santuario-dev mailing list archives

From Kelly Graus <kelly.gr...@toltech.net>
Subject Re: Standard for embedding KeyInfo
Date Thu, 05 Apr 2007 15:30:57 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<blockquote cite="mid000001c7770d$c9e867c0$5db93740$@2@osu.edu"
 type="cite">
  <blockquote type="cite">
    <pre wrap="">I'm working on signing an XML document using an X509 certificate.  As
part of the signing process, I am appending DSIGKeyInfoX509 information
in the signature (by calling appendX509Data on the DSIGSignature
object).  Once that is there, I am manually adding the name of the
certificate, and then using that name to find the certificate when
verifying.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Name meaning...? There aren't really any names that unambiguously work in
the absence of a specific context. DNs are useless as there is no global
PKI, so names are always relative to a deployment scenario.
  </pre>
</blockquote>
That's what I figured.&nbsp; Currently we're using the subject name of the
certificate, but I didn't know if there was a standard or not.<br>
<blockquote cite="mid000001c7770d$c9e867c0$5db93740$@2@osu.edu"
 type="cite">
  <blockquote type="cite">
    <pre wrap="">Is there a standard as to what types of information should be stored
there?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
No. Embedding certificates is far and away the most common approach.
  </pre>
</blockquote>
By this do you mean embedding the certificate in the signature?&nbsp; If so,
this sounds like it would work best for us.&nbsp; Do you have any sample
code that does this?<br>
<blockquote cite="mid000001c7770d$c9e867c0$5db93740$@2@osu.edu"
 type="cite">
  <blockquote type="cite">
    <pre wrap="">And once the data is stored, is there an automated way of
loading the certificate based on the data?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Most libraries provide some kind of key resolution mechanism. This one
includes a KeyResolver abstraction that returns a key based on a KeyInfo
object, and supports a couple of basic types when the key is inside the XML.
This is useless for real applications, since it just verifies the signature
with a key that is self-evident, but doesn't authenticate the message.

My OpenSAML project includes a ton of additional code around resolving
KeyInfo material into credentials and applying trust mechanisms. It's
extremely complex territory and there are no specs to follow. Shortcuts and
laziness abound.

-- Scott

  </pre>
</blockquote>
I will look into the KeyResolver class and see about overloading it for
our use.&nbsp; Other than that, I guess for now I won't worry about trying
to conform to standards.&nbsp; Thanks for the reply!<br>
<br>
Kelly<br>
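Added example, not part of this thread and not Santuario or OpenSAML code: Scott's point above is that a resolver which verifies with the key it finds inside KeyInfo only proves that signature and payload match; the embedded certificate still has to be chained to a trust anchor before the message is authenticated. The Go program below uses Go's standard crypto/x509 in place of the C++ library discussed here, and stands in for XML Signature with a plain RSA signature over bytes (no canonicalization or reference digests). It builds a constructed CA, one signer enrolled under it and an unrelated self-signed signer, then runs the same payload through both verification styles. Every name in it (Constructed Test CA, enrolled-signer, rogue-signer) and the payload are constructed; the function names are mine, not the library's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage stands in for a signature whose KeyInfo carries X509Data: the signed
// bytes, an RSA PKCS#1 v1.5 / SHA-256 signature, and the signer's embedded DER cert.
type SignedMessage struct {
	Payload, Signature, CertDER []byte
}

// must aborts on a fixture-construction error (acceptable in a constructed demo).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template is a minimal certificate template; every name in it is constructed.
func template(cn string, isCA bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: isCA,
	}
}

// issueCert signs tmpl under parent; parent == tmpl yields a self-signed certificate.
func issueCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Sign signs payload and embeds cert, as appendX509Data does for the KeyInfo.
func Sign(payload []byte, key *rsa.PrivateKey, cert *x509.Certificate) (*SignedMessage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Payload: payload, Signature: sig, CertDER: cert.Raw}, nil
}

// VerifyEmbeddedKeyOnly is what a basic KeyInfo resolver does: check the signature with
// whatever key sits in X509Data. It proves payload and signature match, not who signed.
func VerifyEmbeddedKeyOnly(m *SignedMessage) error {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("embedded certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(m.Payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature)
}

// VerifyWithTrust chains the embedded certificate to a trust anchor before its key may verify.
func VerifyWithTrust(m *SignedMessage, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("embedded certificate is not trusted: %w", err)
	}
	return VerifyEmbeddedKeyOnly(m)
}

// NewScenario: a constructed trust anchor, a message from a signer enrolled under it,
// and the same payload signed by an unrelated self-signed key (the "forged" message).
func NewScenario(payload []byte) (roots *x509.CertPool, legit, forged *SignedMessage) {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	caKey, signerKey, rogueKey := newKey(), newKey(), newKey()
	caTmpl := template("Constructed Test CA", true, x509.KeyUsageCertSign)
	ca := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	enrolled := issueCert(template("enrolled-signer", false, x509.KeyUsageDigitalSignature), ca, &signerKey.PublicKey, caKey)
	rogueTmpl := template("rogue-signer", false, x509.KeyUsageDigitalSignature)
	rogue := issueCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, must(Sign(payload, signerKey, enrolled)), must(Sign(payload, rogueKey, rogue))
}

func main() {
	roots, legit, forged := NewScenario([]byte(`<Order id="42">constructed payload</Order>`))
	fmt.Println("enrolled signer:", VerifyEmbeddedKeyOnly(legit), "|", VerifyWithTrust(legit, roots))
	fmt.Println("rogue signer:   ", VerifyEmbeddedKeyOnly(forged), "|", VerifyWithTrust(forged, roots))
}
```

Run it with `go run`; a nil error means the verifier accepted the signature. The embedded-key-only verifier accepts both messages, because each certificate is self-evidently the one whose key matches the signature; only the trust-anchored verifier rejects the self-signed rogue signer. That chain validation against the deployment's own anchors is the step a KeyResolver overload has to add before handing the resolved key to the signature check, and it is also why the subject name alone does not identify a signer: the name is only meaningful once the certificate carrying it has been validated.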
</body>
</html>
