Heiner, I've added a temporary fix to using BouncyCastle's classes if sun.security.util.DerValue. Am adding the "temporary" qualifier because Sean has promised a better fix :)
-- dims

On Mon, 12 Jul 2004 17:11:16 -0400, Sean Mullan <[EMAIL PROTECTED]> wrote:
> Just back today after JavaOne and vacation but swamped in email, etc... I
> should be able to look at this later in the week.
>
> --Sean
>
> Davanum Srinivas wrote:
> > Sean,
> >
> > Are u guys back from vacation yet? :)
> >
> > -- dims
> >
> > On Fri, 25 Jun 2004 09:35:57 -0400, Sean Mullan <[EMAIL PROTECTED]> wrote:
> >
> >>I'd say it wouldn't be too hard to remove the dependency on the DerValue
> >>class completely. Basically, you want to extract the KeyIdentifier Octet
> >>String from the DER-encoded extension value and then strip off the octet tag.
> >>
> >>If I have some time later, I'll send a snippet of code.
> >>
> >>--Sean
> >>
> >>Davanum Srinivas wrote:
> >>
> >>>would you be able to compile a fresh version of xml-security from our
> >>>cvs? if so, try replacing sun's DerValue with
> >>>com.ibm.security.util.DerValue and see if that works, if it does, i am
> >>>willing to patch the code using java reflection api to switch between
> >>>the two.
> >>>
> >>>thanks,
> >>>-- dims
> >>>
> >>>On Fri, 25 Jun 2004 14:43:56 +0200, Heiner Westphal
> >>><[EMAIL PROTECTED]> wrote:
> >>>
> >>>>I dug some more...
> >>>>
> >>>>It seems sun's DerValue class is only used, if
> >>>>the xml signature keyinfo contains an <X509SKI> element
> >>>>(signatures without work).
> >>>>
> >>>>This is what I get. I'm not sure if this is a legal keyinfo.
> >>>>If the combination of issuer/serial and ski is not ok, I can
> >>>>move the problem ownership to the sender :)
> >>>>
> >>>><KeyInfo>
> >>>>  <X509Data>
> >>>>    <X509IssuerSerial>
> >>>>      <X509IssuerName>
> >>>>        C=DE,O=Secret GmbH, OU=development,CN=TestSecret
> >>>>      </X509IssuerName>
> >>>>      <X509SerialNumber>7711026923132787338</X509SerialNumber>
> >>>>    </X509IssuerSerial>
> >>>>    <X509SKI>aTTp+EejjS30eFH+UObfuscaTeME=</X509SKI>
> >>>>  </X509Data>
> >>>></KeyInfo>
> >>>>
> >>>>Regards,
> >>>>
> >>>>Heiner
> >>>>
> >>>>Heiner Westphal wrote:
> >>>>
> >>>>>Hello!
> >>>>>
> >>>>>I'm using xml-security java 1.1.0 on an AIX with
> >>>>>IBM SDK 1.4.1.
> >>>>>
> >>>>>In org.apache.xml.security.keys.content.x509.XMLX509SKI
> >>>>>an object of class sun.security.util.DerValue is used, which
> >>>>>should not be according to
> >>>>>http://java.sun.com/products/jdk/faq/faq-sun-packages.html
> >>>>>
> >>>>>When I'm trying to read a specific certificate I get:
> >>>>>Exception in thread "main" java.lang.NoClassDefFoundError:
> >>>>>sun/security/util/DerValue.
> >>>>>This does not happen, if I use a self-signed cert created with
> >>>>>keytool and keyalg=DSA.
> >>>>>
> >>>>>If anyone knows a quick workaround, please tell me.
> >>>>>
> >>>>>P.S.: The calling code is attached, trace below.
> >>>>>trace is (sorry, no line numbers,
> >>>>>... means org.apache.xml.security.):
> >>>>>
> >>>>>Exception in thread "main" java.lang.NoClassDefFoundError:
> >>>>>sun/security/util/DerValue
> >>>>>at ...keys.content.x509.XMLX509SKI.getSKIBytesFromCert(Unknown Source)
> >>>>>at ...keys.content.x509.XMLX509SKI.<init>(Unknown Source)
> >>>>>at ...keys.keyresolver.implementations.X509SKIResolver.
> >>>>>   engineResolveX509Certificate(Unknown Source)
> >>>>>at ...keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
> >>>>>at ...keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
> >>>>>at ...keys.KeyInfo.getX509Certificate(Unknown Source)
> >>>>>- HERE starts my custom code, see attachment -
> >>>>>
> >>>>>------------------------------------------------------------------------
> >>>>>
> >>>>>    /**
> >>>>>     * Get a certificate that matches the given keyinfo.
> >>>>>     * @param keyInfo Keyinfo to check against.
> >>>>>     * @return certificate that matches the keyinfo.
> >>>>>     * @throws MyErrorException If no certificate was found just
> >>>>>     *         because there was no matching, or because
> >>>>>     *         the keystore was broken.
> >>>>>     */
> >>>>>    private X509Certificate getCertificate(final KeyInfo keyInfo)
> >>>>>            throws MyErrorException {
> >>>>>        if (keyInfo != null) {
> >>>>>            if (keyInfo.containsX509Data()) {
> >>>>>                X509Certificate cert;
> >>>>>                try {
> >>>>>                    StorageResolver storageResolver =
> >>>>>                        new StorageResolver(new KeyStoreResolver(keyStore));
> >>>>>                    keyInfo.addStorageResolver(storageResolver);
> >>>>>                    cert = keyInfo.getX509Certificate(); // HERE!
> >>>>>                } catch (StorageResolverException e) {
> >>>>>                    throw new MyErrorException(e);
> >>>>>                } catch (KeyResolverException e) {
> >>>>>                    throw new MyErrorException(e);
> >>>>>                }
> >>>>>                return cert;
> >>>>>            } else {
> >>>>>                throw new MyErrorException(
> >>>>>                    "Message contains no X509Data. " + "Cannot check dsig.");
> >>>>>            }
> >>>>>        } else {
> >>>>>            throw new MyErrorException(
> >>>>>                "Message contains no KeyInfo. " + "Cannot check dsig.");
> >>>>>        }
> >>>>>    }

-- 
Davanum Srinivas - http://webservices.apache.org/~dims/