santuario-dev mailing list archives

From "M. D." <mo...@abv.bg>
Subject Re: XMLDsig and XML Signature API
Date Thu, 20 Mar 2014 14:42:38 GMT
 I'm really sorry but you confused me a bit.

I have read the specification and I'm quite familiar with it. It is said that a KeyInfo element
may contain multiple X509Data elements. X509Data elements may contain multiple X509Certificate
elements.

For example:
<KeyInfo>
  <X509Data> <!-- two pointers to certificate-A -->
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM,
        L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data><!-- single pointer to certificate-B -->
    <X509SubjectName>Subject of Certificate B</X509SubjectName>
  </X509Data>
  <X509Data> <!-- certificate chain -->
    <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
    <X509Certificate>MIICXTCCA..</X509Certificate>
    <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
         issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
    <X509Certificate>MIICPzCCA...</X509Certificate>
    <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
    <X509Certificate>MIICSTCCA...</X509Certificate>
  </X509Data>
</KeyInfo>

My question is how does org.apache.xml.security.keys.KeyInfo.getX509Certificate() behave in
such a case because we have the whole certificate chain embedded in the document. What does
the method return? Can I access all certificates from the chain?

Best regards,
M.D.


 >-------- Original message --------
 >From:   Cantor, Scott  
 >Subject: Re: XMLDsig and XML Signature API
 >To:  dev@santuario.apache.org  
 >Sent: Thursday, 2014, March 20 16:30:55 EET
 >
 >
 >On 3/20/14, 10:12 AM, "M. D."  wrote:
 >
 >> Well why not? Having the whole certificate chain embedded to the xml
 >>seems reasonable, doesn't it?
 >
 >I believe that's represented by multiple X509Certificate elements, but the
 >spec has an example you can look at.
 >
 >-- Scott
 >
 >
 >
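
An added example, not part of this message and not Santuario code: standard-library Python that walks a KeyInfo shaped like the one quoted above and collects every X509Certificate from every X509Data. The sample input is constructed (XMLDSig namespace declared, placeholder bytes instead of real DER certificates), and `split_tag`, `enumerate_keyinfo` and `all_certificates` are hypothetical helper names.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: same shape as the KeyInfo in the message, with
# placeholder payloads ("signer", "intermediate", "root") instead of real DER.
SAMPLE = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>CN=Example Issuer</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data><X509SubjectName>CN=Example Subject B</X509SubjectName></X509Data>
  <X509Data>
    <X509Certificate>c2lnbmVy</X509Certificate>
    <X509Certificate>aW50ZXJtZWRpYXRl</X509Certificate>
    <X509Certificate>cm9vdA==</X509Certificate>
  </X509Data>
</KeyInfo>"""

def split_tag(tag):
    """Split ElementTree's '{namespace}name' form into (namespace, name)."""
    ns, _, name = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, name

def enumerate_keyinfo(xml_text):
    """One dict per X509Data, in document order: pointer element names
    (IssuerSerial, SKI, SubjectName, ...) and decoded certificate bytes."""
    root = ET.fromstring(xml_text)
    if split_tag(root.tag) != (DSIG_NS, "KeyInfo"):
        raise ValueError("root is not a ds:KeyInfo element")
    groups = []
    for x509data in root.findall(f"{{{DSIG_NS}}}X509Data"):
        entry = {"pointers": [], "certs": []}
        for child in x509data:
            ns, name = split_tag(child.tag)
            if ns != DSIG_NS:
                continue  # skip extension content from other namespaces
            if name == "X509Certificate":
                b64 = "".join((child.text or "").split())  # drop line wraps
                entry["certs"].append(base64.b64decode(b64, validate=True))
            else:
                entry["pointers"].append(name)
        groups.append(entry)
    return groups

def all_certificates(xml_text):
    """Every embedded certificate, as untrusted candidates for path validation
    against a local trust anchor. Document order is not guaranteed chain order."""
    return [c for g in enumerate_keyinfo(xml_text) for c in g["certs"]]
```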
