[xmlsec] PKCS12 certificate chains redux

Aleksey Sanin aleksey@aleksey.com
Fri, 11 Apr 2003 10:56:29 -0700


Sure :) When you are extracting a key from certificates there is one "special" certificate: the one that actually contains the key. In the xmlsec-openssl library, an application may access this certificate through the following functions:
        xmlSecOpenSSLKeyDataX509GetKeyCert
        xmlSecOpenSSLKeyDataX509AdoptKeyCert
Since the certificate "duplicate" operation for OpenSSL is only a ref count increment, I've decided that it's simpler to have two "copies" of this special certificate: one in the certificate chain and one in the special separate member of the xmlSecOpenSSLKeyDataX509 object.

Now if we go back to pkcs12 files, you'll see that we have exactly the same situation: there is a special "key" certificate and all other chain certificates. From an application point of view, it makes perfect sense to also have access to this "key certificate". And I remember that this was actually a "feature request" from someone a couple of months ago :)

As I wrote, certificate duplication in openssl is cheap. It's possible that another xmlsec-crypto library implementation will have only one copy of the certificate. As you can see from the function names, this is crypto library specific code :)

Aleksey

Jesse Pelton wrote:

>In version 0.1.1, xmlSecOpenSSLAppPkcs12Load() makes two copies of the key
>certificate. One is adopted as a key certificate, the other is adopted in
>the certificate chain.  This is somewhat confusing and a bit inefficient,
>but I imagine there's a reason for the second copy.  Can you explain?
>_______________________________________________
>xmlsec mailing list
>xmlsec@aleksey.com
>http://www.aleksey.com/mailman/listinfo/xmlsec
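The ownership model described in this thread, as an added illustration that is not xmlsec or OpenSSL code: a constructed stand-in for X509 where "duplicate" is a reference-count increment, a hypothetical layout for the xmlSecOpenSSLKeyDataX509 object, and adopt functions that take ownership of the reference passed in, so the key certificate can sit in both the key-cert member and the chain without a deep copy or a double free.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's X509 object: as in OpenSSL, "duplicating"
 * it only bumps a reference count; the certificate bytes are never copied. */
typedef struct { int refs; char subject[32]; } Cert;

static Cert *cert_new(const char *subject) {
    Cert *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->refs = 1;
    strncpy(c->subject, subject, sizeof c->subject - 1);
    return c;
}
static Cert *cert_up_ref(Cert *c) { c->refs++; return c; }          /* the cheap "duplicate" */
static void cert_free(Cert *c) { if (c && --c->refs == 0) free(c); } /* last holder frees */

/* Hypothetical model of xmlSecOpenSSLKeyDataX509: one member for the certificate
 * that holds the key, plus the chain that also contains that certificate. */
#define CHAIN_MAX 4
typedef struct { Cert *key_cert; Cert *chain[CHAIN_MAX]; int n; } KeyDataX509;

/* "Adopt" functions take ownership of the reference they are handed. */
static int adopt_key_cert(KeyDataX509 *d, Cert *c) { cert_free(d->key_cert); d->key_cert = c; return 0; }
static int adopt_chain_cert(KeyDataX509 *d, Cert *c) {
    if (d->n >= CHAIN_MAX) return -1;
    d->chain[d->n++] = c;
    return 0;
}
static void key_data_free(KeyDataX509 *d) {
    cert_free(d->key_cert);                                 /* drops one reference */
    for (int i = 0; i < d->n; i++) cert_free(d->chain[i]);  /* drops the other */
}

/* Mirrors the PKCS#12 load from the thread: the key certificate is adopted twice,
 * once as the key cert and once into the chain, yet only one object exists. */
static int load_model(KeyDataX509 *d, Cert *key_cert, Cert *ca) {
    memset(d, 0, sizeof *d);
    if (adopt_key_cert(d, cert_up_ref(key_cert)) < 0) return -1;  /* second "copy" */
    if (adopt_chain_cert(d, key_cert) < 0) return -1;             /* original reference */
    if (adopt_chain_cert(d, ca) < 0) return -1;
    return key_cert->refs;                                        /* 2 holders, 1 object */
}

/* Returns 1 when the two "copies" behave as described: same object, refcount 2
 * after load, still alive after one holder releases, freed cleanly at the end. */
static int demo(void) {
    KeyDataX509 d;
    Cert *key = cert_new("CN=key cert"), *ca = cert_new("CN=issuing CA");
    int ok = load_model(&d, key, ca) == 2 && d.key_cert == d.chain[0];
    cert_free(d.key_cert); d.key_cert = NULL;      /* release the key-cert slot only */
    ok = ok && d.chain[0]->refs == 1 && ca->refs == 1;
    key_data_free(&d);                             /* last references go; no double free */
    return ok;
}
```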