Posted to dev@santuario.apache.org by "Sasvari, Zsolt" <Zs...@softwareag.com> on 2003/02/14 16:42:49 UTC

SKI resolver problem with V1 X509 certificate

Hi,

for our application I tested the subject key identifier (SKI) key resolver
and I encountered a problem. I added a KeyStore StorageResolver to the
KeyInfo object to obtain the certificate that belongs to the specified SKI.
Since only a V3 X509 certificate can contain an SKI, for signing and
verifying I use a V3 X509 certificate (stored in a KeyStore) with the
belonging keys, but the KeyStore also contains one V1 X509 certificate. Thus
the verification throws an exception ("v1 cannot contain SKI") even though the
right V3 certificate is also in the specified KeyStore, because the storage
iterator encounters the V1 certificate first.

Maybe the XMLSecurityException should be caught in
X509SKIResolver.engineResolveX509Certificate() where the XMLX509SKI object
is created, and the certificate storage iteration should continue even if an
exception was thrown. Or is there another way to solve this problem? Any opinion?

Thanks,
Zsolt
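As an added illustration of the behaviour the post asks for (not code from Apache Santuario or from the poster), the following standalone Java lookup walks a KeyStore and resolves a certificate by SKI, skipping V1/V2 certificates and certificates without the extension instead of aborting on the first one that cannot carry an SKI. It uses only the JDK (java.security.cert), not the XMLX509SKI class; the class and method names here are assumed.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class SkiLookup {
    // OID of the SubjectKeyIdentifier extension (X.509 / RFC 3280).
    private static final String SKI_OID = "2.5.29.14";

    // Returns the first keystore certificate whose SKI equals wantedSki, or null.
    // A certificate that cannot carry an SKI is skipped; the search goes on.
    public static X509Certificate findBySki(KeyStore ks, byte[] wantedSki)
            throws KeyStoreException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) continue;   // secret-key entries yield null
            X509Certificate cert = (X509Certificate) c;
            if (cert.getVersion() < 3) continue;              // V1/V2: no extensions, skip, do not fail
            byte[] ext = cert.getExtensionValue(SKI_OID);
            if (ext == null) continue;                        // V3 without SKI: skip too
            byte[] ski;
            try {
                // getExtensionValue() returns the extension OCTET STRING, which for SKI
                // wraps a second OCTET STRING holding the identifier bytes.
                ski = unwrapOctetString(unwrapOctetString(ext));
            } catch (IOException malformed) {
                continue;                                     // bad DER in one cert must not stop the search
            }
            if (Arrays.equals(ski, wantedSki)) return cert;
        }
        return null;
    }

    // Strips one DER OCTET STRING header (tag 0x04 plus short- or long-form length).
    static byte[] unwrapOctetString(byte[] der) throws IOException {
        if (der.length < 2 || der[0] != 0x04) throw new IOException("not an OCTET STRING");
        int len = der[1] & 0xFF, off = 2;
        if (len > 0x7F) {                                     // long form: 0x8n then n length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n) throw new IOException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            off = 2 + n;
        }
        if (off + len > der.length) throw new IOException("truncated OCTET STRING");
        return Arrays.copyOfRange(der, off, off + len);
    }
}
```

The wantedSki argument is the raw identifier bytes decoded from the ds:X509SKI element; with a keystore holding both a V1 and a matching V3 certificate, the V1 entry is passed over and the V3 certificate is returned.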