[xmlsec] question: *X509VerifyAndExtractKey

Aleksey Sanin aleksey@aleksey.com
Wed, 28 May 2003 18:35:11 -0700


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
<br>
<blockquote type="cite" cite="mid3ED55A18.40208@netscape.com">
  <pre wrap="">The issue is: why do you add "untrusted certs from x509store.".
I think I know why, but wanted to hear it from you.
  </pre>
</blockquote>
First of all, lets make clear that we are talking here about
xmlSecOpenSSL* functions. <br>
Nobody said that other crypto&nbsp; libraries should do the same. Because
OpenSSL just <br>
ignores these certs. This is a workaround for a "todo" in OpenSSL
sources. Probably <br>
other implementations should not do it.<br>
<br>
<blockquote type="cite" cite="mid3ED55A18.40208@netscape.com">
  <pre wrap="">The spec is a bit ambiguous about whether the certs_from_&lt;X509Data&gt;
contains the public key to be used.
  </pre>
</blockquote>
It took some time and few XMLDSig mailing list searches before I
painted the full <br>
picture myself. My understanding is that:<br>
<br>
1) all certs included or pointed to in a single &lt;dsig:X509Data/&gt;
element should<br>
either contain a signature key or be a part of certificates chain that
points to <br>
signature key;<br>
2) one  &lt;dsig:X509Data/&gt; element may contain multiple key
certificates or certificates<br>
chains but all of them (of course) contain *the same* key (for example,
you can put <br>
multiple certs with the same key signed with different root certs);<br>
3) all certs for one certificate chain MUST be placed in one 
&lt;dsig:X509Data/&gt; element.<br>
<br>
Examples (A0,A1,A2 and B0,B1,B2 are certificates chains with same key
in A0 and <br>
B0 certs):<br>
<br>
1.  (good) All in one.<br>
One &lt;dsig:X509Data/&gt; element contain all 6 certs: A0, A1, A2, B0,
B1 and B2.<br>
<br>
2. (good) Two &lt;dsig:X509Data/&gt; elements.<br>
First &lt;dsig:X509Data/&gt; element contain A0, A1 and A2. Second 
&lt;dsig:X509Data/&gt;<br>
element contain B0, B1 and B2.<br>
<br>
3. (bad) Invalid mix.<br>
First  &lt;dsig:X509Data/&gt; element contain A0 and A1. Second 
&lt;dsig:X509Data/&gt; element<br>
has A2, B0, B1 and B2.<br>
<br>
4. (bad) Unrelated cert.<br>
One &lt;dsig:X509Data/&gt; element contain all 6 certs plus one
unrelated cert: A0, A1, A2, B0, <br>
B1, B2 and C (where C is something not related to A's and B's chain and
do not contain<br>
signature key).<br>
<br>
<br>
<br>
Aleksey<br>
<br>
<br>
</body>
</html>