Posted to dev@santuario.apache.org by Andrzej Matejko <an...@pro.onet.pl> on 2004/04/21 14:26:37 UTC

KeyInfo - KeyValue vs X509Certificate

Is there any method or function in xsec that checks whether KeyValue and
X509Data (X509Certificate) are compatible (I mean, which checks that
X509Data and KeyValue contain the same public key)?
Or is it better to check it myself (extract the key, compare modulus and
exponent)?



  andrzeJ


Re: KeyInfo - KeyValue vs X509Certificate

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Martin,

It's actually quite (very) common to have a common exponent.  But the 
different modulus will give you a different public key.

Cheers,
	Berin


Martin Labarthe Dubois wrote:

> Hi All,
> 
> regarding this,
> is it possible to generate the same PublicKey with two different moduli and
> the same exponent????
> 
> modulus
> ALTng/nEXt4jp8tatc1EHqteLwdovwRyueRuuB0Q7PisWn5uzdaCOKhnIkH9BgtlwJJEwd+sYEoU
> 7wIj3NcLlaIg/rypTQz+AlNKmiUIxAYHbCJ1LH3cEBct9HUY4YjleV1cK9Ip6j1INQ6PjzViNMng
> 52RweeSuPi/hm98YafZH
> 
> or modulus
> tOeD+cRe3iOny1q1zUQeq14vB2i/BHK55G64HRDs+Kxafm7N1oI4qGciQf0GC2XAkkTB36xgShTv
> AiPc1wuVoiD+vKlNDP4CU0qaJQjEBgdsInUsfdwQFy30dRjhiOV5XVwr0inqPUg1Do+PNWI0yeDn
> ZHB55K4+L+Gb3xhp9kc=
> 
> with exponent
> BAQA
> 
> generate certificate ???
> [MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC054P5xF7eI6fLWrXNRB6rXi8HaL8Ecrnkbrg
> d
> EOz4rFp+bs3WgjioZyJB/QYLZcCSRMHfrGBKFO8CI9zXC5WiIP68qU0M/gJTSpolCMQGB2widSx9
> 3BAXLfR1GOGI5XldXCvSKeo9SDUOj481YjTJ4OdkcHnkrj4v4ZvfGGn2RwIDBAQA]
> 
> 
> ----- Original Message -----
> From: "Andrzej Matejko" <an...@pro.onet.pl>
> To: <se...@xml.apache.org>
> Sent: Wednesday, April 21, 2004 9:26 AM
> Subject: KeyInfo - KeyValue vs X509Certificate
> 
> 
> 
>>Is there any method or function in xsec that checks whether KeyValue and
>>X509Data (X509Certificate) are compatible (I mean, which checks that
>>X509Data and KeyValue contain the same public key)?
>>Or is it better to check it myself (extract the key, compare modulus and
>>exponent)?
>>
>>
>>
>>  andrzeJ
>>
> 
> 
> 
> 

Re: KeyInfo - KeyValue vs X509Certificate

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
Hi All,

regarding this,
is it possible to generate the same PublicKey with two different moduli and
the same exponent????

modulus
ALTng/nEXt4jp8tatc1EHqteLwdovwRyueRuuB0Q7PisWn5uzdaCOKhnIkH9BgtlwJJEwd+sYEoU
7wIj3NcLlaIg/rypTQz+AlNKmiUIxAYHbCJ1LH3cEBct9HUY4YjleV1cK9Ip6j1INQ6PjzViNMng
52RweeSuPi/hm98YafZH

or modulus
tOeD+cRe3iOny1q1zUQeq14vB2i/BHK55G64HRDs+Kxafm7N1oI4qGciQf0GC2XAkkTB36xgShTv
AiPc1wuVoiD+vKlNDP4CU0qaJQjEBgdsInUsfdwQFy30dRjhiOV5XVwr0inqPUg1Do+PNWI0yeDn
ZHB55K4+L+Gb3xhp9kc=

with exponent
BAQA

generate certificate ???
[MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC054P5xF7eI6fLWrXNRB6rXi8HaL8Ecrnkbrg
d
EOz4rFp+bs3WgjioZyJB/QYLZcCSRMHfrGBKFO8CI9zXC5WiIP68qU0M/gJTSpolCMQGB2widSx9
3BAXLfR1GOGI5XldXCvSKeo9SDUOj481YjTJ4OdkcHnkrj4v4ZvfGGn2RwIDBAQA]


----- Original Message -----
From: "Andrzej Matejko" <an...@pro.onet.pl>
To: <se...@xml.apache.org>
Sent: Wednesday, April 21, 2004 9:26 AM
Subject: KeyInfo - KeyValue vs X509Certificate


> Is there any method or function in xsec that checks whether KeyValue and
> X509Data (X509Certificate) are compatible (I mean, which checks that
> X509Data and KeyValue contain the same public key)?
> Or is it better to check it myself (extract the key, compare modulus and
> exponent)?
>
>
>
>   andrzeJ
>


Re: KeyInfo - KeyValue vs X509Certificate

Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
I used the Apache VerifySignature.java
to verify two XML signatures.
One of them made with Apache, the other with another API.

The signature values are identical, also the certificates, also the
exponent, but they have a different modulus.
So to test I cut the certificate tag to force Apache to verify the
exponent+modulus.

and guess what?

it says that both signatures are valid!

Did I miss something?

The two small XMLs are available and ready to test with
VerifySignature.java if anyone doesn't believe this.

Regards.
Martin

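The check Andrzej asked about and Martin tried to do by hand, written out as an added Python example (standard library only; this is not code from the thread or from the XML-Security library): decode the ds:CryptoBinary values and the key to integers and compare those, not the base64 strings. Run on the two moduli Martin posted it reports that they are one and the same 1024-bit integer, the first merely carrying a leading zero octet, which is why both signatures verify; the blob he posted under "generate certificate" decodes as a DER SubjectPublicKeyInfo rather than a full certificate, so that is the structure the small parser walks.

```python
import base64

# Values copied from Martin's post above. The blob he labels "certificate" is a
# DER SubjectPublicKeyInfo (rsaEncryption), not a full X.509 certificate.
MODULUS_A = ("ALTng/nEXt4jp8tatc1EHqteLwdovwRyueRuuB0Q7PisWn5uzdaCOKhnIkH9BgtlwJJEwd+sYEoU"
             "7wIj3NcLlaIg/rypTQz+AlNKmiUIxAYHbCJ1LH3cEBct9HUY4YjleV1cK9Ip6j1INQ6PjzViNMng"
             "52RweeSuPi/hm98YafZH")
MODULUS_B = ("tOeD+cRe3iOny1q1zUQeq14vB2i/BHK55G64HRDs+Kxafm7N1oI4qGciQf0GC2XAkkTB36xgShTv"
             "AiPc1wuVoiD+vKlNDP4CU0qaJQjEBgdsInUsfdwQFy30dRjhiOV5XVwr0inqPUg1Do+PNWI0yeDn"
             "ZHB55K4+L+Gb3xhp9kc=")
EXPONENT = "BAQA"
SPKI = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC054P5xF7eI6fLWrXNRB6rXi8HaL8Ecrnkbrgd"
        "EOz4rFp+bs3WgjioZyJB/QYLZcCSRMHfrGBKFO8CI9zXC5WiIP68qU0M/gJTSpolCMQGB2widSx9"
        "3BAXLfR1GOGI5XldXCvSKeo9SDUOj481YjTJ4OdkcHnkrj4v4ZvfGGn2RwIDBAQA")

def b64_int(text):
    """Decode a ds:CryptoBinary (base64, big-endian magnitude) to an int.
    A leading zero octet changes the base64 text but not the integer."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_from_spki(spki_b64):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return (n, e)."""
    der = base64.b64decode("".join(spki_b64.split()))
    _, pos, _ = _tlv(der, 0)           # outer SEQUENCE
    _, _, pos = _tlv(der, pos)         # AlgorithmIdentifier: skip over it
    tag, pos, _ = _tlv(der, pos)       # BIT STRING wrapping the key
    if tag != 0x03 or der[pos] != 0x00:
        raise ValueError("expected BIT STRING with zero unused bits")
    _, pos, _ = _tlv(der, pos + 1)     # RSAPublicKey SEQUENCE
    _, start, end = _tlv(der, pos)     # INTEGER modulus (may carry a leading 0x00)
    n = int.from_bytes(der[start:end], "big")
    _, start, end = _tlv(der, end)     # INTEGER publicExponent
    return n, int.from_bytes(der[start:end], "big")

def key_value_matches(modulus_b64, exponent_b64, spki_b64):
    """Andrzej's check: the KeyValue names the same key iff (n, e) agree as integers."""
    return rsa_key_from_spki(spki_b64) == (b64_int(modulus_b64), b64_int(exponent_b64))

if __name__ == "__main__":
    print("same integer:", b64_int(MODULUS_A) == b64_int(MODULUS_B))
    print("B matches the posted key:", key_value_matches(MODULUS_B, EXPONENT, SPKI))
```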

Re: KeyInfo - KeyValue vs X509Certificate

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Scott Cantor wrote:

>>XKMS is a particular example - I can do a LocateRequest for "Berin 
>>Lautenbach" as a KeyName.  The response could include an RSA key, known 
>>to be good, together with a cert for a separate key.  Both will be 
>>returned in the same KeyInfo structure.
> 
> 
> If XKMS says to do that, I think they need to read the spec again. ;-)

Or I do :>.

My apologies - you are quite correct (on both counts).

UnverifiedKeyBinding refers to a binding between a KeyInfo element and a 
user.  So in my search for Berin, it would actually return multiple 
KeyInfo elements for multiple keys :

    <!-- LocateResult -->
    <element name="LocateResult" type="xkms:LocateResultType"/>
    <complexType name="LocateResultType">
       <complexContent>
          <extension base="xkms:ResultType">
             <sequence>
                <element ref="xkms:UnverifiedKeyBinding" minOccurs="0"
                      maxOccurs="unbounded"/>
             </sequence>
          </extension>
       </complexContent>
    </complexType>
    <!-- /LocateResult -->

Cheers,
	Berin

RE: KeyInfo - KeyValue vs X509Certificate

Posted by Scott Cantor <ca...@osu.edu>.
> No - there is no validity check between the two.  And in fact, because 
> of the potential uses of KeyInfo, it *might* be that incompatible key 
> values are valid.

Well, technically there is in the sense that a single KeyInfo is only
supposed to represent one key. If you have a KeyValue and a cert, if the
public key didn't match, you're arguably off the spec a little, unless both
sides understand why they're doing it.

> XKMS is a particular example - I can do a LocateRequest for "Berin 
> Lautenbach" as a KeyName.  The response could include an RSA key, known 
> to be good, together with a cert for a separate key.  Both will be 
> returned in the same KeyInfo structure.

If XKMS says to do that, I think they need to read the spec again. ;-)

-- Scott


Re: KeyInfo - KeyValue vs X509Certificate

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
No - there is no validity check between the two.  And in fact, because 
of the potential uses of KeyInfo, it *might* be that incompatible key 
values are valid.

XKMS is a particular example - I can do a LocateRequest for "Berin 
Lautenbach" as a KeyName.  The response could include an RSA key, known 
to be good, together with a cert for a separate key.  Both will be 
returned in the same KeyInfo structure.

Cheers,
	Berin

Andrzej Matejko wrote:
> Is there any method or function in xsec that checks whether KeyValue and
> X509Data (X509Certificate) are compatible (I mean, which checks that
> X509Data and KeyValue contain the same public key)?
> Or is it better to check it myself (extract the key, compare modulus and
> exponent)?
> 
> 
> 
>   andrzeJ
> 
> 
>