October 2006 - jbossws-dev - Jboss List Archives

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by scott.stark＠jboss.org

"anil.saldhana(a)jboss.com" wrote : | No user requests have come in this area. Mainly used in smart cards(not sure of other uses). Like you said, unnecessary indirection. I'm not opposed to this driving features, like a new keystore format to allow for these types of certs, as you know I love the idea of smart cards replacing the password hell that exists today. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980191#3980191 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980191

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by scott.stark＠jboss.org

Ok, so we need a basic ca tool set. Its been a while since I looked at ejbca (http://sourceforge.net/projects/ejbca/) so its worth looking at how retargetable it would be for this effort. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980175#3980175 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980175

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by jason.greene＠jboss.com

In addition bc also has utility classes that decode just about every X509 attribtue that exists. For example: http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/asn1/x509/Subje... http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/asn1/x509/Attri... -Jason View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980167#3980167 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980167

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by anil.saldhana＠jboss.com

"scott.stark(a)jboss.org" wrote : "anil.saldhana(a)jboss.com" wrote : I do not think all the constituents of a X509 certificate map to standard JDK classes. An example are the Attribute Certificates that can be issued by the CA as part of a x509 certificate. | Where is this used? I'm not keen on pushing too much to pki management layer. Issuing certs for roles seems like an unnecessary indirection. | No user requests have come in this area. Mainly used in smart cards(not sure of other uses). Like you said, unnecessary indirection. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980163#3980163 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980163

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by jason.greene＠jboss.com

"scott.stark(a)jboss.org" wrote : "jason.greene(a)jboss.com" wrote : | | 1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl. | | | We should just look at whether bouncy castle/ejbca can be leveraged to get a sufficient cert generation capability into our codebase. | Agreed, I know we have some advanced long term goals, but I think just getting a basic tool in to begin with is important. Even if self-signing is all thats supported thats something. "scott.stark(a)jboss.org" wrote : | \Access to any raw attribute seems to exist. What is not generally available is a mechanism to control how to decode a given attribute. I would assume this is going to require ASN/DER classes (should exist in bc or even opends), along with a OID to format handler registry. The latter is core to ldap and so maybe we can leverage the opends schema handling pieces as a way to externalize the cert attribute handling as well. | Yes bc does have ASN/DER decoding: http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/asn1/package-su... If work starts in either of these areas I can try and get some time to work on this if needed. -Jason View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980162#3980162 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980162

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by scott.stark＠jboss.org

"anil.saldhana(a)jboss.com" wrote : I do not think all the constituents of a X509 certificate map to standard JDK classes. An example are the Attribute Certificates that can be issued by the CA as part of a x509 certificate. Where is this used? I'm not keen on pushing too much to pki management layer. Issuing certs for roles seems like an unnecessary indirection. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980159#3980159 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980159

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by scott.stark＠jboss.org

"jason.greene(a)jboss.com" wrote : | 1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl. | We should just look at whether bouncy castle/ejbca can be leveraged to get a sufficient cert generation capability into our codebase. "jason.greene(a)jboss.com" wrote : | 2. Support for subject key identifier code follows (Although, ideally all v3 attributes would be supported) | | | | public static byte[] getSubjectKeyIdentifier(X509Certificate cert) | | { | | // Maybee we should make one ourselves if it isn't there? | | byte[] encoded = cert.getExtensionValue("2.5.29.14"); | | if (encoded == null) | | return null; | | | | // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]] | | int trunc = encoded.length - 4; | | | | byte[] identifier = new byte[trunc]; | | System.arraycopy(encoded, 4, identifier, 0, trunc); | | | | return identifier; | | } | | | Access to any raw attribute seems to exist. What is not generally available is a mechanism to control how to decode a given attribute. I would assume this is going to require ASN/DER classes (should exist in bc or even opends), along with a OID to format handler registry. The latter is core to ldap and so maybe we can leverage the opends schema handling pieces as a way to externalize the cert attribute handling as well. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980154#3980154 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980154

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by jason.greene＠jboss.com

We need 2 things: 1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl. 2. Support for subject key identifier code follows 3. Ideally all v3 attributes would be supported | public static byte[] getSubjectKeyIdentifier(X509Certificate cert) | { | // Maybee we should make one ourselves if it isn't there? | byte[] encoded = cert.getExtensionValue("2.5.29.14"); | if (encoded == null) | return null; | | // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]] | int trunc = encoded.length - 4; | | byte[] identifier = new byte[trunc]; | System.arraycopy(encoded, 4, identifier, 0, trunc); | | return identifier; | } | Let me know how you would like this represented as JIRA issues. -Jason View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980129#3980129 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980129

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - Re: What do we need in terms of x509 cert processing for ws

by anil.saldhana＠jboss.com

I do not think all the constituents of a X509 certificate map to standard JDK classes. An example are the Attribute Certificates that can be issued by the CA as part of a x509 certificate. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980115#3980115 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980115

18 years, 2 months

1
0
0 / 0

[Design of JBoss Web Services] - What do we need in terms of x509 cert processing for ws secu

by scott.stark＠jboss.org

As part of a user issue, I ended up needing to drill into the OtherName value of the SubjectAltName field of an x509 cert. There does not appear to be public apis for doing this as the DER classes are implementation details under the sun.* package namespace. I'm sure I can get equivalents from bouncy castle, but I want to know what is the scope of the x509 cert processing routines we should be providing as part of the jbosssx spis. Can we gather those requirements here and translate those into a http://jira.jboss.com/jira/browse/SECURITY issue. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980109#3980109 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3980109

18 years, 2 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jbossws-dev October 2006