santuario-dev mailing list archives

From "Scott Cantor" <canto...@osu.edu>
Subject RE: DO NOT REPLY [Bug 40921] - XML <X509Certificate> contents modified and signature normally validated.
Date Wed, 08 Nov 2006 17:59:23 GMT
> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion.  I assumed that the bug was
> against the apache implementation (this is the apache bug database,
> right?), not JDK code.

I've never looked at it. I mainly do C++ anyway, the Java's somebody else's
now, mercifully for all the people who hated my Java code.

> So out of curiosity, how does one verify the Signature/KeyInfo match
> up in the JDK 1.6 code?

I don't think that's how I would approach the question. In all cases, I
think the application needs to supply the verification key. The application
MAY choose to examine KeyInfo as part of determining what key to try, but
that's up to it.

In that light, KeyInfo is simply one of many inputs into the process of
determining the key. The critical difference is that in my mind, you start
by identifying the signer, usually based on the message itself, not based on
KeyInfo. From there, you get keying material, or policy to control
certificates that might be in KeyInfo.

Just my two cents.

-- Scott
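
The approach described in the reply above, as an added example (not part of the original message, and not Santuario or JDK project code): the application identifies the signer from the message, looks up the key it already holds for that signer, and hands that key to the JDK `javax.xml.crypto.dsig` validator, so KeyInfo is never consulted. The `Message`/`from` format, the `TRUSTED` map and the class name are hypothetical, and the key pairs are generated at run time.

```java
import java.security.*;
import java.util.*;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AppSuppliedKeyDemo {
    // Hypothetical application trust store: signer name -> key obtained out of band.
    static final Map<String, PublicKey> TRUSTED = new HashMap<>();
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");
    // Constructed sample: <Message from="alice"/> signed with kp, kp's public key placed in KeyInfo.
    static Document sign(KeyPair kp) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element root = (Element) doc.appendChild(doc.createElementNS(null, "Message"));
        root.setAttribute("from", "alice");
        Reference ref = F.newReference("", F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(F.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = F.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        F.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), root));
        return doc;
    }

    // Identify the signer from the message, then verify with the key the application holds for it.
    static boolean verify(Document doc) throws Exception {
        PublicKey key = TRUSTED.get(doc.getDocumentElement().getAttribute("from"));
        if (key == null) return false; // unknown signer: reject before touching the signature
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(key), sig);
        return F.unmarshalXMLSignature(ctx).validate(ctx); // KeyInfo plays no part in key choice
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair alice = g.generateKeyPair(), other = g.generateKeyPair();
        TRUSTED.put("alice", alice.getPublic());
        System.out.println(verify(sign(alice))); // signed with the key the application trusts
        System.out.println(verify(sign(other))); // claims "alice" but carries its own key in KeyInfo
    }
}
```

A validator that took its key from KeyInfo would accept the second document, because the embedded key matches the signature; with an application-supplied key the embedded key is irrelevant.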

