List:       wss4j-dev
Subject:    RE: [jira] Created: (WSS-200) Compliance with X.509 Certificate Token Profile
From:       "Dittmann, Werner (NSN - DE/Munich)" <werner.dittmann () nsn ! com>
Date:       2009-06-18 10:58:50
Message-ID: D1FA621591E24549BA3C339EC9C2BC7201E749B2 () DEMUEXC014 ! nsn-intra ! net

Just checked this: this is the WSS4J handler key identifier code
"X509KeyIdentifier", the tool should use "SKIKeyIdentifier"
instead.

Or, if the tool uses it programmatically:
WSConstants.SKI_KEY_IDENTIFIER instead of WSConstants.X509_KEY_IDENTIFIER

The X509KeyIdentifier was defined in the X509 profile of 
WS Security V1.0 (AFAIK not in 1.1 anymore), but this is
for backward compatibility with 1.0.

Regards,
Werner

> -----Original Message-----
> From: ext Dittmann, Werner (NSN - DE/Munich) 
> [mailto:werner.dittmann@nsn.com] 
> Sent: Thursday, June 18, 2009 12:18 PM
> To: ext Mattias Sjölén (JIRA); wss4j-dev@ws.apache.org
> Subject: RE: [jira] Created: (WSS-200) Compliance with X.509 
> Certificate Token Profile
> 
> WSS4J supports several key identifier types, for example
> SKI (Subject Key Identifier), X509v3, thumbprint and
> others. It is the task of the software that uses the WSS4J
> library to select the key identifier type, thus the
> "Java based tool on Windows" should set the correct
> parameters. Where do you (or the "tool") specify which
> key identifier type (profile) to use?
> 
> Regards,
> Werner
> 
> > -----Original Message-----
> > From: ext Mattias Sjölén (JIRA) [mailto:jira@apache.org] 
> > Sent: Wednesday, June 17, 2009 7:54 PM
> > To: wss4j-dev@ws.apache.org
> > Subject: [jira] Created: (WSS-200) Compliance with X.509 
> > Certificate Token Profile
> > 
> > Compliance with X.509 Certificate Token Profile
> > -----------------------------------------------
> > 
> >                  Key: WSS-200
> >                  URL: https://issues.apache.org/jira/browse/WSS-200
> >              Project: WSS4J
> >           Issue Type: Bug
> >           Components: WSS4J Core
> >     Affects Versions: 1.5.7
> >          Environment: I have been running a Java based tool 
> > on Windows that has wss4j-1.5.7.jar in its lib folder, so I 
> > guess that WSS4J is used internally by the tool.
> >             Reporter: Mattias Sjölén
> >             Assignee: Ruchith Udayanga Fernando
> > 
> > 
> > Chapter "3.2.1 Reference to an X.509 Subject Key Identifier" 
> > in the "Certificate Token Profile 1.1" specification states 
> > the following - "The <wsse:KeyIdentifier> element MUST have a 
> > ValueType attribute with the value #X509SubjectKeyIdentifier 
> > and its contents MUST be the value of the certificate's 
> > X.509v3 SubjectKeyIdentifier extension, encoded as per the 
> > <wsse:KeyIdentifier> element's EncodingType attribute."
> > 
> > The tool I use signs an outgoing xml according to the 
> > specified policy and it will then contain the following tags:
> > <wsse:SecurityTokenReference wsu:Id="STRId-14A576A8..."
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >   <wsse:KeyIdentifier
> >     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> >     MIIEFzCCAv+gA...
> >   </wsse:KeyIdentifier>
> > </wsse:SecurityTokenReference>
> > 
> > Notice that the ValueType for the KeyIdentifier is #X509v3 
> > instead of #X509SubjectKeyIdentifier:
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> > 
> > If I perform a Base64Decode on the value inside the tag it 
> > contains an X.509 Certificate and not a Subject Key Identifier.
> > 
> > -- 
> > This message is automatically generated by JIRA.
> > -
> > You can reply to this email to add a comment to the issue online.
> > 
> > 
> > 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
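
The thread boils down to one check: a wsse:KeyIdentifier whose ValueType claims #X509SubjectKeyIdentifier must carry the raw SubjectKeyIdentifier extension value, while the WSS 1.0-style X509KeyIdentifier form (ValueType #X509v3) carries the whole Base64-encoded certificate, which is what Mattias saw when he decoded "MIIE..." (Base64 "MIIE" is the start of a long-form DER SEQUENCE, 30 82 04 ..). The Python below is an added example, not WSS4J code or the reporter's tool: it automates that decode-and-look step against a SecurityTokenReference fragment and emits the profile-1.1 form that Werner says the SKIKeyIdentifier setting produces. The certificate test is a DER-shape heuristic (one outer SEQUENCE whose first child is a SEQUENCE, covering the whole blob), not a full certificate parser, and the 20-byte SKI and the "certificate" blob used as input are constructed stand-ins, not real key material.

```python
"""Check a wsse:SecurityTokenReference against X.509 Token Profile 1.1, 3.2.1:
a KeyIdentifier with ValueType #X509SubjectKeyIdentifier must contain the
certificate's SubjectKeyIdentifier extension value, not the certificate itself."""
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
SOAP_SEC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
VT_SKI = X509_PROFILE + "#X509SubjectKeyIdentifier"   # profile 1.1, section 3.2.1
VT_X509V3 = X509_PROFILE + "#X509v3"                   # what WSS4J's X509KeyIdentifier emits
ENC_B64 = SOAP_SEC + "#Base64Binary"


def der_len(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_seq(*children):
    body = b"".join(children)
    return b"\x30" + der_len(len(body)) + body


def der_outer(blob):
    """(header_len, content_len) if blob starts with a DER SEQUENCE tag, else None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def looks_like_certificate(blob):
    """Shape heuristic (assumption, not a full X.509 parser): exactly one DER SEQUENCE
    spanning the blob whose first child is a SEQUENCE, i.e. the outline of
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }. A raw SKI value
    (commonly a 20-byte SHA-1 hash) does not normally have that shape."""
    outer = der_outer(blob)
    if outer is None:
        return False
    hdr, length = outer
    return hdr + length == len(blob) and len(blob) > hdr and blob[hdr] == 0x30


def check_key_identifier(str_xml):
    """Classify the KeyIdentifier inside a SecurityTokenReference fragment."""
    root = ET.fromstring(str_xml)
    kid = root.find(".//{%s}KeyIdentifier" % WSSE)
    if kid is None:
        return {"verdict": "no-key-identifier"}
    value_type = kid.get("ValueType", "")
    # Base64 content is often wrapped across lines; strip all whitespace first.
    raw = base64.b64decode("".join((kid.text or "").split()))
    is_cert = looks_like_certificate(raw)
    if value_type == VT_SKI and not is_cert:
        verdict = "ok-ski"
    elif value_type == VT_SKI and is_cert:
        verdict = "ski-valuetype-but-certificate-content"
    elif value_type == VT_X509V3 and is_cert:
        verdict = "x509v3-full-certificate"   # WSS 1.0 style, what the reporter saw
    else:
        verdict = "unexpected"
    return {"verdict": verdict, "value_type": value_type,
            "encoding_type": kid.get("EncodingType", ""),
            "decoded_len": len(raw), "is_certificate": is_cert}


def build_ski_reference(ski, str_id="STRId-example"):
    """Emit the profile-1.1 form: ValueType #X509SubjectKeyIdentifier, content = SKI."""
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    ref = ET.Element("{%s}SecurityTokenReference" % WSSE, {"{%s}Id" % WSU: str_id})
    kid = ET.SubElement(ref, "{%s}KeyIdentifier" % WSSE,
                        {"EncodingType": ENC_B64, "ValueType": VT_SKI})
    kid.text = base64.b64encode(ski).decode("ascii")
    return ET.tostring(ref, encoding="unicode")


# Constructed stand-ins (not real key material): a 20-byte SKI, and a blob with only the
# outer DER shape of a certificate (SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }).
SAMPLE_SKI = bytes(range(0x10, 0x24))
FAKE_CERT_DER = der_seq(der_seq(b"\x02\x01\x02"), der_seq(b"\x06\x01\x2a"), b"\x03\x02\x00\xff")

# The reporter's fragment, rebuilt with the constructed blob in place of "MIIEFzCCAv+gA...".
REPORTED_STR = (
    '<wsse:SecurityTokenReference xmlns:wsse="%s" xmlns:wsu="%s" wsu:Id="STRId-1">'
    '<wsse:KeyIdentifier EncodingType="%s" ValueType="%s">\n  %s\n</wsse:KeyIdentifier>'
    '</wsse:SecurityTokenReference>'
) % (WSSE, WSU, ENC_B64, VT_X509V3, base64.b64encode(FAKE_CERT_DER).decode("ascii"))

if __name__ == "__main__":
    print(check_key_identifier(REPORTED_STR)["verdict"])            # x509v3-full-certificate
    print(check_key_identifier(build_ski_reference(SAMPLE_SKI))["verdict"])   # ok-ski
```

Run against a real message, feed the whole <wsse:SecurityTokenReference> element to check_key_identifier; a result of x509v3-full-certificate on a reference that the policy expects to be an SKI reference is the symptom from WSS-200, and per Werner's reply the fix is on the calling side (handler key identifier "SKIKeyIdentifier", or WSConstants.SKI_KEY_IDENTIFIER in code), not in the message. The verdict ski-valuetype-but-certificate-content covers the worse case where the ValueType was switched but the content was not.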

