Paul,
Could you please open a JIRA issue, so that we can fix it in CVS for
the next release.
thanks,
dims
On 8/13/05, Paul Grillo <[EMAIL PROTECTED]> wrote:
> Werner,
>
> Thank you for the response, I'm getting back a bit late because I wanted to
> solve all of the remaining issues with security interoperability with .NET.
>
> Anyway, I believe I am using the code you had mentioned. I compared it with
> the latest in CVS, etc. The method in question is below. The problem I
> still get (don't know if it is my cert; it is the one I got from my vendor's
> (.NET) shop) is that derEncodedValue comes back null (no SKI_OID). However,
> the version comes back as "3", so the code to calculate the Identity is not
> executed, and I get a null pointer exception on the line
> byte abyte0[] = new byte[derEncodedValue.length - 4];
>
> I modified the if statement to look like:
> if (cert.getVersion() < 3 || derEncodedValue==null) {
>
> and it passed through, the algorithm worked great and my system is happy.
>
> I can now say that it works with my .NET customer, since I've just completed
> a round trip using signature, timestamp, and encryption.
>
> Not sure if it makes sense to make that change. My sense is that it doesn't
> hurt since a null pointer exception will happen a few lines below so why not
> give it a shot.
>
> So I'm using an edited version of the final 1.0 release but would sure like
> to be able to use the same version as everybody else.
>
> thanks for your help.
>
> -paul
>
> /**
>  * Reads the SubjectKeyIdentifier information from the certificate.
>  * <p/>
>  * If the certificate does not contain a SKI extension then
>  * try to compute the SKI according to RFC3280 using the
>  * SHA-1 hash value of the public key. The second method described
>  * in RFC3280 is not supported. Also only RSA public keys are supported.
>  * If we cannot compute the SKI throw a WSSecurityException.
>  *
>  * @param cert The certificate to read SKI
>  * @return The byte array containing the binary SKI data
>  */
> public byte[] getSKIBytesFromCert(X509Certificate cert)
>         throws WSSecurityException {
>     /*
>      * Gets the DER-encoded OCTET string for the extension value (extnValue)
>      * identified by the passed-in oid String. The oid string is represented
>      * by a set of positive whole numbers separated by periods.
>      */
>     byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
>
>     if (cert.getVersion() < 3) {
>         PublicKey key = cert.getPublicKey();
>         if (!(key instanceof RSAPublicKey)) {
>             throw new WSSecurityException(
>                     1,
>                     "noSKIHandling",
>                     new Object[] { "Support for RSA key only" });
>         }
>         byte[] encoded = key.getEncoded();
>         // remove 22-byte algorithm ID and header
>         byte[] value = new byte[encoded.length - 22];
>         System.arraycopy(encoded, 22, value, 0, value.length);
>         MessageDigest sha;
>         try {
>             sha = MessageDigest.getInstance("SHA-1");
>         } catch (NoSuchAlgorithmException ex) {
>             throw new WSSecurityException(
>                     1,
>                     "noSKIHandling",
>                     new Object[] { "Wrong certificate version (<3) and no SHA1 message digest available" });
>         }
>         sha.reset();
>         sha.update(value);
>         return sha.digest();
>     }
>
>     /*
>      * Strip away first four bytes from the DerValue (tag and length of
>      * ExtensionValue OCTET STRING and KeyIdentifier OCTET STRING)
>      */
>     byte abyte0[] = new byte[derEncodedValue.length - 4];
>
>     System.arraycopy(derEncodedValue, 4, abyte0, 0, abyte0.length);
>     return abyte0;
> }
>
>
>
>
> -----Original Message-----
> From: Dittmann, Werner [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 12, 2005 2:08 AM
> To: Paul Grillo; [email protected]; [email protected]
> Subject: AW: Public Certificate Access using Extension ID 2.5.29.14
>
> Paul,
> my assumptions are: you use the Subject Key Identifier (SKI)
> to identify the certificate and your vendor uses .Net WSE?
>
> It's a known problem that WSE uses the SKI or requires the
> client to use it, but the certificates do not contain the
> SKI (this is the extension value). Just recently we added
> an extension to compute the SKI for a certificate on the
> fly - please have a look and download the version 1.0.0 that
> includes this extension.
>
> Caveat: we do not yet have positive confirmation that this
> extension works together with .Net - the algorithm we use
> to compute the SKI may differ from the algorithm .Net WSE uses.
> We use an algorithm specified in the RFC (RFC3280?).
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: Paul Grillo [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 11 August 2005 23:39
> > To: [email protected]; [email protected]
> > Subject: Public Certificate Access using Extension ID 2.5.29.14
> >
> >
> > I am using Axis and WSS4J for security. I am having problems
> > communicating with my vendor when using his public certificate for
> > encrypting. I am able to do the encryption but am not able to send the
> > KeyIdentifier along, which is what he expects.
> >
> > In org.apache.ws.security.components.crypto
> >
> > the following is an excerpt when calling to get the SKIBytes, the
> > identifier.
> >
> > The line: byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> > returns a null and I get a null pointer later. Bottom line is that
> > there is no extension value of type "2.5.29.14" in the certificate. Is
> > there any other way to get the ID? I don't believe that this extension
> > is required in this extension, but I need to pass along the key identifier.
> > Presumably it exists in the certificate. Or is that a bad assumption?
> >
> > I'm sort of stuck ... thanks for any help.
> >
> >
> >
> > /**
> >  * Reads the SubjectKeyIdentifier information from the certificate.
> >  * <p/>
> >  * If the certificate does not contain a SKI extension then
> >  * try to compute the SKI according to RFC3280 using the
> >  * SHA-1 hash value of the public key. The second method described
> >  * in RFC3280 is not supported. Also only RSA public keys are supported.
> >  * If we cannot compute the SKI throw a WSSecurityException.
> >  *
> >  * @param cert The certificate to read SKI
> >  * @return The byte array containing the binary SKI data
> >  */
> > public byte[] getSKIBytesFromCert(X509Certificate cert)
> >         throws WSSecurityException {
> >     /*
> >      * Gets the DER-encoded OCTET string for the extension value (extnValue)
> >      * identified by the passed-in oid String. The oid string is represented
> >      * by a set of positive whole numbers separated by periods.
> >      */
> >     byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
--
Davanum Srinivas : http://wso2.com/ - Oxygenating The Web Service Platform
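The two failure modes discussed in this thread are a missing SKI extension (the null derEncodedValue) and the fixed 22-byte skip into the encoded public key. The following is an added Python example, not WSS4J code and not anything posted by the participants. It builds a SubjectPublicKeyInfo around a constructed stand-in modulus (a number with the top bit set, not a real key), parses the DER instead of assuming offsets, computes the RFC 3280 method-1 identifier, extracts a KeyIdentifier from a nested extnValue with long-form lengths handled, and falls back to computing only when the extension is absent rather than on certificate version. The offset arithmetic it demonstrates is mine: 22 header bytes is what a 1024-bit RSA key produces, while a 2048-bit key needs 24. All function names are hypothetical.

```python
import hashlib

# Added example (not WSS4J code): Subject Key Identifier handling with a
# small DER parser instead of fixed byte offsets.


def der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    # An extra byte when the top bit is set keeps the INTEGER positive.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def der_read_tlv(buf, pos=0):
    """Parse one TLV at pos; returns (tag, content, end). Handles long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def fake_modulus(bits):
    """Constructed stand-in for an RSA modulus (top bit set, NOT a real key)."""
    return (1 << (bits - 1)) | 12345


def rsa_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo for rsaEncryption (what X.509 getEncoded() returns)."""
    rsa_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
    alg_id = der_tlv(0x30, der_tlv(0x06, rsa_oid) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    bit_string = der_tlv(0x03, b"\x00" + rsa_key)  # leading 0x00: no unused bits
    return der_tlv(0x30, alg_id + bit_string)


def subject_public_key_bits(spki):
    """Contents of the subjectPublicKey BIT STRING, minus the unused-bits octet."""
    tag, body, _ = der_read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, after_alg = der_read_tlv(body)  # skip AlgorithmIdentifier
    tag, bits, _ = der_read_tlv(body, after_alg)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    return bits[1:]


def ski_from_spki(spki):
    """RFC 3280 4.2.1.2 method 1: SHA-1 over the BIT STRING value (no tag, length, unused-bits octet)."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()


def ski_fixed_offset(spki):
    """The fixed-offset variant from the thread: skip 22 header bytes."""
    return hashlib.sha1(spki[22:]).digest()


def hash_input_offset(spki):
    """Where the hash input really starts; 22 only for some key sizes."""
    return len(spki) - len(subject_public_key_bits(spki))


def key_identifier_from_extn_value(extn_value):
    """extnValue is an OCTET STRING wrapping KeyIdentifier ::= OCTET STRING; reject trailing data."""
    tag, inner, end = der_read_tlv(extn_value)
    if tag != 0x04 or end != len(extn_value):
        raise ValueError("extnValue is not a single OCTET STRING")
    tag, keyid, end = der_read_tlv(inner)
    if tag != 0x04 or end != len(inner):
        raise ValueError("KeyIdentifier is not a single OCTET STRING")
    return keyid


def resolve_ski(extn_value, spki):
    """Use the extension when present; otherwise compute, whatever the certificate version."""
    if extn_value is None:
        return ski_from_spki(spki)
    return key_identifier_from_extn_value(extn_value)


if __name__ == "__main__":
    for bits in (1024, 2048):
        spki = rsa_spki(fake_modulus(bits))
        print(bits, hash_input_offset(spki), ski_from_spki(spki).hex())
```

The parser-based path returns the same digest as the 22-byte skip for a 1024-bit key and a different one for a 2048-bit key, which is exactly the kind of silent mismatch that makes a computed SKI disagree with what a peer expects; deciding on the fallback by checking for a missing extension rather than the certificate version is the null-check change described in the thread.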