[xmlsec] question: *X509VerifyAndExtractKey

Tejkumar Arora tej@netscape.com
Wed, 28 May 2003 17:53:44 -0700


Hi Aleksey,

After you read in <X509Data>, you invoke *X509VerifyAndExtractKey to
identify a valid cert that contains the key to be used.

In *X509VerifyAndExtractKey, you invoke
         *X509StoreVerify(x509store, certs_from_<X509Data>, crls_from_<X509Data>....)

In *X509StoreVerify, the list of certs you search is
          certs_from_<X509Data> + untrusted certs from x509store.

The issue is: why do you add "untrusted certs from x509store"?
I think I know why, but wanted to hear it from you.

The spec is a bit ambiguous about whether the certs_from_<X509Data>
contains the public key to be used.

1. "All certificates appearing in an X509Data element MUST relate
to the validation key by either containing it or being part
of a certification chain that terminates in a certificate containing
the validation key."

This implies that the key may not be in certs_from_<X509Data>.

2. "Whenever multiple certificates occur in an X509Data element, at
least one such certificate must contain the public key which verifies
the signature."

This implies that the key MUST be in certs_from_<X509Data>.
My feeling is that (2) is talking about all <X509Data> elements
under keyinfo, not just one.


thanks,

-Tej