Return-Path: 
 <security-dev-return-5662-apmail-xml-security-dev-archive=xml.apache.org@xml.apache.org>
Delivered-To: apmail-xml-security-dev-archive@www.apache.org
Received: (qmail 82592 invoked from network); 8 Nov 2006 17:59:51 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 8 Nov 2006 17:59:51 -0000
Received: (qmail 11257 invoked by uid 500); 8 Nov 2006 18:00:01 -0000
Delivered-To: apmail-xml-security-dev-archive@xml.apache.org
Received: (qmail 11231 invoked by uid 500); 8 Nov 2006 18:00:00 -0000
Mailing-List: contact security-dev-help@xml.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:security-dev@xml.apache.org>
List-Help: <mailto:security-dev-help@xml.apache.org>
List-Unsubscribe: <mailto:security-dev-unsubscribe@xml.apache.org>
Reply-To: security-dev@xml.apache.org
List-Id: <security-dev.xml.apache.org>
Delivered-To: mailing list security-dev@xml.apache.org
Received: (qmail 10958 invoked by uid 99); 8 Nov 2006 18:00:00 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 08 Nov 2006 09:59:59 -0800
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: neutral (herse.apache.org: local policy)
Received: from [64.233.207.23] (HELO pop-5.dnv.wideopenwest.com)
 (64.233.207.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 08 Nov 2006 09:59:45 -0800
Received: from bytor (d60-65-44-136.col.wideopenwest.com [65.60.136.44])
	by pop-5.dnv.wideopenwest.com (8.11.6/8.11.6) with ESMTP id kA8HxNK22512
	for <security-dev@xml.apache.org>; Wed, 8 Nov 2006 11:59:23 -0600
From: "Scott Cantor" <cantor.2@osu.edu>
To: <security-dev@xml.apache.org>
Subject: RE: DO NOT REPLY [Bug 40921] - XML <X509Certificate> contents
 modified and signature normallly validated.
Date: Wed, 8 Nov 2006 12:59:23 -0500
Message-ID: <004401c7035f$9f467600$6801a8c0@oit.ohiostate.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-reply-to: <3cf41bb90611080944o33fd2811q5e9495432641109@mail.gmail.com>
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-index: AccDXpCIavAM0DEJQI6h/Q/q9DczTAAAIIZg
X-Virus-Checked: Checked by ClamAV on apache.org

> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion.  I assumed that the bug was
> against the apache implementation (this is the apache bug database,
> right?), not JDK code.

I've never looked at it. I mainly do C++ anyway, the Java's somebody else
now, mercifully for all the people who hated my Java code.

> So out of curiosity, how does one verify the Signature/KeyInfo match
> up in the JDK 1.6 code?

I don't think that's how I would approach the question. In all cases, I
think the application needs to supply the verification key. The application
MAY choose to examine KeyInfo as part of determining what key to try, but
that's up to it.

In that light, KeyInfo is simply one of many inputs into the process of
determining the key. The critical difference is that in my mind, you start
by identifying the signer, usually based on the message itself, not based on
KeyInfo. From there, you get keying material, or policy to control
certificates that might be in KeyInfo.

Just my two cents.

-- Scott