Werner,
Thank you for the response, I'm getting back a bit late because I wanted to
solve all of the remaining issues with security interoperability with .NET.
Anyway, I believe I am using the code you had mentioned. I compared it with
the latest in CVS, etc. The method in question, is below. The problem I still
get (don't know if it is my cert, it is the one I got from my Vendor (.NET)
shop, is that derEncodedValue comes back null (no SKI_OID). However, the
version comes back a "3", so the code to calculate the Identity is not
executed, and I get a null pointer exception
on line
byte abyte0[] = new byte[derEncodedValue.length - 4];
I modified the if statement to look like:
if (cert.getVersion() < 3 || derEncodedValue==null) {
and it passed through, the algorithm worked great and my system is happy.
I can now say that it works with my .NET customer, since I've just completed a
round trip using signature, timestamp, and encryption.
Not sure if it makes sense to make that change. My sense is that it doesn't
hurt since a null pointer exception will happen a few lines below so why not
give it a shot.
So I'm using an edited version of the final 1.0 release but would sure like to
be able to use the same version as everybody else.
thanks for your help.
-paul
/**
* Reads the SubjectKeyIdentifier information from the certificate.
* <p/>
* If the the certificate does not contain a SKI extension then
* try to compute the SKI according to RFC3280 using the
* SHA-1 hash value of the public key. The second method described
* in RFC3280 is not support. Also only RSA public keys are supported.
* If we cannot compute the SKI throw a WSSecurityException.
*
* @param cert The certificate to read SKI
* @return The byte array conating the binary SKI data
*/
public byte[] getSKIBytesFromCert(X509Certificate cert)
throws WSSecurityException {
/*
* Gets the DER-encoded OCTET string for the extension value
(extnValue)
* identified by the passed-in oid String. The oid string is
represented
* by a set of positive whole numbers separated by periods.
*/
byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
if (cert.getVersion() < 3) {
PublicKey key = cert.getPublicKey();
if (!(key instanceof RSAPublicKey)) {
throw new WSSecurityException(
1,
"noSKIHandling",
new Object[] { "Support for RSA
key only" });
}
byte[] encoded = key.getEncoded();
// remove 22-byte algorithm ID and header
byte[] value = new byte[encoded.length - 22];
System.arraycopy(encoded, 22, value, 0, value.length);
MessageDigest sha;
try {
sha = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException ex) {
throw new WSSecurityException(
1,
"noSKIHandling",
new Object[] { "Wrong
certificate version (<3) and no SHA1 message digest availabe" });
}
sha.reset();
sha.update(value);
return sha.digest();
}
/**
* Strip away first four bytes from the DerValue (tag and
length of
* ExtensionValue OCTET STRING and KeyIdentifier OCTET STRING)
*/
byte abyte0[] = new byte[derEncodedValue.length - 4];
System.arraycopy(derEncodedValue, 4, abyte0, 0, abyte0.length);
return abyte0;
}
-----Original Message-----
From: Dittmann, Werner [mailto:[EMAIL PROTECTED]
Sent: Friday, August 12, 2005 2:08 AM
To: Paul Grillo; [email protected]; [email protected]
Subject: AW: Public Certificate Access using Extension ID 2.5.29.14
Paul,
my assumptions are: you use the Subject Key Identifier (SKI)
to identify the certificate and you vendor uses .Net WSE?
Its a known problem that WSE uses the SKI or requires the
client to use it bit the certificates do not contain the
SKI (this is the extension value). Just recently we added
an extension to comupte the SKI for a certificate on the
fly - pls have a look and download the version 1.0.0 that
includes this extension.
Caveat: we have not yet a positive confirmation that this
extensions works together with .Net - the algorithm we use
to compute the SKI may differ from the algo .Net WSE uses.
We use an alog specified in the RFC (RFC3280?).
Regards,
Werner
> -----Ursprüngliche Nachricht-----
> Von: Paul Grillo [mailto:[EMAIL PROTECTED]
> Gesendet: Donnerstag, 11. August 2005 23:39
> An: [email protected]; [email protected]
> Betreff: Public Certificate Access using Extension ID 2.5.29.14
>
>
> I am using Axis and WSS4J for security. I am having problems
> communicating with my vendor when using his public certificate for
> encrypting. I am able to do the encryption but am not able
> to send the
> KeyIdentifier along, which is what he expects
>
> In org.apache.ws.security.components.crypto
>
> the following is an excerpt when calling to get the SKIBytes, the
> identifier.
>
> the line: byte[] derEncodedValue =
> cert.getExtensionValue(SKI_OID);
> returns a null and I get a null pointer later. Bottom line is that
> there is no extension value of type "2.5.29.14" in the certificate. Is
> there any other way to get the ID? I don't believe that this
> extension
> is required in
> this extension, but I need to pass along the key identifier.
> Presumable
> it exists, in the certificate. Or is that a bad assumption.
>
> I'm sort of stuck ... thanks for any help.
>
>
>
> /**
> * Reads the SubjectKeyIdentifier information from the
> certificate.
> * <p/>
> * If the the certificate does not contain a SKI extension then
> * try to compute the SKI according to RFC3280 using the
> * SHA-1 hash value of the public key. The second method described
> * in RFC3280 is not support. Also only RSA public keys are
> supported.
> * If we cannot compute the SKI throw a WSSecurityException.
> *
> * @param cert The certificate to read SKI
> * @return The byte array conating the binary SKI data
> */
> public byte[] getSKIBytesFromCert(X509Certificate cert)
> throws WSSecurityException {
> /*
> * Gets the DER-encoded OCTET string for the extension
> value (extnValue)
> * identified by the passed-in oid String. The oid
> string is represented
> * by a set of positive whole numbers separated by
> periods.
> */
> byte[] derEncodedValue =
> cert.getExtensionValue(SKI_OID);
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
