santuario-dev mailing list archives

From Vishal Mahajan <>
Subject Re: Validating certificates
Date Thu, 31 Mar 2005 18:16:12 GMT
For validating certificates, instead of writing your own code for
locating the issuer certificate, try using the API. It helps build the
certificate path from the given certificate to its root CA.


Kenneth Jensen wrote:

>Hey guys, 
>I am working on an XKMS implementation, to some extent based on the
> library.
>When validating X509 certificates, I need a smart way of resolving the
>certificate of the issuer of another certificate.
>If I get a certificate for validation, I can do one of these:
>1) Read the Issuer Distinguished Name (or derivatives thereof)
>2) Read the X509 extensions, and try to find the Issuer DN and Issuer Serial.
>My questions are now:
>*) Can I be sure that the Issuer DN is globally unique, and will
>identify exactly the
>   certificate I need? ( I would think no, but I'm not sure).
>*) How do I get the Issuer DN and serial out from the extensions? The
>only thing I seem to be able to do, is get a Set of OID-strings, of
>which I presumably need the one called "" - which, when the
>cert is printed out, looks like it contains values for
>"AuthorityKeyIdentifier" and Issuer DN and Issuer Serial. I'm not
>really familiar with ASN.1, and binary data formats in general, and the
>RFC2459 is not much help either.
>*) How do I resolve a certificate from a Issuer DN, if I don't have it
>in my database already? Say, if the certificate C to be validated is
>signed by CA-X, whose certificate is signed by CA-Y, and I have CA-Y's
>cert in my list of trusted certificate authorities. Am I dependent on
>the certificate C attaching CA-X's cert, or is there a neat way of
>looking up a certificate across the 'net?
>The simple solution is to have a manually maintained list of trusted
>certificates, and then looking one of those up based on the Subject
>DN ( Issuer DN in the certificate to be validated), while calculating
>that I will never come across two different certificates with the same
>Subject DN string. In that case, I could try and validate with all the
>certificates with the same Subject DN, but that doesn't seem very
>Any comments are welcome - I could really use some feedback. ;-)
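
As an added illustration (not code from this thread, from Santuario, or from the API the reply refers to, whose name is missing from the archive), the Go program below constructs a hypothetical hierarchy in memory: CA-Y as the trust anchor, CA-X issued by CA-Y, an end-entity C issued by CA-X, and a second self-signed CA that reuses CA-X's Subject DN with an unrelated key. It contrasts the hand-rolled lookup the question describes (first certificate whose Subject DN equals C's Issuer DN) with a lookup that pairs the AuthorityKeyIdentifier of C with the SubjectKeyIdentifier of each candidate and confirms the signature, and then hands the same certificates to Go's crypto/x509 chain builder, which is the library-level equivalent of what the reply recommends. The CA names, serial numbers and the imposter CA are all constructed for the example; it assumes Go 1.18 or later and only the standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hierarchy constructed in memory for this example: CA-Y (trusted
// root) signs CA-X, CA-X signs the end-entity C, and a second self-signed CA
// reuses CA-X's Subject DN with a different key pair.
type pki struct {
	rootY, caX, caXImposter, leafC *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate builds a CA template. CreateCertificate derives a SubjectKeyIdentifier
// for CA templates and copies the parent's into the child's AuthorityKeyIdentifier,
// which is what the key-id lookup below relies on.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func buildPKI() *pki {
	yKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	xKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	impKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	yTmpl := caTemplate(1, "CA-Y")
	rootY := sign(yTmpl, yTmpl, &yKey.PublicKey, yKey)
	caX := sign(caTemplate(2, "CA-X"), rootY, &xKey.PublicKey, yKey)
	impTmpl := caTemplate(3, "CA-X") // same DN as CA-X, unrelated key, not under CA-Y
	imposter := sign(impTmpl, impTmpl, &impKey.PublicKey, impKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "C"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafC := sign(leafTmpl, caX, &cKey.PublicKey, xKey)
	return &pki{rootY: rootY, caX: caX, caXImposter: imposter, leafC: leafC}
}

// naiveIssuer is the hand-rolled lookup the thread asks about: the first candidate
// whose Subject DN equals the leaf's Issuer DN, with no signature check.
func naiveIssuer(leaf *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if bytes.Equal(c.RawSubject, leaf.RawIssuer) {
			return c
		}
	}
	return nil
}

// issuerByKeyID matches the leaf's already-parsed AuthorityKeyIdentifier against each
// candidate's SubjectKeyIdentifier and confirms the signature; this is what tells two
// CAs with the same Subject DN apart.
func issuerByKeyID(leaf *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if bytes.Equal(c.SubjectKeyId, leaf.AuthorityKeyId) && leaf.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}

// chainTo lets the library build the path leaf -> intermediates -> trust anchor and
// returns the subject CNs along it, leaf first.
func chainTo(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) ([]string, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	p := buildPKI()
	pool := []*x509.Certificate{p.caXImposter, p.caX}
	fmt.Println("naive DN lookup picks the imposter:", naiveIssuer(p.leafC, pool) == p.caXImposter)
	fmt.Println("key-id lookup picks the real CA-X:", issuerByKeyID(p.leafC, pool) == p.caX)
	names, err := chainTo(p.leafC, []*x509.Certificate{p.rootY}, pool)
	fmt.Println("library-built path:", names, err)
	_, err = chainTo(p.leafC, []*x509.Certificate{p.rootY}, []*x509.Certificate{p.caXImposter})
	fmt.Println("with only the imposter CA-X available:", err)
}
```

The last call answers the third question in the quoted message: if CA-X's real certificate is not in the caller's store (only the trust anchor CA-Y is), the path cannot be built and the library reports an unknown authority rather than guessing; the intermediate has to come from the message itself, a local store, or the AIA/caIssuers location if the verifier fetches it.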
