[xmlsec] question: *X509VerifyAndExtractKey
Tejkumar Arora
tej@netscape.com
Wed, 28 May 2003 18:07:34 -0700
Tejkumar Arora wrote:
>
> Hi Aleksey,
>
> After you read in <X509Data>, you invoke *X509VerifyAndExtractKey to
> identify a valid cert that contains the key to be used.
>
> In *X509VerifyAndExtractKey, you invoke
> *X509StoreVerify(x509store, certs_from_<X509Data>,
> crls_from_<X509Data>....)
>
> In *X509StoreVerify, the list of certs you search is
> certs_from_<X509Data> + untrusted certs from x509store.
A related question: are you accounting for multiple <X509Data>
elements under <KeyInfo>?
I see in the logic that you call *X509VerifyAndExtractKey
immediately after reading one <X509Data> element...
-Tej
>
> The issue is: why do you add "untrusted certs from x509store.".
> I think I know why, but wanted to hear it from you.
>
> The spec is a bit ambiguous about whether the certs_from_<X509Data>
> contains the public key to be used.
>
> 1. "All certificates appearing in an X509Data element MUST relate
> to the validation key by either containing it or being part
> of a certification chain that terminates in a certificate containing
> the validation key."
>
> This implies that the key may not be in certs_from_<X509Data>
>
> 2. "Whenever multiple certificates occur in an X509Data element, at
> least one such certificate must contain the public key which verifies
> the signature."
>
> This implies that the key MUST be in certs_from_<X509Data>.
> My feeling is that (2) is talking about all <X509Data> elements
> under <KeyInfo>, not just one.
>
>
> thanks,
>
> -Tej
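The chain-building behaviour discussed above (candidate certs taken from <X509Data>, untrusted certs from the store used only to fill gaps in the chain, and only trust anchors allowed to terminate it), as an added Python model. This is not xmlsec's code: the record type, the function names, the "leaf-most candidate" rule and the constructed certificates are all assumptions, and there is no X.509 parsing or signature checking, only issuer/subject walking. The last case shows the difference between verifying each <X509Data> element on its own and pooling all of them under one <KeyInfo>.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real DER here)."""
    subject: str
    issuer: str
    key_id: str  # stands in for the public key carried by the cert


@dataclass
class X509Store:
    trusted: List[Cert]    # trust anchors
    untrusted: List[Cert]  # intermediates loaded into the store, not trusted by themselves


def build_chain(leaf: Cert, pool: List[Cert], trusted: List[Cert],
                max_depth: int = 8) -> Optional[List[Cert]]:
    """Follow issuer links from `leaf` through `pool` until a trust anchor is hit.

    Returns the chain (leaf first, anchor last) or None. Untrusted certs may
    appear in the middle of the chain but never terminate it; a self-signed
    cert that is not an anchor ends the walk without success.
    """
    chain = [leaf]
    cur = leaf
    for _ in range(max_depth):
        anchor = next((t for t in trusted if t.subject == cur.issuer), None)
        if anchor is not None:
            return chain + [anchor]
        if cur.issuer == cur.subject:
            return None  # self-signed but not a trust anchor
        issuer = next((c for c in pool if c.subject == cur.issuer and c not in chain), None)
        if issuer is None:
            return None  # gap: issuer neither in <X509Data> nor among untrusted store certs
        chain.append(issuer)
        cur = issuer
    return None


def verify_and_extract_key(x509data_elements: List[List[Cert]],
                           store: X509Store) -> Optional[str]:
    """Model of a *X509VerifyAndExtractKey step run over every <X509Data> given.

    x509data_elements: one list of certs per <X509Data> element.
    Search pool for chain building = certs from <X509Data> + untrusted store certs.
    Candidate leaves (assumption): <X509Data> certs that issue no other <X509Data> cert.
    Returns the key id of the first candidate with a chain to a trust anchor.
    """
    from_x509data = [c for element in x509data_elements for c in element]
    pool = from_x509data + store.untrusted
    issuer_names = {c.issuer for c in from_x509data}
    candidates = [c for c in from_x509data if c.subject not in issuer_names] or from_x509data
    for cand in candidates:
        if build_chain(cand, pool, store.trusted) is not None:
            return cand.key_id
    return None


# Constructed sample certificates: root -> issuing CA -> signer
ROOT = Cert("CN=Example Root", "CN=Example Root", "k-root")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root", "k-inter")
LEAF = Cert("CN=signer", "CN=Example Issuing CA", "k-leaf")


def case_intermediate_from_store() -> Optional[str]:
    """<X509Data> carries only the leaf; the store's untrusted list completes the chain."""
    store = X509Store(trusted=[ROOT], untrusted=[INTER])
    return verify_and_extract_key([[LEAF]], store)


def case_chain_gap() -> Optional[str]:
    """Intermediate is nowhere to be found: no chain, no key."""
    store = X509Store(trusted=[ROOT], untrusted=[])
    return verify_and_extract_key([[LEAF]], store)


def case_untrusted_root_is_not_an_anchor() -> Optional[str]:
    """A root sitting in the untrusted list can fill the chain but cannot terminate it."""
    store = X509Store(trusted=[], untrusted=[INTER, ROOT])
    return verify_and_extract_key([[LEAF]], store)


def case_split_across_x509data(per_element: bool):
    """Intermediate in one <X509Data>, leaf in another.

    per_element=True verifies each element in isolation (the first yields the
    intermediate's key, which is not the signing key; the second finds no chain).
    per_element=False pools both elements and resolves the signer's key.
    """
    store = X509Store(trusted=[ROOT], untrusted=[])
    elements = [[INTER], [LEAF]]
    if per_element:
        return [verify_and_extract_key([e], store) for e in elements]
    return verify_and_extract_key(elements, store)


if __name__ == "__main__":
    print(case_intermediate_from_store(), case_chain_gap(),
          case_untrusted_root_is_not_an_anchor(),
          case_split_across_x509data(True), case_split_across_x509data(False))
```

In the split case the per-element run returns the intermediate's key for the first element, because with nothing else in that element the intermediate is the only candidate and it chains straight to the root; a downstream signature check with that key would then fail, which is why pooling every <X509Data> under the same <KeyInfo> before picking the validation cert matters.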