Posted to dev@santuario.apache.org by "M. D." <mo...@abv.bg> on 2014/03/20 14:37:59 UTC

XMLDsig and XML Signature API

 Hello all,

I'm trying to use the santuario api for signing xml documents.

Just a quick question - this may sound stupid but according to the w3 spec http://www.w3.org/TR/xmldsig-core/#sec-X509Data
a KeyInfo tag may contain more than one X509Data element and thus contain more than one embedded certificate.

Then how come the org.apache.xml.security.keys.KeyInfo class has a getX509Certificate() method that returns only one certificate? Do I have a way of obtaining all embedded certificates in the XML?

Thanks in advance for your understanding!

Best regards,
M.D.

Re: XMLDsig and XML Signature API

Posted by Brent Putman <pu...@georgetown.edu>.
I have always understood that the use case for multiple X509Data
elements in a KeyInfo was having the (singular) signing key represented
in distinct PKIs.  That would mean 2 distinct X509Certificate entity
certs with the same public key but issued by different authorities, each
living in its own X509Data.  Each X509Data could also include other
supporting X509Certificates for the cert chain from that PKI.

Example: The sender/signer knows that some recipients/validators trust
CA A (only) and some CA B (only).  The signer has a cert issued within
the hierarchy of both authority A and authority B, with the same public
key.  The signer sends a KeyInfo with support for both by sending 2
X509Datas populated accordingly.

Obviously this is probably an uncommon, niche use case.



On 3/20/14 10:06 AM, Colm O hEigeartaigh wrote:
>
> I don't think there is a valid use-case for having two certificates in
> the KeyInfo of a Signature.
>
> Colm.
>
>
> On Thu, Mar 20, 2014 at 1:37 PM, M. D. <moder@abv.bg> wrote:
>
>      Hello all,
>
>     I'm trying to use the santuario api for signing xml documents.
>
>     Just a quick question - this may sound stupid but according to the
>     w3 spec http://www.w3.org/TR/xmldsig-core/#sec-X509Data
>     a KeyInfo tag may contain more than one X509Data element and thus
>     contain more than one embedded certificate.
>
>     Then how come the org.apache.xml.security.keys.KeyInfo class has
>     a getX509Certificate() method that returns only one certificate?
>     Do I have a way of obtaining all embedded certificates in the XML?
>
>     Thanks in advance for your understanding!
>
>     Best regards,
>     M.D.
>
>
>
>
> -- 
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
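The two posts above raise one API question (how to get every certificate out of a KeyInfo when getX509Certificate() returns just one) and one design point (a signer may ship the same key under two PKIs, one X509Data each). The following is an added example, not code from this thread or from the Santuario project itself. It uses the Santuario KeyInfo/X509Data iteration methods to collect every certificate, grouped by X509Data, and then does what a validator in Brent's scenario has to do: accept the signature only if some X509Data holds a certificate whose key verifies the SignatureValue and which chains to an anchor the validator itself trusts. The file path in args[0], the PKCS12 trust store in args[1]/args[2], taking the first ds:Signature in the document, and the disabled revocation check are all assumptions of the example.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AllKeyInfoCerts {

    /**
     * Every X509Data in the KeyInfo, each as the list of X509Certificate
     * elements it carries, in document order. KeyInfo.getX509Certificate()
     * returns only the first cert a resolver finds; this keeps all of them.
     */
    static List<List<X509Certificate>> certsPerX509Data(KeyInfo keyInfo) throws Exception {
        List<List<X509Certificate>> groups = new ArrayList<>();
        for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
            X509Data data = keyInfo.itemX509Data(i);
            List<X509Certificate> certs = new ArrayList<>();
            for (int j = 0; j < data.lengthCertificate(); j++) {
                certs.add(data.itemCertificate(j).getX509Certificate());
            }
            groups.add(certs);
        }
        return groups;
    }

    /**
     * Accept the signature only if some X509Data group contains a cert whose key
     * verifies the SignatureValue AND that cert chains (PKIX) to an anchor in
     * trustStore. Until that passes, embedded certs are untrusted input.
     * Returns the accepted end-entity cert, or null if no group is acceptable.
     */
    static X509Certificate verifyAgainstAnyGroup(XMLSignature sig,
                                                 List<List<X509Certificate>> groups,
                                                 KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: revocation handled elsewhere; enable in production
        for (List<X509Certificate> group : groups) {
            // Do not assume the end-entity cert comes first: pick the one whose key matches.
            X509Certificate leaf = null;
            for (X509Certificate c : group) {
                if (sig.checkSignatureValue(c)) { leaf = c; break; }
            }
            if (leaf == null) continue;
            // Build the path leaf-first. Self-signed certs are dropped: the anchor
            // must come from our trust store, never from the signed message.
            List<X509Certificate> ordered = new ArrayList<>();
            ordered.add(leaf);
            for (X509Certificate c : group) {
                if (c != leaf && !c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                    ordered.add(c);
                }
            }
            try {
                cpv.validate(cf.generateCertPath(ordered), params);
                return leaf; // verified under this X509Data's PKI
            } catch (GeneralSecurityException e) {
                // not rooted in our anchors; the next X509Data may be
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        XMLSignature sig = new XMLSignature((Element) sigs.item(0), "");
        KeyInfo keyInfo = sig.getKeyInfo();

        List<List<X509Certificate>> groups = certsPerX509Data(keyInfo);
        for (int i = 0; i < groups.size(); i++) {
            System.out.println("X509Data #" + i + ": " + groups.get(i).size() + " certificate(s)");
            for (X509Certificate c : groups.get(i)) {
                System.out.println("  " + c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
            }
        }
        KeyStore trust = KeyStore.getInstance("PKCS12"); // assumption: anchors in args[1], password in args[2]
        trust.load(new FileInputStream(args[1]), args[2].toCharArray());
        X509Certificate accepted = verifyAgainstAnyGroup(sig, groups, trust);
        System.out.println(accepted == null ? "REJECTED" : "ACCEPTED via " + accepted.getSubjectX500Principal());
    }
}
```

The grouping matters for the validator side of Brent's scenario: a recipient that trusts only CA B must ignore the X509Data rooted in CA A rather than accept whichever certificate getX509Certificate() happens to pick, and it must never take a root from the message itself. Checking checkSignatureValue() against the candidate before chain validation also rules out an X509Data that merely rides along in the KeyInfo without holding the signing key.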


Re: XMLDsig and XML Signature API

Posted by Colm O hEigeartaigh <co...@apache.org>.
I don't think there is a valid use-case for having two certificates in the
KeyInfo of a Signature.

Colm.


On Thu, Mar 20, 2014 at 1:37 PM, M. D. <mo...@abv.bg> wrote:

>  Hello all,
>
> I'm trying to use the santuario api for signing xml documents.
>
> Just a quick question - this may sound stupid but according to the w3 spec
> http://www.w3.org/TR/xmldsig-core/#sec-X509Data
> a KeyInfo tag may contain more than one X509Data element and thus contain
> more than one embedded certificate.
>
> Then how come the org.apache.xml.security.keys.KeyInfo class has a
> getX509Certificate() method that returns only one certificate? Do I have a
> way of obtaining all embedded certificates in the XML?
>
> Thanks in advance for your understanding!
>
> Best regards,
> M.D.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com