Posted to dev@santuario.apache.org by Peter Bristow <pe...@gmail.com> on 2005/02/21 17:20:08 UTC

Ordering of certificates in KeyInfo

Hi
Can anyone tell me if it is dependable that the order in which certificates
are added to XMLSignature when signing is the same as that when
reading them out again at verify time? (By adding I mean
XMLCertificate.AddKeyInfo(), and by reading them out I mean
KeyInfo.itemX509Data(int i).)
Also, it would seem that when you add keys to a certificate it is one
at a time and in a "flat" fashion, yet when you read them out you get a
2D array effectively. How do you add multiple certificates at the same
time so you can have a chain inside each X509Data that you read out
rather than a single entry?

It's quite likely I'm barking so have your clue stick ready.

Thanks

Pete

RE: Ordering of certificates in KeyInfo

Posted by Scott Cantor <ca...@osu.edu>.
> concerned about interoperability. No order is implied by the 
> certificates stored in an X509Data element.

While this is strictly true, people that aren't using the fairly
well-established convention of signer/intermediate/intermediate/... should
be slapped with a fish. ;-)

Be strict in what you send, liberal in what you accept, and all that.

-- Scott


Re: Ordering of certificates in KeyInfo

Posted by Sean Mullan <Se...@Sun.COM>.
The Apache XMLSec library may maintain the order if you only use it to 
sign & verify signatures, but it is a bad assumption to make if you are 
concerned about interoperability. No order is implied by the 
certificates stored in an X509Data element. Furthermore, the order could 
be changed or certificates could be removed or added without affecting 
the signature (unless you also sign the KeyInfo). It should be fairly 
easy to write a method to check and reorder the certificates based on 
issuer/subject names. Or you could use the CertPathBuilder API in J2SE 
which can be used to build and validate an X.509 certificate chain with 
the standard PKIX algorithm.

--Sean

Peter Bristow wrote:
> Hi
> Can anyone tell me if it is dependable that the order in which certificates
> are added to XMLSignature when signing is the same as that when
> reading them out again at verify time? (By adding I mean
> XMLCertificate.AddKeyInfo(), and by reading them out I mean
> KeyInfo.itemX509Data(int i).)
> Also, it would seem that when you add keys to a certificate it is one
> at a time and in a "flat" fashion, yet when you read them out you get a
> 2D array effectively. How do you add multiple certificates at the same
> time so you can have a chain inside each X509Data that you read out
> rather than a single entry?
> 
> It's quite likely I'm barking so have your clue stick ready.
> 
> Thanks
> 
> Pete
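The two approaches Sean describes (reordering by issuer/subject names, and letting the J2SE CertPathBuilder build and PKIX-validate the path) and the signer/intermediate/... convention Scott refers to, as an added example that is not part of this thread and not code from Apache XMLSec. It assumes the verifier has already pulled the certificates out of KeyInfo into a plain collection (for instance from each X509Data's certificates) and treats that collection as unordered, since nothing in the signature fixes the order unless KeyInfo is itself signed. The file-loading main, the method names and the trust-anchor set are this example's own assumptions; the only real APIs used are java.security.cert and javax.security.auth.x500.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Added example: restore signer -> intermediate -> ... order from an unordered set of
 *  certificates, then hand the signer cert to CertPathBuilder for real PKIX validation. */
public final class CertChainOrder {

    /** Reorders certs as signer, its issuer, the issuer's issuer, ... by matching the issuer DN of
     *  each cert to the subject DN of the next, and verifies each signature along the way so that a
     *  DN match alone is never trusted. Throws if the set is not one linear chain. */
    public static List<X509Certificate> orderChain(Collection<X509Certificate> certs)
            throws GeneralSecurityException {
        if (certs.size() == 1) {
            return new ArrayList<>(certs); // a lone (possibly self-signed) cert is already ordered
        }
        Map<X500Principal, X509Certificate> bySubject = new HashMap<>();
        Set<X500Principal> issuerNames = new HashSet<>();
        for (X509Certificate c : certs) {
            if (bySubject.put(c.getSubjectX500Principal(), c) != null) {
                throw new CertificateException("duplicate subject: " + c.getSubjectX500Principal());
            }
            issuerNames.add(c.getIssuerX500Principal());
        }
        // The signer (end-entity) cert is the one no other cert in the set names as its issuer.
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            if (!issuerNames.contains(c.getSubjectX500Principal())) {
                if (leaf != null) {
                    throw new CertificateException("more than one end-entity certificate in the set");
                }
                leaf = c;
            }
        }
        if (leaf == null) {
            throw new CertificateException("no end-entity certificate found (cycle or all self-issued)");
        }
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = leaf;
        ordered.add(current);
        // Walk upward until we hit a self-signed cert or an issuer that is not in the set
        // (the latter is normal: the root usually lives in the verifier's trust store, not in KeyInfo).
        while (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            X509Certificate issuer = bySubject.get(current.getIssuerX500Principal());
            if (issuer == null) {
                break;
            }
            if (ordered.contains(issuer)) {
                throw new CertificateException("issuer cycle at " + issuer.getSubjectX500Principal());
            }
            current.verify(issuer.getPublicKey()); // throws if the DN match is not backed by a signature
            ordered.add(issuer);
            current = issuer;
        }
        if (ordered.size() != certs.size()) {
            throw new CertificateException("certificates present that are not on the signer's chain");
        }
        return ordered;
    }

    /** Builds and PKIX-validates a path from the signer cert to one of the given trust anchors,
     *  using the other KeyInfo certs only as candidate intermediates. Revocation checking is left at
     *  its default (enabled), so CRL/OCSP data must be reachable or supplied via a CertStore. */
    public static CertPath buildPath(X509Certificate signer, Collection<X509Certificate> candidates,
                                     Set<TrustAnchor> anchors) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    /** Usage (assumed input: DER or PEM certificate files, one per argument, in any order). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (String path : args) {
            try (InputStream in = new FileInputStream(path)) {
                certs.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        for (X509Certificate c : orderChain(certs)) {
            System.out.println(c.getSubjectX500Principal());
        }
    }
}
```

orderChain is the "check and reorder by issuer/subject names" method from Sean's reply, with the signature check added because two certificates can carry matching names without one having issued the other. buildPath is the CertPathBuilder route: it does not care about KeyInfo order at all, it only needs to know which certificate is the signer (the one whose key verified the signature) and a trust anchor set, and it discovers the intermediates from the supplied collection. Feeding every certificate taken from KeyInfo into the CertStore is safe; the builder still has to find a signed path back to an anchor, so extra or reordered certificates inserted by a third party cannot make an untrusted signer validate.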