Posted to dev@santuario.apache.org by Kenneth Jensen <xm...@gmail.com> on 2005/03/31 16:18:19 UTC

Validating certificates

Hey guys, 

I am working on an XKMS implementation, to some extent based on the
org.apache.xml.security library.

When validating X509 certificates, I need a smart way of resolving the
certificate of the issuer of another certificate.

If I get a certificate for validation, I can do one of these:

1) Read the Issuer Distinguished Name (or derivatives thereof)
2) Read the X509 extensions, and try to find the Issuer DN and Issuer Serial.

My questions are now:
*) Can I be sure that the Issuer DN is globally unique, and will
identify exactly the certificate I need? (I would think no, but I'm not sure).

*) How do I get the Issuer DN and serial out from the extensions? The
only thing I seem to be able to do is get a Set of OID-strings, of
which I presumably need the one called "2.5.29.15" - which, when the
cert is printed out, looks like it contains values for
"AuthorityKeyIdentifier" and Issuer DN and Issuer Serial. I'm not
really familiar with ASN.1, and binary data formats in general, and
RFC 2459 is not much help either.

*) How do I resolve a certificate from an Issuer DN, if I don't have it
in my database already? Say, if the certificate C to be validated is
signed by CA-X, whose certificate is signed by CA-Y, and I have CA-Y's
cert in my list of trusted certificate authorities. Am I dependent on
the certificate C attaching CA-X's cert, or is there a neat way of
looking up a certificate across the 'net?

The simple solution is to have a manually maintained list of trusted
certificates, and then looking one of those up based on the Subject
DN (Issuer DN in the certificate to be validated), while calculating
that I will never come across two different certificates with the same
Subject DN string. In that case, I could try and validate with all the
certificates with the same Subject DN, but that doesn't seem very
sane...

Any comments are welcome - I could really use some feedback. ;-)

---
Thanks.
Kenneth
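An added example, not from this thread or from the org.apache.xml.security library, of reading the three optional fields of the AuthorityKeyIdentifier extension with nothing but the JDK. Two facts worth fixing before the code: the extension's OID is 2.5.29.35 (2.5.29.15 is KeyUsage), and X509Certificate.getExtensionValue() hands back the extension's DER value wrapped in one extra OCTET STRING, so a small tag-length-value walker is all that is needed. The class, method names and the hand-built sample bytes in main() are constructed for this example; on a real certificate call parse(cert.getExtensionValue("2.5.29.35")).

```java
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class AkiReader {

    /** Decoded AuthorityKeyIdentifier; all three components are OPTIONAL, so any may be absent. */
    public static final class Aki {
        public byte[] keyIdentifier;                                         // [0]
        public final List<String> authorityCertIssuer = new ArrayList<>();   // [1]
        public BigInteger authorityCertSerialNumber;                         // [2]
    }

    /** One DER tag-length-value: the tag byte and the offsets of its content. */
    private static final class Tlv {
        int tag, start, end;
    }

    /** Reads the TLV header at 'off'; DER permits only definite short or long form lengths. */
    private static Tlv read(byte[] d, int off) {
        Tlv t = new Tlv();
        t.tag = d[off] & 0xFF;
        int len = d[off + 1] & 0xFF;
        int p = off + 2;
        if (len == 0x80) {
            throw new IllegalArgumentException("indefinite length is not valid DER");
        }
        if (len > 0x80) {                       // long form: low 7 bits give the length-of-length
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (d[p++] & 0xFF);
            }
        }
        t.start = p;
        t.end = p + len;
        if (t.end > d.length) {
            throw new IllegalArgumentException("DER length runs past end of data");
        }
        return t;
    }

    /** @param extensionValue bytes from getExtensionValue("2.5.29.35"), or null if absent */
    public static Aki parse(byte[] extensionValue) {
        if (extensionValue == null) {
            return null;
        }
        Tlv octet = read(extensionValue, 0);           // OCTET STRING wrapper added by getExtensionValue()
        if (octet.tag != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        Tlv seq = read(extensionValue, octet.start);   // AuthorityKeyIdentifier ::= SEQUENCE { ... }
        if (seq.tag != 0x30) throw new IllegalArgumentException("expected SEQUENCE");

        Aki aki = new Aki();
        int p = seq.start;
        while (p < seq.end) {
            Tlv f = read(extensionValue, p);
            switch (f.tag) {
                case 0x80: // [0] IMPLICIT KeyIdentifier (OCTET STRING)
                    aki.keyIdentifier = Arrays.copyOfRange(extensionValue, f.start, f.end);
                    break;
                case 0xA1: { // [1] IMPLICIT GeneralNames (SEQUENCE OF GeneralName)
                    int q = f.start;
                    while (q < f.end) {
                        Tlv gn = read(extensionValue, q);
                        if (gn.tag == 0xA4) { // directoryName [4] EXPLICIT Name: content is a complete DER Name
                            byte[] name = Arrays.copyOfRange(extensionValue, gn.start, gn.end);
                            aki.authorityCertIssuer.add(new X500Principal(name).getName());
                        } else {              // other GeneralName choices are left undecoded here
                            aki.authorityCertIssuer.add("<GeneralName tag 0x" + Integer.toHexString(gn.tag) + ">");
                        }
                        q = gn.end;
                    }
                    break;
                }
                case 0x82: // [2] IMPLICIT CertificateSerialNumber (INTEGER, two's complement)
                    aki.authorityCertSerialNumber =
                            new BigInteger(Arrays.copyOfRange(extensionValue, f.start, f.end));
                    break;
                default:   // unrecognised component: skip rather than fail
                    break;
            }
            p = f.end;
        }
        return aki;
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample (not from a real certificate): keyIdentifier DEADBEEF,
        // authorityCertIssuer CN=Test CA, authorityCertSerialNumber 42.
        byte[] sample = hex("0423" + "3021"
                + "8004DEADBEEF"                                         // [0] keyIdentifier
                + "A116" + "A414" + "3012" + "3110" + "300E"              // [1] GeneralNames / directoryName / Name
                + "0603550403" + "0C0754657374204341"                     //     CN = "Test CA" (UTF8String)
                + "82012A");                                             // [2] serial number
        Aki aki = parse(sample);
        StringBuilder kid = new StringBuilder();
        for (byte b : aki.keyIdentifier) kid.append(String.format("%02X", b));
        System.out.println("keyIdentifier:             " + kid);
        System.out.println("authorityCertIssuer:       " + aki.authorityCertIssuer);
        System.out.println("authorityCertSerialNumber: " + aki.authorityCertSerialNumber);
    }
}
```

Two caveats for anyone using this to find an issuer: in practice most CAs populate only the keyIdentifier form, so code that insists on authorityCertIssuer/authorityCertSerialNumber will rarely find them; and whatever the AKI says is only a lookup hint supplied by the certificate under examination, so the candidate issuer it points to still has to be tied to a trust anchor and its signature over the child verified before anything is trusted.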

Re: Validating certificates

Posted by Vishal Mahajan <vm...@amberpoint.com>.
For validating certificates, instead of writing your own code for 
locating the issuer certificate try using the 
java.security.cert.CertPathBuilder API. It helps build the 
certificate path from the given certificate to its root CA.

Vishal

Kenneth Jensen wrote:

>Hey guys, 
>
>I am working on an XKMS implementation, to some extent based on the
>org.apache.xml.security library.
>
>When validating X509 certificates, I need a smart way of resolving the
>certificate of the issuer of another certificate.
>
>If I get a certificate for validation, I can do one of these:
>
>1) Read the Issuer Distinguished Name (or derivatives thereof)
>2) Read the X509 extensions, and try to find the Issuer DN and Issuer Serial.
>
>My questions are now:
>*) Can I be sure that the Issuer DN is globally unique, and will
>identify exactly the certificate I need? (I would think no, but I'm not sure).
>
>*) How do I get the Issuer DN and serial out from the extensions? The
>only thing I seem to be able to do is get a Set of OID-strings, of
>which I presumably need the one called "2.5.29.15" - which, when the
>cert is printed out, looks like it contains values for
>"AuthorityKeyIdentifier" and Issuer DN and Issuer Serial. I'm not
>really familiar with ASN.1, and binary data formats in general, and
>RFC 2459 is not much help either.
>
>*) How do I resolve a certificate from an Issuer DN, if I don't have it
>in my database already? Say, if the certificate C to be validated is
>signed by CA-X, whose certificate is signed by CA-Y, and I have CA-Y's
>cert in my list of trusted certificate authorities. Am I dependent on
>the certificate C attaching CA-X's cert, or is there a neat way of
>looking up a certificate across the 'net?
>
>The simple solution is to have a manually maintained list of trusted
>certificates, and then looking one of those up based on the Subject
>DN (Issuer DN in the certificate to be validated), while calculating
>that I will never come across two different certificates with the same
>Subject DN string. In that case, I could try and validate with all the
>certificates with the same Subject DN, but that doesn't seem very
>sane...
>
>Any comments are welcome - I could really use some feedback. ;-)
>
>---
>Thanks.
>Kenneth
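An added example of the CertPathBuilder approach suggested above; it is not code from this thread or from the xml-security library. It shows how the first message's three questions are answered by the PKIX builder: the issuer is located by the builder (by matching subject against issuer DN and, when the child carries an AuthorityKeyIdentifier, on key identifier too, then checking the signature), so several certificates sharing one subject DN are harmless, and intermediates that travelled with the certificate are simply offered as candidates. The class name, the file-based loading in main() and Java 7 or later are assumptions of this example; the certificates themselves must be supplied on the command line because none can be fabricated here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ChainBuilder {

    /** Loads one PEM or DER encoded certificate from disk. */
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Builds and validates a path from 'leaf' up to one of 'trusted'.
     * The builder locates issuers itself, so 'trusted' and 'untrusted' may both
     * hold several certificates with the same subject DN: a candidate whose key
     * does not verify the child's signature is discarded and the next one tried.
     */
    static PKIXCertPathBuilderResult build(X509Certificate leaf,
                                           Collection<X509Certificate> untrusted,
                                           Collection<X509Certificate> trusted)
            throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : trusted) {
            anchors.add(new TrustAnchor(ca, null));   // null: no extra name constraints
        }

        // The target is the exact certificate we were handed, not "anything with this subject".
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);

        // Candidate pool: the leaf plus any intermediates that came with it
        // (for XKMS, typically the contents of a <ds:X509Data> element) or were cached earlier.
        List<X509Certificate> pool = new ArrayList<>(untrusted);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));

        // Disabled only so the example runs offline; a validation service should
        // keep revocation checking (CRL/OCSP) switched on.
        params.setRevocationEnabled(false);
        params.setMaxPathLength(5);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // Throws CertPathBuilderException when no path to an anchor can be built.
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    /** Usage: java ChainBuilder leaf.pem root.pem [intermediate.pem ...] */
    public static void main(String[] args) throws Exception {
        X509Certificate leaf = load(args[0]);
        List<X509Certificate> roots = new ArrayList<>();
        roots.add(load(args[1]));
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            intermediates.add(load(args[i]));
        }

        PKIXCertPathBuilderResult result = build(leaf, intermediates, roots);
        System.out.println("Path built, anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        for (Certificate c : result.getCertPath().getCertificates()) {
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

On the remaining question of fetching CA-X's certificate when it did not travel with C: the Collection store above only sees what you put in it, so the usual answers are to add a second CertStore (LDAP is supported by the JDK) or to let the builder follow the Authority Information Access caIssuers URL, which the Sun/Oracle PKIX provider does when the system property com.sun.security.enableAIAcaIssuers is set to true. Either way the fetched certificate is just another candidate; it earns no trust until the path reaches one of the anchors.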