Paul, my assumptions are: you use the Subject Key Identifier (SKI) to identify the certificate, and your vendor uses .NET WSE?

It's a known problem that WSE uses the SKI, or requires the client to use it, but the certificates do not contain the SKI (this is the extension value). Just recently we added an extension to compute the SKI for a certificate on the fly. Please have a look and download version 1.0.0, which includes this extension.

Caveat: we do not yet have a positive confirmation that this extension works together with .NET. The algorithm we use to compute the SKI may differ from the algorithm .NET WSE uses. We use an algorithm specified in the RFC (RFC 3280?).

Regards,
Werner

> -----Original Message-----
> From: Paul Grillo [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 11 August 2005 23:39
> To: [email protected]; [email protected]
> Subject: Public Certificate Access using Extension ID 2.5.29.14
>
>
> I am using Axis and WSS4J for security. I am having problems
> communicating with my vendor when using his public certificate for
> encrypting. I am able to do the encryption but am not able to send the
> KeyIdentifier along, which is what he expects.
>
> In org.apache.ws.security.components.crypto
>
> the following is an excerpt when calling to get the SKIBytes, the
> identifier.
>
> The line: byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> returns a null and I get a null pointer later. Bottom line is that
> there is no extension value of type "2.5.29.14" in the certificate. Is
> there any other way to get the ID? I don't believe that this extension
> is required in this extension, but I need to pass along the key identifier.
> Presumably it exists in the certificate. Or is that a bad assumption?
>
> I'm sort of stuck ... thanks for any help.
>
>
>     /**
>      * Reads the SubjectKeyIdentifier information from the certificate.
>      * <p/>
>      * If the certificate does not contain a SKI extension then
>      * try to compute the SKI according to RFC3280 using the
>      * SHA-1 hash value of the public key. The second method described
>      * in RFC3280 is not supported. Also only RSA public keys are
>      * supported.
>      * If we cannot compute the SKI throw a WSSecurityException.
>      *
>      * @param cert The certificate to read SKI
>      * @return The byte array containing the binary SKI data
>      */
>     public byte[] getSKIBytesFromCert(X509Certificate cert)
>             throws WSSecurityException {
>         /*
>          * Gets the DER-encoded OCTET string for the extension value (extnValue)
>          * identified by the passed-in oid String. The oid string is represented
>          * by a set of positive whole numbers separated by periods.
>          */
>         byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
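The two points this thread turns on, as an added example that is not WSS4J's or .NET WSE's code: how RFC 3280 section 4.2.1.2 derives an SKI from the public key when the certificate carries no 2.5.29.14 extension (both RFC methods are shown, although the WSS4J excerpt above only implements the first), and why the value Java's getExtensionValue() returns must be unwrapped twice before it is the raw identifier. Pure Python with hashlib; the SubjectPublicKeyInfo is constructed for the demo (its modulus is a byte pattern, not a real key), and all function names are mine.

```python
"""Subject Key Identifier (SKI) derivation and extraction, RFC 3280 4.2.1.2.

Added example, not WSS4J or .NET WSE code. The demo key below is
constructed (not a real RSA key pair); only its DER shape matters.
"""
import hashlib


def _read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Handles short- and long-form definite lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, value):
    """Encode a DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i):
    """DER INTEGER for a non-negative int (leading 0x00 keeps it positive)."""
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der(0x02, b)


def subject_public_key(spki_der):
    """Return the subjectPublicKey BIT STRING contents of a SubjectPublicKeyInfo
    (for RSA that is the RSAPublicKey DER), minus the unused-bits byte.
    This is the value RFC 3280 hashes; it is NOT the whole SPKI."""
    tag, spki, _ = _read_tlv(spki_der)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _alg_id, pos = _read_tlv(spki)          # skip AlgorithmIdentifier
    tag, bitstr, _ = _read_tlv(spki, pos)      # subjectPublicKey BIT STRING
    assert tag == 0x03 and bitstr[0] == 0, "expected BIT STRING with 0 unused bits"
    return bitstr[1:]


def ski_method1(spki_der):
    """RFC 3280 method 1: the 160-bit SHA-1 of the BIT STRING value."""
    return hashlib.sha1(subject_public_key(spki_der)).digest()


def ski_method2(spki_der):
    """RFC 3280 method 2: 4-bit type field 0100 followed by the least
    significant 60 bits of the same SHA-1 hash (8 bytes total)."""
    h = ski_method1(spki_der)
    return bytes([0x40 | (h[12] & 0x0F)]) + h[13:]


def ski_from_extension_value(ext_value):
    """Unwrap what X509Certificate.getExtensionValue("2.5.29.14") returns in
    Java: the extnValue OCTET STRING, whose content is itself the
    SubjectKeyIdentifier OCTET STRING. Both layers must be stripped or the
    identifier sent on the wire carries two stray DER headers."""
    tag, outer, _ = _read_tlv(ext_value)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    tag, inner, _ = _read_tlv(outer)
    assert tag == 0x04, "SubjectKeyIdentifier must be an OCTET STRING"
    return inner


def ski_bytes(spki_der, ext_value=None):
    """Same strategy as the WSS4J excerpt in the thread: prefer the
    certificate's own SKI extension, fall back to computing method 1."""
    if ext_value is not None:
        return ski_from_extension_value(ext_value)
    return ski_method1(spki_der)


# Constructed demo key: a 512-bit modulus built from a fixed byte pattern
# (forced odd) and e = 65537. Not a usable key; only the encoding is real.
MODULUS = int.from_bytes(bytes(range(0x80, 0x80 + 64)), "big") | 1
RSA_OID = bytes.fromhex("06092a864886f70d010101")      # 1.2.840.113549.1.1.1
ALG_ID = _der(0x30, RSA_OID + b"\x05\x00")              # rsaEncryption, NULL
RSA_PUBLIC_KEY = _der(0x30, _der_int(MODULUS) + _der_int(65537))
SPKI = _der(0x30, ALG_ID + _der(0x03, b"\x00" + RSA_PUBLIC_KEY))

# What getExtensionValue() would return for a certificate whose issuer
# populated 2.5.29.14 using method 1 (constructed for the demo).
EXT_VALUE = _der(0x04, _der(0x04, ski_method1(SPKI)))

if __name__ == "__main__":
    print("method 1 :", ski_method1(SPKI).hex())
    print("method 2 :", ski_method2(SPKI).hex())
    print("from ext :", ski_bytes(SPKI, EXT_VALUE).hex())
    print("computed :", ski_bytes(SPKI).hex())
```

Two practical checks follow from this. First, if a peer rejects a computed identifier, compare your bytes against one they accept before blaming the algorithm: a double-wrapped OCTET STRING (24 bytes instead of 20) is a far more common cause than a different hash input. Second, the RFC only fixes the hash input as the BIT STRING contents; whether a given .NET WSE version hashes that or something else is exactly the open question Werner flags, so treat interoperability as something to verify against the vendor's token rather than assume.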
