Posted to dev@santuario.apache.org by Peter Bristow <pe...@gmail.com> on 2005/02/21 17:20:08 UTC
Ordering of certificates in KeyInfo
Hi
Can anyone tell me if it is dependable that the order certificates
added are added to XMLSignature when signing is the same as that when
reading them out again at verify time. (By adding I mean
XMLCertificate.AddKeyInfo() and reading them out meaning
KeyInfo.itemX509Data(int i) ).
Also it would seem that when you add keys to a certificate it is one
at a time and in a "flat" fashion yet when you read them out you get a
2d array effectively. How do you add multiple certificates at the same
time so you can have a chain inside each X509Data that you read out
rather than a single entry.
It's quite likely I'm barking so have your clue stick ready.
Thanks
Pete
RE: Ordering of certificates in KeyInfo
Posted by Scott Cantor <ca...@osu.edu>.
> concerned about interoperability. No order is implied by the
> certificates stored in an X509Data element.
While this is strictly true, people that aren't using the fairly
well-established convention of signer/intermediate/intermediate/... should
be slapped with a fish. ;-)
Be strict in what you send, liberal in what you accept, and all that.
-- Scott
Re: Ordering of certificates in KeyInfo
Posted by Sean Mullan <Se...@Sun.COM>.
The Apache XMLSec library may maintain the order if you only use it to
sign & verify signatures, but it is a bad assumption to make if you are
concerned about interoperability. No order is implied by the
certificates stored in an X509Data element. Furthermore, the order could
be changed or certificates could be removed or added without affecting
the signature (unless you also sign the KeyInfo). It should be fairly
easy to write a method to check and reorder the certificates based on
issuer/subject names. Or you could use the CertPathBuilder API in J2SE
which can be used to build and validate an X.509 certificate chain with
the standard PKIX algorithm.
--Sean
Peter Bristow wrote:
> Hi
> Can anyone tell me if it is dependable that the order certificates
> added are added to XMLSignature when signing is the same as that when
> reading them out again at verify time. (By adding I mean
> XMLCertificate.AddKeyInfo() and reading them out meaning
> KeyInfo.itemX509Data(int i) ).
> Also it would seem that when you add keys to a certificate it is one
> at a time and in a "flat" fashion yet when you read them out you get a
> 2d array effectively. How do you add multiple certificates at the same
> time so you can have a chain inside each X509Data that you read out
> rather than a single entry.
>
> It's quite likely I'm barking so have your clue stick ready.
>
> Thanks
>
> Pete
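The two options Sean mentions, a home-grown issuer/subject reorder and the J2SE CertPathBuilder, as an added example (not code from the thread or from the Apache XMLSec project). It uses only the standard java.security.cert API; the class name ChainOrder, the method names, and the assumption that args[0] names a PEM bundle holding one chain (leaf, intermediates and root in any order) are mine. The name-based reorder is followed by a signature check, because matching DNs alone proves nothing about who signed what; for the CertPathBuilder part the bundle's own root is used as the trust anchor purely to keep the demo self-contained, whereas real validation would take anchors from a trust store and enable revocation checking.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class ChainOrder {

    /**
     * Reorder a set of certificates into signer / issuer-of-signer / ... / root by
     * matching each certificate's issuer DN to another certificate's subject DN.
     * Assumes one chain with distinct subject names; cross-signed bundles with
     * repeated subjects are a job for CertPathBuilder below, not for this method.
     */
    static List<X509Certificate> orderChain(Collection<X509Certificate> certs) {
        Map<X500Principal, X509Certificate> bySubject = new HashMap<>();
        Set<X500Principal> issuers = new HashSet<>();
        for (X509Certificate c : certs) {
            if (bySubject.put(c.getSubjectX500Principal(), c) != null) {
                throw new IllegalArgumentException("duplicate subject: " + c.getSubjectX500Principal());
            }
            issuers.add(c.getIssuerX500Principal());
        }
        // The end-entity certificate is the one whose subject nobody names as issuer.
        // A self-signed root names itself, so it never qualifies here.
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            if (!issuers.contains(c.getSubjectX500Principal())) {
                if (leaf != null) throw new IllegalArgumentException("more than one end-entity certificate");
                leaf = c;
            }
        }
        if (leaf == null) {
            if (certs.size() == 1) leaf = certs.iterator().next(); // a lone self-signed cert
            else throw new IllegalArgumentException("no end-entity certificate found (cycle?)");
        }
        // Walk issuer links from the leaf until a self-signed root or a missing issuer.
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate cur = leaf;
        while (cur != null && !ordered.contains(cur)) {
            ordered.add(cur);
            X509Certificate issuer = bySubject.get(cur.getIssuerX500Principal());
            cur = (issuer == cur) ? null : issuer;
        }
        if (ordered.size() != certs.size()) {
            throw new IllegalArgumentException("certificates do not form a single chain");
        }
        return ordered;
    }

    /** Check that each certificate really was signed by the next one (root by itself). */
    static void verifySignatures(List<X509Certificate> ordered) throws GeneralSecurityException {
        for (int i = 0; i < ordered.size(); i++) {
            X509Certificate signer = (i + 1 < ordered.size()) ? ordered.get(i + 1) : ordered.get(i);
            ordered.get(i).verify(signer.getPublicKey()); // throws on mismatch
        }
    }

    /** Let the PKIX CertPathBuilder find and validate the path from leaf to a trust anchor. */
    static CertPath buildPath(X509Certificate leaf, Collection<X509Certificate> pool,
                              Set<TrustAnchor> anchors) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // demo only: no CRL/OCSP source is configured here
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a PEM bundle containing one chain in arbitrary order.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        Collections.shuffle(certs); // simulate X509Data arriving in any order
        List<X509Certificate> ordered = orderChain(certs);
        verifySignatures(ordered);
        for (X509Certificate c : ordered) System.out.println(c.getSubjectX500Principal());

        // Demo only: trust the bundle's own root. Real code takes anchors from a trust store.
        X509Certificate root = ordered.get(ordered.size() - 1);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(root, null));
        CertPath path = buildPath(ordered.get(0), certs, anchors);
        System.out.println("PKIX path length (trust anchor not included): " + path.getCertificates().size());
    }
}
```

Run it as `java ChainOrder chain.pem`. The PKIX builder returns the path without the trust anchor, so a leaf/intermediate/root bundle prints a path length of 2; if the leaf's issuer is missing from the pool, or a signature does not verify, CertPathBuilderException is thrown instead of a silently wrong order.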