I'd say it wouldn't be too hard to remove the dependency on the DerValue class completely. Basically, you want to extract the KeyIdentifier Octet String from the DER-encoded extension value and then strip off the octet tag.
If I have some time later, I'll send a snippet of code.
--Sean
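As an added example of the approach Sean describes (this is not code from the xml-security project or from any poster in this thread), the following class pulls the KeyIdentifier out of the SubjectKeyIdentifier extension using only java.security APIs. It assumes what RFC 3280 specifies: X509Certificate.getExtensionValue(oid) returns the extnValue OCTET STRING, whose contents for OID 2.5.29.14 are a second OCTET STRING holding the raw identifier, so two tag/length headers are stripped. The class name SkiExtractor and its method names are hypothetical; the main method checks the parser against a constructed byte array, not a real certificate, and only uses APIs available since early Java versions.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example: extract the SubjectKeyIdentifier from a certificate without
 * sun.security.util.DerValue. Layout of the extension value (RFC 3280, 4.2.1.2):
 *
 *   04 <len>            -- extnValue OCTET STRING (what getExtensionValue returns)
 *      04 <len> <bytes> -- KeyIdentifier OCTET STRING
 */
public final class SkiExtractor {

    /** OID of the SubjectKeyIdentifier extension. */
    public static final String SKI_OID = "2.5.29.14";

    private static final int TAG_OCTET_STRING = 0x04;

    private SkiExtractor() {}

    /** Returns the raw SKI bytes, or null when the certificate carries no SKI extension. */
    public static byte[] getSKIBytesFromCert(X509Certificate cert) {
        byte[] extnValue = cert.getExtensionValue(SKI_OID);
        if (extnValue == null) {
            return null;
        }
        // Strip the extnValue wrapper, then the KeyIdentifier's own OCTET STRING header.
        return unwrapOctetString(unwrapOctetString(extnValue));
    }

    /**
     * Strips one DER OCTET STRING header (tag + length) and returns the contents.
     * Handles short-form (< 128) and long-form lengths, and rejects truncated or
     * trailing data so a malformed extension is reported rather than misread.
     */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2) {
            throw new IllegalArgumentException("DER value too short");
        }
        if ((der[0] & 0xFF) != TAG_OCTET_STRING) {
            throw new IllegalArgumentException("Expected OCTET STRING tag 0x04, got 0x"
                    + Integer.toHexString(der[0] & 0xFF));
        }
        int pos = 1;
        int length = der[pos++] & 0xFF;
        if (length >= 0x80) {
            // Long form: the low 7 bits give the number of following length octets.
            int numLengthBytes = length & 0x7F;
            if (numLengthBytes == 0 || numLengthBytes > 4 || pos + numLengthBytes > der.length) {
                throw new IllegalArgumentException("Unsupported or truncated DER length");
            }
            length = 0;
            for (int i = 0; i < numLengthBytes; i++) {
                length = (length << 8) | (der[pos++] & 0xFF);
            }
        }
        if (length < 0 || pos + length != der.length) {
            throw new IllegalArgumentException("DER length does not match data: expected "
                    + length + " content bytes, found " + (der.length - pos));
        }
        byte[] contents = new byte[length];
        System.arraycopy(der, pos, contents, 0, length);
        return contents;
    }

    /** Self-check on a constructed extension value (not taken from a real certificate). */
    public static void main(String[] args) {
        // Constructed sample: a 20-byte key identifier 0x00..0x13 wrapped in two OCTET STRINGs.
        byte[] keyId = new byte[20];
        for (int i = 0; i < keyId.length; i++) {
            keyId[i] = (byte) i;
        }
        byte[] inner = new byte[2 + keyId.length];
        inner[0] = TAG_OCTET_STRING;
        inner[1] = (byte) keyId.length;          // 0x14
        System.arraycopy(keyId, 0, inner, 2, keyId.length);
        byte[] extnValue = new byte[2 + inner.length];
        extnValue[0] = TAG_OCTET_STRING;
        extnValue[1] = (byte) inner.length;      // 0x16
        System.arraycopy(inner, 0, extnValue, 2, inner.length);

        byte[] recovered = unwrapOctetString(unwrapOctetString(extnValue));
        if (!Arrays.equals(recovered, keyId)) {
            throw new AssertionError("SKI extraction failed");
        }
        StringBuffer hex = new StringBuffer();
        for (int i = 0; i < recovered.length; i++) {
            hex.append(Integer.toHexString((recovered[i] & 0xFF) | 0x100).substring(1));
        }
        System.out.println("SKI (hex): " + hex);
    }
}
```

The bytes returned by getSKIBytesFromCert are what an <X509SKI> element carries after base64 encoding, so comparing them with the decoded element content is the matching step a resolver needs. The strict length check matters: a certificate whose SKI extension is truncated or padded should fail loudly instead of yielding an identifier that silently matches nothing, or worse, matches the wrong key.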
Davanum Srinivas wrote:
Would you be able to compile a fresh version of xml-security from our CVS? If so, try replacing Sun's DerValue with com.ibm.security.util.DerValue and see if that works. If it does, I am willing to patch the code using the Java reflection API to switch between the two.
thanks, -- dims
On Fri, 25 Jun 2004 14:43:56 +0200, Heiner Westphal <[EMAIL PROTECTED]> wrote:
I dug some more...
It seems Sun's DerValue class is only used if the XML signature KeyInfo contains an <X509SKI> element (signatures without it work).
This is what I get. I'm not sure if this is a legal keyinfo. If the combination of issuer/serial and ski is not ok, I can move the problem ownership to the sender :)
<KeyInfo>
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>C=DE,O=Secret GmbH, OU=development,CN=TestSecret</X509IssuerName>
      <X509SerialNumber>7711026923132787338</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>aTTp+EejjS30eFH+UObfuscaTeME=</X509SKI>
  </X509Data>
</KeyInfo>
Regards,
Heiner
Heiner Westphal wrote:
Hello!
I'm using xml-security java 1.1.0 on an AIX with IBM SDK 1.4.1.
In org.apache.xml.security.keys.content.x509.XMLX509SKI an object of class sun.security.util.DerValue is used, which should not be according to http://java.sun.com/products/jdk/faq/faq-sun-packages.html
When I'm trying to read a specific certificate I get: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/util/DerValue. This does not happen if I use a self-signed cert created with keytool and keyalg=DSA.
If anyone knows a quick workaround, please tell me.
P.S.: The calling code is attached, trace below. Trace is (sorry, no line numbers; ... means org.apache.xml.security.):
Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/util/DerValue
  at ...keys.content.x509.XMLX509SKI.getSKIBytesFromCert(Unknown Source)
  at ...keys.content.x509.XMLX509SKI.<init>(Unknown Source)
  at ...keys.keyresolver.implementations.X509SKIResolver.engineResolveX509Certificate(Unknown Source)
  at ...keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
  at ...keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
  at ...keys.KeyInfo.getX509Certificate(Unknown Source)
  - HERE starts my custom code, see attachment -
------------------------------------------------------------------------
import java.security.cert.X509Certificate;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.keys.storage.StorageResolverException;
import org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;

/**
 * Get a certificate that matches the given keyinfo.
 *
 * @param keyInfo Keyinfo to check against.
 * @return certificate that matches the keyinfo.
 * @throws MyErrorException If no certificate was found, either
 *         because there was no matching one, or because
 *         the keystore was broken.
 */
private X509Certificate getCertificate(final KeyInfo keyInfo) throws MyErrorException {
    if (keyInfo != null) {
        if (keyInfo.containsX509Data()) {
            X509Certificate cert;
            try {
                // keyStore is the java.security.KeyStore field holding the trusted certificates
                StorageResolver storageResolver = new StorageResolver(new KeyStoreResolver(keyStore));
                keyInfo.addStorageResolver(storageResolver);
                cert = keyInfo.getX509Certificate(); // HERE!
            } catch (StorageResolverException e) {
                throw new MyErrorException(e);
            } catch (KeyResolverException e) {
                throw new MyErrorException(e);
            }
            return cert;
        } else {
            // keyInfo is present but carries no X509Data element
            throw new MyErrorException("Message contains no X509Data. Cannot check dsig.");
        }
    } else {
        // no KeyInfo element at all
        throw new MyErrorException("Message contains no KeyInfo. Cannot check dsig.");
    }
}