1. Re: What do we need in terms of x509 cert processing for ws
anil.saldhana Oct 23, 2006 1:29 PM (in response to starksm64)
I do not think all the constituents of an X509 certificate map to standard JDK classes. An example is the Attribute Certificates that can be issued by the CA as part of an x509 certificate.
-
2. Re: What do we need in terms of x509 cert processing for ws
jason.greene Oct 23, 2006 2:27 PM (in response to starksm64)
We need 2 things:
1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl.
2. Support for subject key identifier, code follows (although ideally all v3 attributes would be supported):

    import java.security.cert.X509Certificate;

    public static byte[] getSubjectKeyIdentifier(X509Certificate cert) {
        // Maybe we should make one ourselves if it isn't there?
        // 2.5.29.14 is the OID of the SubjectKeyIdentifier extension
        byte[] encoded = cert.getExtensionValue("2.5.29.14");
        if (encoded == null)
            return null;
        // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]]
        // (this assumes both DER lengths fit in one byte, i.e. an identifier shorter than 128 bytes)
        int trunc = encoded.length - 4;
        byte[] identifier = new byte[trunc];
        System.arraycopy(encoded, 4, identifier, 0, trunc);
        return identifier;
    }

Let me know how you would like this represented as JIRA issues.
-Jason
-
3. Re: What do we need in terms of x509 cert processing for ws
starksm64 Oct 23, 2006 3:21 PM (in response to starksm64)
"jason.greene@jboss.com" wrote:
1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl.
We should just look at whether bouncy castle/ejbca can be leveraged to get a sufficient cert generation capability into our codebase.
"jason.greene@jboss.com" wrote:
2. Support for subject key identifier, code follows (although ideally all v3 attributes would be supported):

    import java.security.cert.X509Certificate;

    public static byte[] getSubjectKeyIdentifier(X509Certificate cert) {
        // Maybe we should make one ourselves if it isn't there?
        // 2.5.29.14 is the OID of the SubjectKeyIdentifier extension
        byte[] encoded = cert.getExtensionValue("2.5.29.14");
        if (encoded == null)
            return null;
        // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]]
        // (this assumes both DER lengths fit in one byte, i.e. an identifier shorter than 128 bytes)
        int trunc = encoded.length - 4;
        byte[] identifier = new byte[trunc];
        System.arraycopy(encoded, 4, identifier, 0, trunc);
        return identifier;
    }

Access to any raw attribute seems to exist. What is not generally available is a mechanism to control how to decode a given attribute. I would assume this is going to require ASN/DER classes (should exist in bc or even opends), along with an OID to format handler registry. The latter is core to ldap and so maybe we can leverage the opends schema handling pieces as a way to externalize the cert attribute handling as well.
-
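Added illustration (not code from this thread, from JBoss or from bouncy castle) of the DER nesting that Jason's 4-byte skip relies on and that Scott's ASN/DER remark is about, written in Python with constructed input: a small TLV reader that also handles long-form lengths, the post's skip-4 shortcut for comparison, and the RFC 5280 4.2.1.2 method (1) SHA-1 derivation for the "make one ourselves" case. Function names and the sample key bytes are assumptions of this example.

```python
import hashlib

OCTET_STRING = 0x04  # DER tag used for both layers of the SKI extension value

def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos). Handles both
    short-form (< 128) and long-form (0x81, 0x82 ...) lengths, unlike a fixed 4-byte skip."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                   # short form: the byte is the length
        length = first
    else:                              # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def subject_key_identifier(ext_value):
    """Unwrap getExtensionValue()-style bytes: OCTET STRING { OCTET STRING { keyId } }."""
    tag, inner, end = read_tlv(ext_value)
    if tag != OCTET_STRING or end != len(ext_value):
        raise ValueError("outer value is not a single OCTET STRING")
    tag, key_id, end = read_tlv(inner)
    if tag != OCTET_STRING or end != len(inner):
        raise ValueError("inner value is not a single OCTET STRING")
    return key_id

def skip4(ext_value):
    """The forum post's shortcut: drop the first 4 bytes unconditionally."""
    return ext_value[4:]

def wrap_octet_string(content):
    """DER-encode content as an OCTET STRING (used here to build constructed test input)."""
    n = len(content)
    if n < 0x80:
        return bytes([OCTET_STRING, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([OCTET_STRING, 0x80 | len(length_bytes)]) + length_bytes + content

def key_identifier_from_spk(subject_public_key_bits):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING contents."""
    return hashlib.sha1(subject_public_key_bits).digest()
```

For the usual 20-byte SHA-1 identifier both decoders agree; once either length needs the long form (an identifier of 128 bytes or more), only the TLV reader returns the right bytes.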
4. Re: What do we need in terms of x509 cert processing for ws
starksm64 Oct 23, 2006 3:35 PM (in response to starksm64)
"anil.saldhana@jboss.com" wrote:
I do not think all the constituents of an X509 certificate map to standard JDK classes. An example is the Attribute Certificates that can be issued by the CA as part of an x509 certificate.
Where is this used? I'm not keen on pushing too much to the pki management layer. Issuing certs for roles seems like an unnecessary indirection.
-
5. Re: What do we need in terms of x509 cert processing for ws
jason.greene Oct 23, 2006 3:42 PM (in response to starksm64)
"scott.stark@jboss.org" wrote:
"jason.greene@jboss.com" wrote:
1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell people to use openssl.
We should just look at whether bouncy castle/ejbca can be leveraged to get a sufficient cert generation capability into our codebase.
Agreed, I know we have some advanced long term goals, but I think just getting a basic tool in to begin with is important. Even if self-signing is all that's supported, that's something.
"scott.stark@jboss.org" wrote:
Access to any raw attribute seems to exist. What is not generally available is a mechanism to control how to decode a given attribute. I would assume this is going to require ASN/DER classes (should exist in bc or even opends), along with an OID to format handler registry. The latter is core to ldap and so maybe we can leverage the opends schema handling pieces as a way to externalize the cert attribute handling as well.
Yes, bc does have ASN/DER decoding:
http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/asn1/package-summary.html
If work starts in either of these areas I can try and get some time to work on this if needed.
-Jason
-
6. Re: What do we need in terms of x509 cert processing for ws
anil.saldhana Oct 23, 2006 3:43 PM (in response to starksm64)
"scott.stark@jboss.org" wrote:
"anil.saldhana@jboss.com" wrote:
I do not think all the constituents of an X509 certificate map to standard JDK classes. An example is the Attribute Certificates that can be issued by the CA as part of an x509 certificate.
Where is this used? I'm not keen on pushing too much to the pki management layer. Issuing certs for roles seems like an unnecessary indirection.
No user requests have come in this area. Mainly used in smart cards (not sure of other uses). Like you said, unnecessary indirection.
-
7. Re: What do we need in terms of x509 cert processing for ws
jason.greene Oct 23, 2006 3:48 PM (in response to starksm64)
In addition bc also has utility classes that decode just about every X509 attribute that exists.
For example:
http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/asn1/x509/SubjectKeyIdentifier.html
http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/asn1/x509/AttributeCertificate.html
-Jason
-
8. Re: What do we need in terms of x509 cert processing for ws
starksm64 Oct 23, 2006 4:06 PM (in response to starksm64)
Ok, so we need a basic ca tool set. It's been a while since I looked at ejbca (http://sourceforge.net/projects/ejbca/) so it's worth looking at how retargetable it would be for this effort.
-
9. Re: What do we need in terms of x509 cert processing for ws
starksm64 Oct 23, 2006 4:30 PM (in response to starksm64)
"anil.saldhana@jboss.com" wrote:
No user requests have come in this area. Mainly used in smart cards (not sure of other uses). Like you said, unnecessary indirection.
I'm not opposed to this driving features, like a new keystore format to allow for these types of certs, as you know I love the idea of smart cards replacing the password hell that exists today.
-
10. Re: What do we need in terms of x509 cert processing for ws
anil.saldhana Oct 23, 2006 4:57 PM (in response to starksm64)
"scott.stark@jboss.org" wrote:
I'm not opposed to this driving features, like a new keystore format to allow for these types of certs, as you know I love the idea of smart cards replacing the password hell that exists today.
Not sufficient. It is still single factor. There is a real need for two or multi-factor authentication.
SRP (Scott's Robust Password) system also does not make the cut. ;)
Any legal issues (patents, licensing) with bouncy castle api-impl?
-
11. Re: What do we need in terms of x509 cert processing for ws
starksm64 Mar 26, 2007 12:52 PM (in response to starksm64)
SRP can use an external source for the random number to create two factor authentication. At least one customer has been doing this for years.
The only bc issue is around the IDEA algorithms. We should just drop those from the dist.
-
12. Re: What do we need in terms of x509 cert processing for ws
anil.saldhana Mar 28, 2007 4:07 PM (in response to starksm64)
Since PKI etc. have been broached on this thread, I also want to provide a link to the following lgpl oss project that users may find useful:
http://www.strongkey.org