[xmlsec] PKCS12 certificate chains redux
Aleksey Sanin
aleksey at aleksey.com
Fri Apr 11 10:56:29 PDT 2003
Sure :) When you are extracting a key from certificates there is one "special" certificate: the one that actually contains the key. In the xmlsec-openssl library, an application may access this certificate through the following functions:

xmlSecOpenSSLKeyDataX509GetKeyCert
xmlSecOpenSSLKeyDataX509AdoptKeyCert

Since the certificate "duplicate" operation for OpenSSL is only a ref count increment, I've decided that it's simpler to have two "copies" of this special certificate: one in the certificates chain and one in the special separate member of the xmlSecOpenSSLKeyDataX509 object.

Now if we go back to pkcs12 files, you'll see that we have exactly the same situation: there is a special "key" certificate and all other chain certificates. From an application point of view, it makes perfect sense to also have access to this "key certificate". And I remember that this was actually a "feature request" from someone a couple of months ago :)

As I wrote, certificate duplication in openssl is cheap. It's possible that another xmlsec-crypto library implementation will have only one copy of the certificate. As you can see from the function names, this is crypto library specific code :)
Aleksey
Jesse Pelton wrote:
>In version 0.1.1, xmlSecOpenSSLAppPkcs12Load() makes two copies of the key
>certificate. One is adopted as a key certificate, the other is adopted in
>the certificate chain. This is somewhat confusing and a bit inefficient,
>but I imagine there's a reason for the second copy. Can you explain?
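The ownership model described above (one certificate object held both in the chain and in a separate "key cert" member, shared through a reference count so that freeing the holder releases it exactly once) as an added, self-contained example. This is not xmlsec's or OpenSSL's code: `Cert`, `cert_dup`, `X509Data` and `load_pkcs12_model` are constructed stand-ins for X509, the ref-count bump and xmlSecOpenSSLKeyDataX509, and the subject names are made up; no PKCS#12 file is parsed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a reference-counted certificate object. It stands in
 * for OpenSSL's X509, where "duplicating" for xmlsec-openssl means bumping a
 * reference count rather than copying the DER. Not xmlsec's or OpenSSL's code. */
typedef struct {
    char subject[64];
    int refcount;
} Cert;

static int g_certs_released = 0;  /* counts real deallocations, for the check below */

Cert *cert_new(const char *subject) {
    Cert *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    strncpy(c->subject, subject, sizeof c->subject - 1);
    c->refcount = 1;
    return c;
}

/* Cheap "duplicate": share the object and bump the count. */
Cert *cert_dup(Cert *c) { if (c) c->refcount++; return c; }

/* Drop one reference; memory goes away only when the last holder lets go. */
void cert_free(Cert *c) {
    if (!c) return;
    if (--c->refcount == 0) { g_certs_released++; free(c); }
}

#define MAX_CHAIN 8

/* Model of the key-data object: a chain plus a separate key-cert member. */
typedef struct {
    Cert *chain[MAX_CHAIN];
    int chain_len;
    Cert *key_cert;  /* the certificate whose public key matches the private key */
} X509Data;

X509Data *x509data_new(void) { return calloc(1, sizeof(X509Data)); }

/* "Adopt" = take ownership of the caller's reference (xmlsec naming). */
int x509data_adopt_cert(X509Data *d, Cert *c) {
    if (d->chain_len >= MAX_CHAIN) return -1;
    d->chain[d->chain_len++] = c;
    return 0;
}

int x509data_adopt_key_cert(X509Data *d, Cert *c) {
    if (d->key_cert) cert_free(d->key_cert);
    d->key_cert = c;
    return 0;
}

Cert *x509data_get_key_cert(const X509Data *d) { return d->key_cert; }

/* Each holder releases its own reference; the shared key cert is freed once. */
void x509data_destroy(X509Data *d) {
    for (int i = 0; i < d->chain_len; i++) cert_free(d->chain[i]);
    cert_free(d->key_cert);
    free(d);
}

/* Mirrors the load step discussed on the list: the PKCS#12 parse yields one
 * key cert and some CA certs; the key cert is placed both in the chain and in
 * the key_cert member, sharing a single object via refcount. Inputs are
 * constructed subject names, not a real PKCS#12 file. */
X509Data *load_pkcs12_model(const char *key_subject, const char **ca_subjects, int n_ca) {
    X509Data *d = x509data_new();
    Cert *key_cert = cert_new(key_subject);
    x509data_adopt_key_cert(d, key_cert);             /* reference 1 */
    x509data_adopt_cert(d, cert_dup(key_cert));       /* reference 2, same object */
    for (int i = 0; i < n_ca; i++) x509data_adopt_cert(d, cert_new(ca_subjects[i]));
    return d;
}

/* Returns the key cert's refcount while both holders are alive (expected 2),
 * then tears everything down; releases_out receives the number of real frees.
 * Returns -1 if the chain entry and the key-cert member are not the same object. */
int demo_shared_key_cert(int *releases_out) {
    const char *cas[] = { "CN=Intermediate CA (constructed)", "CN=Root CA (constructed)" };
    g_certs_released = 0;
    X509Data *d = load_pkcs12_model("CN=signer (constructed)", cas, 2);
    int rc = x509data_get_key_cert(d)->refcount;
    int same = (d->chain[0] == x509data_get_key_cert(d));
    x509data_destroy(d);
    if (releases_out) *releases_out = g_certs_released;
    return same ? rc : -1;
}

int main(void) {
    int released = 0;
    int rc = demo_shared_key_cert(&released);
    printf("key cert refcount while shared: %d, objects actually freed: %d\n", rc, released);
    return 0;
}
```

The point of the model is that the "two copies" cost nothing beyond the count, and that `x509data_destroy` can release the chain and the key-cert member independently without a double free: three certificate objects are freed for four held references. A crypto backend that keeps only one copy, as the reply allows for, would instead have to ensure the accessor never returns a pointer the chain is about to free.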