[xmlsec] question: *X509VerifyAndExtractKey

Tejkumar Arora tej@netscape.com
Wed, 28 May 2003 18:07:34 -0700


Tejkumar Arora wrote:

 >
 > Hi Aleksey,
 >
 > After you read in <X509Data>, you invoke *X509VerifyAndExtractKey to
 > identify a valid cert that contains the key to be used.
 >
 > In *X509VerifyAndExtractKey, you invoke
 >          *X509StoreVerify(x509store, certs_from_<X509Data>,
 > crls_from_<X509Data>....)
 >
 > In *X509StoreVerify, the list of certs you search is
 >           certs_from_<X509Data> + untrusted certs from x509store.

A related question: Are you accounting for multiple <X509Data>
elements under <KeyInfo> ?.

I see in the logic that you call *X509VerifyAndExtractKey
immediately after reading one <X509Data> element.....


-Tej

 >
 > The issue is: why do you add "untrusted certs from x509store.".
 > I think I know why, but wanted to hear it from you.
 >
 > The spec is a bit ambiguous about whether the certs_from_<X509Data>
 > contains the public key to be used.
 >
 > 1. "All certificates appearing in an X509Data element MUST relate
 > to the  validation key by either containing it or being part
 > of a certification chain that   terminates in a  certificate containing
 > the validation key."
 >
 > This implies that the key may not be in certs_from_<X509Data>
 >
 > 2.  "Whenever multiple certificates occur in an X509Data element, at
 > least one such certificate must contain the public key which verifies
 > the signature. "
 >
 > This implies that the key MUST be in certs_from_<X509Data>.
 > My feeling is that (2) is talking about all <X509Data> elements
 > under keyinfo, not just one.
 >
 >
 > thanks,
 >
 > -Tej