun.com/products/jdk/faq/faq-sun-packages.html
> >
> > When I'm trying to read a specific certificate I get:
> > Exception in thread "main" java.lang.NoClassDefFoundError:
> > sun/security/util/DerValue.
> > This does not happen if I use a self-signed cert created with
> > keytool and keyalg=DSA.
> >
> > If anyone knows a quick workaround, please tell me.
> >
> > P.S.: The calling code is attached, trace below.
> > The trace is (sorry, no line numbers;
> > ... means org.apache.xml.security.):
> >
> > Exception in thread "main" java.lang.NoClassDefFoundError:
> > sun/security/util/DerValue
> >  at ...keys.content.x509.XMLX509SKI.getSKIBytesFromCert(Unknown Source)
> >  at ...keys.content.x509.XMLX509SKI.<init>(Unknown Source)
> >  at ...keys.keyresolver.implementations.X509SKIResolver.
> >                          engineResolveX509Certificate(Unknown Source)
> >  at ...keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
> >  at ...keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
> >  at ...keys.KeyInfo.getX509Certificate(Unknown Source)
> > - HERE starts my custom code, see attachment -
> >
> > 
> > ------------------------------------------------------------------------
> >
> >     import java.security.cert.X509Certificate;
> >     import org.apache.xml.security.keys.KeyInfo;
> >     import org.apache.xml.security.keys.keyresolver.KeyResolverException;
> >     import org.apache.xml.security.keys.storage.StorageResolver;
> >     import org.apache.xml.security.keys.storage.StorageResolverException;
> >     import org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
> >
> >     // keyStore is the java.security.KeyStore field of the enclosing class
> >     // that holds the trusted certificates.
> >
> >     /**
> >      * Get a certificate that matches the given keyinfo.
> >      * @param keyInfo Keyinfo to check against.
> >      * @return certificate that matches the keyinfo.
> >      * @throws MyErrorException If no certificate was found just
> >      *                          because there was no matching, or because
> >      *                          the keystore was broken.
> >      */
> >     private X509Certificate getCertificate(final KeyInfo keyInfo)
> >         throws MyErrorException {
> >         if (keyInfo != null) {
> >             if (keyInfo.containsX509Data()) {
> >                 X509Certificate cert;
> >                 try {
> >                     // Let the KeyInfo look up certificates in our keystore.
> >                     StorageResolver storageResolver =
> >                         new StorageResolver(new KeyStoreResolver(keyStore));
> >                     keyInfo.addStorageResolver(storageResolver);
> >                     cert = keyInfo.getX509Certificate();  // HERE!
> >                 } catch (StorageResolverException e) {
> >                     throw new MyErrorException(e);
> >                 } catch (KeyResolverException e) {
> >                     throw new MyErrorException(e);
> >                 }
> >                 return cert;
> >             } else {
> >                 // KeyInfo present but carries no X509Data element.
> >                 throw new MyErrorException(
> >                     "Message contains no X509Data. " + "Cannot check dsig.");
> >             }
> >         } else {
> >             // No KeyInfo at all in the signature.
> >             throw new MyErrorException(
> >                 "Message contains no KeyInfo. " + "Cannot check dsig.");
> >         }
> >     }
> 
> 


-- 
Davanum Srinivas - http://webservices.apache.org/~dims/
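Added example, not code from the thread or from the xml-security project: a replacement for XMLX509SKI.getSKIBytesFromCert that reads the SubjectKeyIdentifier extension through the public java.security.cert.X509Certificate API instead of sun.security.util.DerValue, so it runs on the IBM SDK as well. The class name PortableSki and the hand-written OCTET STRING unwrapping are my own; the result is the raw SKI bytes that X509SKIResolver compares against the base64-decoded <X509SKI> content.

```java
import java.security.cert.X509Certificate;

public final class PortableSki {

    /** OID of the SubjectKeyIdentifier extension (RFC 3280, 4.2.1.2). */
    private static final String SKI_OID = "2.5.29.14";

    /**
     * Returns the raw key identifier bytes of the certificate's
     * SubjectKeyIdentifier extension, or null if the extension is absent.
     *
     * getExtensionValue() returns the DER-encoded extnValue: an OCTET STRING
     * whose content is the extension's own DER encoding, which for SKI is
     * again an OCTET STRING. Both layers are stripped here without sun.* code.
     */
    public static byte[] getSKIBytesFromCert(X509Certificate cert) {
        byte[] extnValue = cert.getExtensionValue(SKI_OID);
        if (extnValue == null) {
            return null;
        }
        byte[] inner = unwrapOctetString(extnValue);
        return unwrapOctetString(inner);
    }

    /** Decodes a single DER OCTET STRING and returns its contents. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected DER OCTET STRING tag 0x04");
        }
        int len = der[1] & 0xFF;
        int contentStart = 2;
        if (len > 0x7F) {                 // long form: 0x8N followed by N length bytes
            int numBytes = len & 0x7F;
            if (numBytes == 0 || numBytes > 3 || der.length < contentStart + numBytes) {
                throw new IllegalArgumentException("unsupported or truncated DER length");
            }
            len = 0;
            for (int i = 0; i < numBytes; i++) {
                len = (len << 8) | (der[contentStart + i] & 0xFF);
            }
            contentStart += numBytes;
        }
        if (contentStart + len > der.length) {
            throw new IllegalArgumentException("DER length exceeds buffer");
        }
        byte[] out = new byte[len];
        System.arraycopy(der, contentStart, out, 0, len);
        return out;
    }
}
```

Certificates without the extension (such as the keytool-generated DSA cert mentioned above) yield null here, so a caller must still fall back to the issuer/serial match.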
