santuario-dev mailing list archives

From Kenneth Jensen <xml...@gmail.com>
Subject Validating certificates
Date Thu, 31 Mar 2005 14:18:19 GMT
Hey guys, 

I am working on an XKMS implementation, to some extent based on the
org.apache.xml.security library.

When validating X509 certificates, I need a smart way of resolving the
certificate of the issuer of another certificate.

If I get a certificate for validation, I can do one of these:

1) Read the Issuer Distinguished Name (or derivatives thereof)
2) Read the X509 extensions, and try to find the Issuer DN and Issuer Serial.

My questions are now:
*) Can I be sure that the Issuer DN is globally unique, and will
identify exactly the certificate I need? (I would think no, but I'm not sure).

*) How do I get the Issuer DN and serial out from the extensions? The
only thing I seem to be able to do is get a Set of OID-strings, of
which I presumably need the one called "2.5.29.15" - which, when the
cert is printed out, looks like it contains values for
"AuthorityKeyIdentifier" and Issuer DN and Issuer Serial. I'm not
really familiar with ASN.1, and binary data formats in general, and
RFC2459 is not much help either.

*) How do I resolve a certificate from an Issuer DN, if I don't have it
in my database already? Say, if the certificate C to be validated is
signed by CA-X, whose certificate is signed by CA-Y, and I have CA-Y's
cert in my list of trusted certificate authorities. Am I dependent on
the certificate C attaching CA-X's cert, or is there a neat way of
looking up a certificate across the 'net?

The simple solution is to have a manually maintained list of trusted
certificates, and then look one of those up based on the Subject
DN (Issuer DN in the certificate to be validated), while calculating
that I will never come across two different certificates with the same
Subject DN string. In that case, I could try and validate with all the
certificates with the same Subject DN, but that doesn't seem very
sane...

Any comments are welcome - I could really use some feedback. ;-)

---
Thanks.
Kenneth
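The following is an added example, not code from this thread or from the Santuario project, showing the two things the message asks about on the plain JDK `java.security.cert` API: reading the AuthorityKeyIdentifier extension (OID 2.5.29.35 in RFC 2459; 2.5.29.15 is KeyUsage) out of the raw bytes that `X509Certificate.getExtensionValue()` returns, and resolving the issuer chain with the PKIX `CertPathBuilder`. The builder matches candidates on the issuer DN and key identifier and rejects any whose key does not verify the signature, so two cached CA certificates with the same Subject DN do not have to be told apart by the DN string alone. It assumes certificate files (PEM or DER) on the command line; the class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class IssuerResolver {

    // AuthorityKeyIdentifier extension, RFC 2459 section 4.2.1.1.
    static final String AKI_OID = "2.5.29.35";

    /** Minimal DER cursor: just enough to walk the AKI structure. */
    static final class Der {
        final byte[] b; int pos;
        Der(byte[] b, int pos) { this.b = b; this.pos = pos; }
        int tag() { return b[pos] & 0xff; }
        /** Consumes tag and length, leaves pos at the value, returns the value length. */
        int enter() {
            pos++;                                   // tag byte
            int len = b[pos++] & 0xff;
            if ((len & 0x80) != 0) {                 // long form: next n bytes carry the length
                int n = len & 0x7f; len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (b[pos++] & 0xff);
            }
            return len;
        }
    }

    /** Decoded AuthorityKeyIdentifier; each field is null when the CA omitted it. */
    static final class Aki {
        byte[] keyIdentifier; X500Principal issuer; BigInteger serial;
    }

    static Aki parseAki(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(AKI_OID);
        if (ext == null) return null;                // extension absent
        Der d = new Der(ext, 0);
        if (d.tag() != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        d.enter();                                   // getExtensionValue() wraps the value in an OCTET STRING
        if (d.tag() != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        int end = d.pos;                             // placeholder, fixed below once the length is known
        end = d.pos + d.enter() + (d.pos - end);     // end of the SEQUENCE value
        Aki aki = new Aki();
        while (d.pos < end) {
            int tag = d.tag();
            int len = d.enter();
            switch (tag) {
                case 0x80:                           // [0] keyIdentifier, primitive OCTET STRING
                    aki.keyIdentifier = Arrays.copyOfRange(d.b, d.pos, d.pos + len);
                    break;
                case 0xA1:                           // [1] authorityCertIssuer: GeneralNames; read a directoryName [4]
                    Der gn = new Der(d.b, d.pos);
                    if (gn.tag() == 0xA4) {
                        int nameLen = gn.enter();    // explicit tag: content is the DER Name itself
                        aki.issuer = new X500Principal(Arrays.copyOfRange(gn.b, gn.pos, gn.pos + nameLen));
                    }
                    break;
                case 0x82:                           // [2] authorityCertSerialNumber, primitive INTEGER
                    aki.serial = new BigInteger(Arrays.copyOfRange(d.b, d.pos, d.pos + len));
                    break;
                default:
                    break;                           // unknown field: skip it
            }
            d.pos += len;
        }
        return aki;
    }

    /**
     * Builds and validates the path from cert up to one of the trust anchors.
     * candidates is the local cache of known CA certificates (the "manually
     * maintained list" from the message); the PKIX builder chooses among them.
     */
    static CertPath resolveChain(X509Certificate cert, Collection<X509Certificate> candidates,
                                 Set<TrustAnchor> anchors, boolean checkRevocation) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(cert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        params.setRevocationEnabled(checkRevocation); // CRL checking needs CRLs in a CertStore
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java IssuerResolver leaf.pem trusted-root.pem [intermediate.pem ...]
    public static void main(String[] args) throws Exception {
        X509Certificate leaf = load(args[0]);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(load(args[1]), null));
        List<X509Certificate> candidates = new ArrayList<>();
        for (int i = 2; i < args.length; i++) candidates.add(load(args[i]));

        System.out.println("Issuer DN : " + leaf.getIssuerX500Principal());
        Aki aki = parseAki(leaf);
        if (aki != null) {
            System.out.println("AKI keyid : " + (aki.keyIdentifier == null ? "-"
                    : new BigInteger(1, aki.keyIdentifier).toString(16)));
            System.out.println("AKI issuer: " + aki.issuer + ", serial: " + aki.serial);
        }
        CertPath path = resolveChain(leaf, candidates, anchors, false);
        for (Certificate c : path.getCertificates())
            System.out.println("chain     : " + ((X509Certificate) c).getSubjectX500Principal());
    }
}
```

`CertPathBuilder.build()` throws `CertPathBuilderException` when no path to an anchor exists, which is the case the message describes when CA-X's certificate is neither attached to C nor in the local cache; the JDK does not fetch missing issuer certificates over the network by itself, so whatever is not in the cache has to be supplied (for example from an AIA URL) before building. The returned path excludes the trust anchor, and with `checkRevocation` true the builder expects CRLs to be present in a `CertStore` as well.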
