List: wss4j-dev
Subject: RE: [jira] Created: (WSS-200) Compliance with X.509 Certificate Token Profile
From: "Dittmann, Werner (NSN - DE/Munich)" <werner.dittmann () nsn ! com>
Date: 2009-06-18 10:58:50
Message-ID: D1FA621591E24549BA3C339EC9C2BC7201E749B2 () DEMUEXC014 ! nsn-intra ! net
Just checked this: this is the WSS4J handler key identifier code
"X509KeyIdentifier", the tool should use "SKIKeyIdentifier"
instead.
Or, if the tool uses it programmatically:
WSConstants.SKI_KEY_IDENTIFIER instead of WSConstants.X509_KEY_IDENTIFIER
The X509KeyIdentifier was defined in X509 profile of
WS Security V1.0 (AFAIK not in 1.1 anymore) but this is
backward compatibility with 1.0.
Regards,
Werner
> -----Original Message-----
> From: ext Dittmann, Werner (NSN - DE/Munich)
> [mailto:werner.dittmann@nsn.com]
> Sent: Thursday, June 18, 2009 12:18 PM
> To: ext Mattias Sjölén (JIRA); wss4j-dev@ws.apache.org
> Subject: RE: [jira] Created: (WSS-200) Compliance with X.509
> Certificate Token Profile
>
> WSS4J supports several key identifier types, for example
> SKI (Subject Key Identifier), X509v3, thumbprint and
> others. It is the task of the software that uses WSS4J
> library to select the key identifier type, thus the
> "Java based tool on Windows" should set the correct
> parameters. Where do you (or the "tool") specify which
> key identifier type (profile) to use?
>
> Regards,
> Werner
>
> > -----Original Message-----
> > From: ext Mattias Sjölén (JIRA) [mailto:jira@apache.org]
> > Sent: Wednesday, June 17, 2009 7:54 PM
> > To: wss4j-dev@ws.apache.org
> > Subject: [jira] Created: (WSS-200) Compliance with X.509
> > Certificate Token Profile
> >
> > Compliance with X.509 Certificate Token Profile
> > -----------------------------------------------
> >
> > Key: WSS-200
> > URL: https://issues.apache.org/jira/browse/WSS-200
> > Project: WSS4J
> > Issue Type: Bug
> > Components: WSS4J Core
> > Affects Versions: 1.5.7
> > Environment: I have been running a Java based tool
> > on Windows that has wss4j-1.5.7.jar in its lib folder so I
> > guess that WSS4J is used internally by the tool.
> > Reporter: Mattias Sjölén
> > Assignee: Ruchith Udayanga Fernando
> >
> >
> > Chapter "3.2.1 Reference to an X.509 Subject Key Identifier"
> > in the "Certificate Token Profile 1.1" specification states
> > the following - "The <wsse:KeyIdentifier> element MUST have a
> > ValueType attribute with the value #X509SubjectKeyIdentifier
> > and its contents MUST be the value of the certificate's
> > X.509v3 SubjectKeyIdentifier extension, encoded as per the
> > <wsse:KeyIdentifier> element's EncodingType attribute."
> >
> > The tool I use signs an outgoing xml according to the
> > specified policy and it will then contain the following tags:
> > <wsse:SecurityTokenReference wsu:Id="STRId-14A576A8..."
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > <wsse:KeyIdentifier
> > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> > MIIEFzCCAv+gA...
> > </wsse:KeyIdentifier>
> > </wsse:SecurityTokenReference>
> >
> > Notice that the ValueType for the KeyIdentifier is #X509v3
> > instead of #X509SubjectKeyIdentifier
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> >
> > If I perform a Base64Decode on the value inside the tag it
> > contains an X.509 Certificate and not a Subject Key Identifier
> > --
> > This message is automatically generated by JIRA.
> > -
> > You can reply to this email to add a comment to the issue online.
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: wss4j-dev-help@ws.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
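
An added example, not part of the original thread and not WSS4J code: a Python check that reads each wsse:KeyIdentifier in a message and reports whether it carries a whole certificate under #X509v3 (the form seen in WSS-200) or a Subject Key Identifier under #X509SubjectKeyIdentifier. The function names, the DER-header heuristic and the sample payloads are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
X509V3, SKI = PROFILE + "#X509v3", PROFILE + "#X509SubjectKeyIdentifier"

def der_sequence_len(data):
    """Total length of an outer DER SEQUENCE, or None if data is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                      # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_key_identifiers(xml_text):
    """Return (ValueType fragment, decoded length, verdict) per KeyIdentifier."""
    results = []
    for ki in ET.fromstring(xml_text).iter("{%s}KeyIdentifier" % WSSE):
        vt = ki.get("ValueType", "")
        raw = base64.b64decode("".join((ki.text or "").split()), validate=True)
        # Heuristic (assumption): a certificate is one DER SEQUENCE spanning
        # the whole value; an SKI is a short opaque octet string.
        is_cert = len(raw) > 64 and der_sequence_len(raw) == len(raw)
        if vt == X509V3 and is_cert:
            verdict = "certificate"         # the form observed in WSS-200
        elif vt == SKI and not is_cert:
            verdict = "ski"                 # what profile section 3.2.1 requires
        else:
            verdict = "mismatch"            # ValueType disagrees with content
        results.append((vt.rpartition("#")[2], len(raw), verdict))
    return results

def sample_reference(value_type, payload):
    """Build a constructed SecurityTokenReference around the given bytes."""
    return ('<wsse:SecurityTokenReference xmlns:wsse="%s"><wsse:KeyIdentifier '
            'ValueType="%s">%s</wsse:KeyIdentifier></wsse:SecurityTokenReference>'
            % (WSSE, value_type, base64.b64encode(payload).decode()))

# Constructed payloads: a DER header sized like a certificate, and a 20-byte SKI.
FAKE_CERT = bytes.fromhex("30820417") + bytes(0x417)
FAKE_SKI = bytes(range(20))

if __name__ == "__main__":
    for vt, data in ((X509V3, FAKE_CERT), (SKI, FAKE_SKI), (SKI, FAKE_CERT)):
        print(check_key_identifiers(sample_reference(vt, data)))
```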