Posted to dev@santuario.apache.org by Scott Cantor <ca...@osu.edu> on 2003/01/22 02:17:30 UTC

Embedding cert chains in KeyInfo

Maybe I'm not seeing the right calls to make, but it doesn't seem like the current API supports the proper way to embed a cert chain
in a ds:KeyInfo element.

If you call sig.addKeyInfo(cert) multiple times, it inserts multiple X509Data elements into the DOM. And if you play tricks like
accessing the X509Data element after inserting one, and then trying to manually insert a second, it just overwrites the first one
when you call X509Data.add().

If you look at http://www.w3.org/TR/xmldsig-core/#sec-X509Data, it indicates that a chain should be sent as:

<KeyInfo>
	<X509Data> <!-- certificate chain -->
       <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
       <X509Certificate>MIICXTCCA..</X509Certificate>
       <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US 
            issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
       <X509Certificate>MIICPzCCA...</X509Certificate>
       <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
       <X509Certificate>MIICSTCCA...</X509Certificate>
     </X509Data>
</KeyInfo>

So far, I can't quite get that result, but perhaps I'm missing something?

I suppose I could just create and manually attach the DOM children directly, but is there a better way?

I suppose the ambiguity derives from the spec, so perhaps the top-level API call should be overloaded to take either a single cert,
or a chain, so it knows which to do?

-- Scott


RE: Embedding cert chains in KeyInfo

Posted by Scott Cantor <ca...@osu.edu>.
> I disagree that you can't add multiple certs to a single 
> X509Data element:
>  
> So for adding Comment nodes, you must do that unnice DOM 
> magic. But for the X509Certificates, you can simply call 
> X509Data.addCertificate(X509Certificate);

Sorry, I didn't care about the comments, they came from the DSig spec and were just to illustrate the chain.

When I call X509Data.addCertificate(X509Certificate) multiple times, I'm not getting three certificates at all. I get only one in
the DOM, so it seemed to be replacing the existing one on the second and third calls.

I'll rewrite that section and verify that again, and then I'll report back. It may be that I accessed the X509Data object in the
wrong way. I think I added it in with addKeyInfo first, and then tried to retrieve it so I could call addCertificate again, so maybe
that does something odd.

Anyway, it still seems like having a quick overload to addKeyInfo that takes an array or Collection of certs might be convenient, so
maybe I'll throw a patch your way.

-- Scott


Re: Embedding cert chains in KeyInfo

Posted by Christian Geuer-Pollmann <ge...@nue.et-inf.uni-siegen.de>.
Hi Scott, 

I disagree that you can't add multiple certs to a single X509Data element:

////////////////////////////////////////////////////////////////////

import java.security.cert.X509Certificate;
import org.w3c.dom.Document;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.utils.XMLUtils;

// Assumes org.apache.xml.security.Init.init() has already been called and that
// the three certificates (signer, intermediate, root) and the Document exist.
X509Certificate cert1 = ..., cert2 = ..., cert3 = ...;
Document doc = ...;

KeyInfo keyInfo = new KeyInfo(doc);
X509Data x509Data = new X509Data(doc);   // one X509Data holds the whole chain

// Comment nodes are plain DOM work; the "\n" text nodes only make the output readable.
x509Data.getElement().appendChild(doc.createComment(" certificate chain "));
x509Data.getElement().appendChild(doc.createTextNode("\n"));
x509Data.getElement().appendChild(doc.createComment(" Signer cert "));
x509Data.getElement().appendChild(doc.createTextNode("\n"));
x509Data.addCertificate(cert1);          // each call appends one ds:X509Certificate
x509Data.getElement().appendChild(doc.createComment(" Intermediate cert "));
x509Data.getElement().appendChild(doc.createTextNode("\n"));
x509Data.addCertificate(cert2);
x509Data.getElement().appendChild(doc.createComment(" Root cert "));
x509Data.getElement().appendChild(doc.createTextNode("\n"));
x509Data.addCertificate(cert3);

keyInfo.add(x509Data);                   // attach the single X509Data to the KeyInfo
doc.appendChild(keyInfo.getElement());
XMLUtils.outputDOMc14nWithComments(doc, System.out);   // may throw XMLSecurityException

////////////////////////////////////////////////////////////////////

So for adding Comment nodes, you must do that unnice DOM magic. But for the
X509Certificates, you can simply call
X509Data.addCertificate(X509Certificate);


Kind regards,
Christian


--On Tuesday, 21 January 2003 20:17 -0500 Scott Cantor <ca...@osu.edu>
wrote:
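As an added example (not Christian's code and not part of the Santuario API), here is the chain-taking overload Scott proposes, built on the same KeyInfo/X509Data calls Christian shows: one ds:X509Data for the whole chain, plus a read-back check a consumer can run to confirm that exactly one X509Data is present and that the certificates appear in the expected order. The class and method names are hypothetical, and it assumes org.apache.xml.security.Init.init() has been called.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.w3c.dom.Document;

/** Hypothetical helper (not part of Santuario): one X509Data for a whole chain. */
public final class CertChainKeyInfo {

    /**
     * Builds a ds:KeyInfo holding exactly one ds:X509Data, with one
     * ds:X509Certificate per chain element in the order given:
     * signer first, then intermediates, root last (as in the spec example).
     */
    public static KeyInfo buildKeyInfo(Document doc, List<X509Certificate> chain)
            throws XMLSecurityException {
        if (chain == null || chain.isEmpty()) {
            throw new IllegalArgumentException("chain must contain at least the signer cert");
        }
        KeyInfo keyInfo = new KeyInfo(doc);
        X509Data x509Data = new X509Data(doc);
        for (X509Certificate cert : chain) {
            x509Data.addCertificate(cert);   // appends; does not replace earlier entries
        }
        keyInfo.add(x509Data);               // add the X509Data once, not once per cert
        return keyInfo;
    }

    /**
     * Read-back check for the consuming side: true only if the KeyInfo carries a
     * single X509Data whose certificates match the expected chain element by element.
     * Embedded certs are untrusted input; path validation against your own trust
     * anchors still has to happen separately.
     */
    public static boolean matchesChain(KeyInfo keyInfo, List<X509Certificate> expected)
            throws XMLSecurityException {
        if (keyInfo.lengthX509Data() != 1) {
            return false;                    // one X509Data per chain, per the spec layout
        }
        X509Data data = keyInfo.itemX509Data(0);
        if (data.lengthCertificate() != expected.size()) {
            return false;
        }
        for (int i = 0; i < expected.size(); i++) {
            X509Certificate found = data.itemCertificate(i).getX509Certificate();
            if (!expected.get(i).equals(found)) {
                return false;
            }
        }
        return true;
    }
}
```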