santuario-dev mailing list archives

From Tech Rams <techmail...@yahoo.com>
Subject RE: How to uniquely identify a X509 Certificate ?
Date Mon, 29 Aug 2005 16:52:47 GMT
Couple of points, actually:
1. Not sure how you can avoid signature verification -
the very reason a signature is provided is to ensure
that data is not modified on the way (plus sender
authentication). This means you will have to verify
the signature for every message you receive.

2. One way to uniquely identify a certificate is using
the issuer's DN and serial #. You can get that info
from the certificate. If it is a V3 certificate you
can also use Subject Key Identifier along with the
Subject DN. But I am not sure that could be unique
across certificates issued to the same DN across
multiple CAs. If that risk is not there, you can use
that.
--- Miha Vidmar <miha.vidmar@hermes.si> wrote:

> Hi,
> 
> I'm having a similar sort of a problem, only I'm
> validating certificate
> chains. 
> 
> A unique identifier for certificates could be Issuer
> and certificate serial
> number and are relatively easy to obtain.
> 
> For you I would recommend comparing Issuer.SubjectDN
> and current certificate
> serial number. But it's not 100% safe, since
> multiple CAs can have the same
> SubjectDN (not likely, unless somebody is trying to
> hack). I have yet to
> figure out how to compare Certificate Authority Key
> Identifiers, which would
> be safe to use.
> 
> Miha
> 
> -----Original Message-----
> From: Kr [mailto:babloosony@gmail.com] 
> Sent: Monday, August 29, 2005 3:24 PM
> To: security-dev@xml.apache.org
> Subject: How to uniquely identify a X509 Certificate
> ?
> 
> Hi All,
> 
> Basically I am doing the w3c's
> xml-signature-verification-process for a web
> service on the server side. For this I extract the
> certificate from the
> signature and compare it between requests. Say if I
> get the request for the
> first time then I'll extract the certificate as
> bytes and compute the
> message digest and put it in a java HashMap as key
> (key being Certificate's
> SubjectDN) value object. Next time when the same
> request comes then I'll
> repeat the above process and compare the digest with
> the HashMap values and
> if a match is found then I would avoid signature
> verification process. Using
> all this I want to save the time consumed by
> xml-signature verification
> process.
> 
> Now my question is, how to uniquely identify a
> certificate. If I open the
> X509 Version 3 Certificate using tools like java
> keytool, KeyStore Explorer
> then I can MD5-Fingerprint and SHA1-Fingerprint and
> I guess these are unique
> to a certificate. Are these fingerprints unique for a
> certificate ? If my
> understanding is correct then are there any java
> API's available for us to
> extract these fingerprints and help me in uniquely
> identifying the
> certificates.
> 
> Please suggest ...
> 
> 
> Thanks & Regards,
> Kr.
> 



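The three identifiers discussed in this thread (the fingerprint keytool prints, issuer DN plus serial number, and the v3 Subject Key Identifier) computed with the standard JDK certificate API. This is an added example, not code from the original messages or from Santuario; it assumes the certificate is read from a file path given on the command line.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Identifiers for an X.509 certificate (added example; not part of Santuario or this thread). */
public final class CertIdentity {
    /** Fingerprint: digest of the DER encoding, which is what keytool prints as MD5/SHA1 Fingerprint. */
    public static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return toHex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }
    /** Issuer DN (RFC 2253 form) plus serial number: unique among certificates issued by one CA. */
    public static String issuerAndSerial(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName() + " serial=" + cert.getSerialNumber().toString(16);
    }
    /** Subject Key Identifier (OID 2.5.29.14), or null when absent (e.g. a v1 certificate). getExtensionValue
     *  returns the extnValue OCTET STRING whose content is itself an OCTET STRING, so two headers are stripped. */
    public static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] extnValue = cert.getExtensionValue("2.5.29.14");
        return extnValue == null ? null : stripOctetString(stripOctetString(extnValue));
    }
    /** Minimal DER parse: tag 0x04, short- or long-form length, then the content bytes. */
    private static byte[] stripOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) throw new IllegalArgumentException("not an OCTET STRING");
        int len = der[1] & 0xFF, offset = 2;
        if (len > 0x80) {                         // long form: low 7 bits give the number of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[offset++] & 0xFF);
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    /** Usage: java CertIdentity cert.pem (PEM or DER; the file path is an assumption for illustration). */
    public static void main(String[] args) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[0]));
        System.out.println("SHA1 fingerprint: " + fingerprint(cert, "SHA-1"));
        System.out.println("Issuer + serial : " + issuerAndSerial(cert));
        byte[] ski = subjectKeyIdentifier(cert);
        System.out.println("Subject Key Id  : " + (ski == null ? "(none)" : toHex(ski)));
    }
}
```

Any of the three values can serve as a HashMap key for the certificate itself, but as the reply above notes, that cache identifies the signer's certificate, not the signature over a particular message.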