[xmlsec] PKCS12 certificate chains

Aleksey Sanin aleksey at aleksey.com
Fri Feb 14 12:54:41 PST 2003

It the time of writing this code I was not sure is the key's cert 
already in the chain or not
(as the result of PKCS12_parse). So I decided to put it in the chain anyway.

>The questions:
>1) Can I rely on this behavior in future releases?
Not sure I understand what you mean by "this behaiviour". The key's cert 
will be in
the chain of other certs.

>2) If so, can I rely on the relevant certificate being the last one in the
>chain? (I'm not sure how the rest of the certificates in the chain are
>ordered, if at all. Maybe the comment is really asking whether the
>certificate should be at the other end of the stack.)
No, you can't. Position in the chain is not the best API you can imagine :)

>3) If the answer to 1 or 2 is "no," is there a safe way to obtain the
>certificate corresponding to the private key?
The right solution requires a small patch in xmlsec: just remember the 
key cert in the "verified" member
of xmlSecX509KeyData structure. It is used for storing key's (verified) 
cert when we load certificates
from XML document. The variable name became slightly incorrect but I can 
live with it :)
You can find patch bellow. It's checked in XMLSEC_0_0_X_BRANCH as well.


Index: src/x509.c
RCS file: /cvs/gnome/xmlsec/src/Attic/x509.c,v
retrieving revision
diff -u -r1.14.2.3 x509.c
--- src/x509.c	5 Feb 2003 17:52:33 -0000
+++ src/x509.c	14 Feb 2003 20:48:06 -0000
@@ -135,9 +135,7 @@
-    /* todo: should we put the key cert into stack */
     sk_X509_push(chain, cert);
     key = xmlSecParseEvpKey(pKey);
     if(key == NULL) {
@@ -158,6 +156,7 @@
     key->x509Data->certs = chain;
+    key->x509Data->verified = cert;

More information about the xmlsec mailing list