Posted to dev@santuario.apache.org by Andrzej Matejko <an...@pro.onet.pl> on 2004/04/21 14:26:37 UTC
KeyInfo - KeyValue vs X509Certificate
Is there any method, function in xsec that checks if KeyValue and
X509Data (X509Certificate) are compatible? (I mean, which checks that
X509Data and KeyValue contain the same public key)?
Or is it better to check it by myself (extract key, compare modulus and
exponent)?
andrzeJ
Re: KeyInfo - KeyValue vs X509Certificate
Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Martin,
It's actually quite (very) common to have a common exponent. But the
different modulus will give you a different public key.
Cheers,
Berin
Martin Labarthe Dubois wrote:
> Hi All,
>
> regarding this,
> is it possible to generate the same PublicKey with two different modules and
> the same exponent????
>
> module
> ALTng/nEXt4jp8tatc1EHqteLwdovwRyueRuuB0Q7PisWn5uzdaCOKhnIkH9BgtlwJJEwd+sYEoU
> 7wIj3NcLlaIg/rypTQz+AlNKmiUIxAYHbCJ1LH3cEBct9HUY4YjleV1cK9Ip6j1INQ6PjzViNMng
> 52RweeSuPi/hm98YafZH
>
> or module
> tOeD+cRe3iOny1q1zUQeq14vB2i/BHK55G64HRDs+Kxafm7N1oI4qGciQf0GC2XAkkTB36xgShTv
> AiPc1wuVoiD+vKlNDP4CU0qaJQjEBgdsInUsfdwQFy30dRjhiOV5XVwr0inqPUg1Do+PNWI0yeDn
> ZHB55K4+L+Gb3xhp9kc=
>
> with exponent
> BAQA
>
> generate certificate ???
> [MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC054P5xF7eI6fLWrXNRB6rXi8HaL8Ecrnkbrg
> d
> EOz4rFp+bs3WgjioZyJB/QYLZcCSRMHfrGBKFO8CI9zXC5WiIP68qU0M/gJTSpolCMQGB2widSx9
> 3BAXLfR1GOGI5XldXCvSKeo9SDUOj481YjTJ4OdkcHnkrj4v4ZvfGGn2RwIDBAQA]
>
>
> ----- Original Message -----
> From: "Andrzej Matejko" <an...@pro.onet.pl>
> To: <se...@xml.apache.org>
> Sent: Wednesday, April 21, 2004 9:26 AM
> Subject: KeyInfo - KeyValue vs X509Certificate
>
>
>
>>Is there any method, function in xsec that checks if KeyValue and
>>X509Data (X509Certificate) are compatible? (I mean, which checks that
>>X509Data and KeyValue contain the same public key)?
>>Or is it better to check it by myself (extract key, compare modulus and
>>exponent)?
>>
>>
>>
>> andrzeJ
>>
>
>
>
>
Re: KeyInfo - KeyValue vs X509Certificate
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
Hi All,
regarding this,
is it possible to generate the same PublicKey with two different modules and
the same exponent????
module
ALTng/nEXt4jp8tatc1EHqteLwdovwRyueRuuB0Q7PisWn5uzdaCOKhnIkH9BgtlwJJEwd+sYEoU
7wIj3NcLlaIg/rypTQz+AlNKmiUIxAYHbCJ1LH3cEBct9HUY4YjleV1cK9Ip6j1INQ6PjzViNMng
52RweeSuPi/hm98YafZH
or module
tOeD+cRe3iOny1q1zUQeq14vB2i/BHK55G64HRDs+Kxafm7N1oI4qGciQf0GC2XAkkTB36xgShTv
AiPc1wuVoiD+vKlNDP4CU0qaJQjEBgdsInUsfdwQFy30dRjhiOV5XVwr0inqPUg1Do+PNWI0yeDn
ZHB55K4+L+Gb3xhp9kc=
with exponent
BAQA
generate certificate ???
[MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC054P5xF7eI6fLWrXNRB6rXi8HaL8Ecrnkbrg
d
EOz4rFp+bs3WgjioZyJB/QYLZcCSRMHfrGBKFO8CI9zXC5WiIP68qU0M/gJTSpolCMQGB2widSx9
3BAXLfR1GOGI5XldXCvSKeo9SDUOj481YjTJ4OdkcHnkrj4v4ZvfGGn2RwIDBAQA]
----- Original Message -----
From: "Andrzej Matejko" <an...@pro.onet.pl>
To: <se...@xml.apache.org>
Sent: Wednesday, April 21, 2004 9:26 AM
Subject: KeyInfo - KeyValue vs X509Certificate
> Is there any method, function in xsec that checks if KeyValue and
> X509Data (X509Certificate) are compatible? (I mean, which checks that
> X509Data and KeyValue contain the same public key)?
> Or is it better to check it by myself (extract key, compare modulus and
> exponent)?
>
>
>
> andrzeJ
>
Re: KeyInfo - KeyValue vs X509Certificate
Posted by Martin Labarthe Dubois <du...@consist.com.ar>.
I used the Apache VerifySignature.java
to verify two XML signatures.
One of them was made with Apache, the other with another API.
The signature values are identical, also the certificates, also the
exponent, but they have different modulus.
So to test I cut the certificate tag to force Apache to verify the
exponent+modulus.
And guess what?
It says that both signatures are valid!
Did I miss something?
The two small XMLs are available and ready to test by the
VerifySignature.java if anyone doesn't believe this.
Regards.
Martin
Re: KeyInfo - KeyValue vs X509Certificate
Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Scott Cantor wrote:
>>XKMS is a particular example - I can do a LocateRequest for "Berin
>>Lautenbach" as a KeyName. The response could include a RSA key, known
>>to be good, together with a cert for a separate key. Both will be
>>returned in the same KeyInfo structure.
>
>
> If XKMS says to do that, I think they need to read the spec again. ;-)
Or I do :>.
My apologies - you are quite correct (on both counts).
UnverifiedKeyBinding refers to a binding between a KeyInfo element and a
user. So in my search for Berin, it would actually return multiple
KeyInfo elements for multiple keys :
<!-- LocateResult -->
<element name="LocateResult" type="xkms:LocateResultType"/>
<complexType name="LocateResultType">
  <complexContent>
    <extension base="xkms:ResultType">
      <sequence>
        <element ref="xkms:UnverifiedKeyBinding" minOccurs="0"
                 maxOccurs="unbounded"/>
      </sequence>
    </extension>
  </complexContent>
</complexType>
<!-- /LocateResult -->
Cheers,
Berin
RE: KeyInfo - KeyValue vs X509Certificate
Posted by Scott Cantor <ca...@osu.edu>.
> No - there is no validity check between the two. And in fact, because
> of the potential uses of KeyInfo, it *might* be that incompatible key
> values are valid.
Well, technically there is in the sense that a single KeyInfo is only
supposed to represent one key. If you have a KeyValue and a cert, if the
public key didn't match, you're arguably off the spec a little, unless both
sides understand why they're doing it.
> XKMS is a particular example - I can do a LocateRequest for "Berin
> Lautenbach" as a KeyName. The response could include a RSA key, known
> to be good, together with a cert for a separate key. Both will be
> returned in the same KeyInfo structure.
If XKMS says to do that, I think they need to read the spec again. ;-)
-- Scott
Re: KeyInfo - KeyValue vs X509Certificate
Posted by Berin Lautenbach <be...@wingsofhermes.org>.
No - there is no validity check between the two. And in fact, because
of the potential uses of KeyInfo, it *might* be that incompatible key
values are valid.
XKMS is a particular example - I can do a LocateRequest for "Berin
Lautenbach" as a KeyName. The response could include a RSA key, known
to be good, together with a cert for a separate key. Both will be
returned in the same KeyInfo structure.
Cheers,
Berin
Andrzej Matejko wrote:
> Is there any method, function in xsec that checks if KeyValue and
> X509Data (X509Certificate) are compatible? (I mean, which checks that
> X509Data and KeyValue contain the same public key)?
> Or is it better to check it by myself (extract key, compare modulus and
> exponent)?
>
>
>
> andrzeJ
>
>
>
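Since the thread establishes that xsec does not cross-check KeyValue against X509Data, here is one way to do the manual comparison the original question describes. This is an added example, not code from xsec or from any poster. It compares modulus and exponent as integers rather than as base64 text, because two encoders can serialize the same modulus with or without a leading 0x00 sign octet. It assumes the caller has already extracted the DER SubjectPublicKeyInfo from the X509Certificate; all function names and sample values are hypothetical.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption

def crypto_binary_to_int(b64_text):
    """ds:CryptoBinary -> integer; leading 0x00 octets do not change the value."""
    return int.from_bytes(base64.b64decode("".join(b64_text.split())), "big")

def read_tlv(buf, pos, tag):
    """Read one DER element with the given tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_numbers_from_spki(der_bytes):
    """(modulus, exponent) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    spki, _ = read_tlv(der_bytes, 0, 0x30)
    alg, pos = read_tlv(spki, 0, 0x30)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    bits, _ = read_tlv(spki, pos, 0x03)
    rsa_key, _ = read_tlv(bits[1:], 0, 0x30)  # bits[0] is the unused-bits count
    n, pos = read_tlv(rsa_key, 0, 0x02)
    e, _ = read_tlv(rsa_key, pos, 0x02)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def key_value_matches_spki(modulus_b64, exponent_b64, spki_der):
    """True when KeyValue and the certificate key are the same RSA public key."""
    key_value = (crypto_binary_to_int(modulus_b64), crypto_binary_to_int(exponent_b64))
    return key_value == rsa_numbers_from_spki(spki_der)

def der(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

# Constructed sample, not a real key: 128-octet modulus, exponent 65537.
N = bytes([0xB4]) + bytes(range(127))
SPKI = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + der(
    0x30, der(0x02, b"\x00" + N) + der(0x02, b"\x01\x00\x01"))))
MOD_PLAIN = base64.b64encode(N).decode()             # no sign octet
MOD_PADDED = base64.b64encode(b"\x00" + N).decode()  # with leading 0x00 sign octet
```

Both MOD_PLAIN and MOD_PADDED match SPKI with exponent "AQAB" even though their base64 strings differ; a modulus with any octet changed does not.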