[xmlsec] PKCS12 certificate chains

Jesse Pelton jsp at PKC.com
Fri Feb 14 12:23:34 PST 2003


xmlSecPKCS12ReadKey() in x509.c has the following code:

    ret = PKCS12_parse(p12, pwd, &pKey, &cert, &chain);
    :
    :
    /* todo: should we put the key cert into stack */
    sk_X509_push(chain, cert);

The comment raises the question of whether the key certificate should be
pushed onto the stack, and the next line goes ahead and does it. This is
useful to me, as it gives me a way to get the common name from the
certificate associated with the private key.

The questions:
1) Can I rely on this behavior in future releases?
2) If so, can I rely on the relevant certificate being the last one in the
chain? (I'm not sure how the rest of the certificates in the chain are
ordered, if at all. Maybe the comment is really asking whether the
certificate should be at the other end of the stack.)
3) If the answer to 1 or 2 is "no," is there a safe way to obtain the
certificate corresponding to the private key?

Thanks!
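An added illustration of the underlying point, not part of the original post and not xmlsec or OpenSSL project code: PKCS12_parse() already hands back the key's own certificate in its separate `cert` output, and OpenSSL ships X509_check_private_key() to confirm that a certificate and a private key belong together, so the position of the certificate in `chain` never has to be relied on. The script below shows the same idea at the command line with the openssl CLI (assumed to be installed): it builds a constructed two-level bundle (a throwaway test CA plus an end-entity certificate with a made-up CN of "example-signer"), pulls out the certificate that the PKCS#12 file tags as belonging to the key (`-clcerts`, i.e. the bag carrying a localKeyID) instead of taking whichever certificate sits at the end of the chain, and then proves the pairing by comparing public keys. All file names and the password "secret" are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original post, xmlsec or OpenSSL): obtain the
# certificate that matches a PKCS#12 private key explicitly, and verify the
# pairing, instead of trusting its position in the parsed certificate chain.
# Assumes the openssl CLI is on PATH. Every file is constructed in a temp dir.

set -eu

WORK="${TMPDIR:-/tmp}/p12demo.$$"
mkdir -p "$WORK"

# Build a constructed PKI: a self-signed test CA and an end-entity certificate,
# then bundle key + end-entity cert + CA cert into one PKCS#12 file.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 1 -subj "/CN=Example Test CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ee.key" \
        -out "$WORK/ee.csr" -subj "/CN=example-signer" 2>/dev/null
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/ee.crt" -days 1 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/ee.key" -in "$WORK/ee.crt" \
        -certfile "$WORK/ca.crt" -passout pass:secret -out "$WORK/bundle.p12"
}

# Number of certificates stored in the bundle (key cert plus chain).
cert_count() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin pass:secret -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# CN of the certificate the PKCS#12 file itself associates with the key:
# -clcerts selects the cert bag carrying a localKeyID, the CLI-level analogue
# of the `cert` output of PKCS12_parse(). No assumption about chain order.
key_cert_cn() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin pass:secret -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Definitive pairing check (the CLI analogue of X509_check_private_key()):
# the public key embedded in the certificate must equal the public key derived
# from the private key. Prints "match" or "mismatch".
# $1 = certificate PEM file, $2 = private key PEM file
check_cert_against_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Run the whole demo when invoked with P12_DEMO=1; otherwise only define the
# functions so they can be sourced and called individually.
if [ "${P12_DEMO:-}" = "1" ]; then
    make_p12
    echo "certificates in bundle: $(cert_count)"
    echo "certificate tagged as the key's cert: CN=$(key_cert_cn)"
    echo "end-entity cert vs key: $(check_cert_against_key "$WORK/ee.crt" "$WORK/ee.key")"
    echo "CA cert vs key:         $(check_cert_against_key "$WORK/ca.crt" "$WORK/ee.key")"
    rm -rf "$WORK"
fi
```

Run it with `P12_DEMO=1 sh p12demo.sh`. The bundle holds two certificates, only one of which passes the public-key comparison; the CA certificate is reported as a mismatch even though it is part of the same chain, which is exactly why selecting the key's certificate by chain position is fragile and selecting it by the PKCS#12 key association (or by an explicit key check) is not.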
