[xmlsec] PKCS12 certificate chains redux
aleksey at aleksey.com
Fri Apr 11 12:04:39 PDT 2003
First of all, if you want to use existing OpenSSL X509 data and X509
klasses then you *MUST* have "key certificate" in both places.
1) Yes. It makes the code cleaner :) Otherwise, you need to track the
in the chain somehow and there are several corner cases. XML Sec itself
uses keys certificate chain when it writes <dsig:KeyInfo/> element. The
"key ceritificate" is
used by xmlsec-openssl for key extraction only. The separate "key
created because application might have additional requirements for the
2) Well, if you have a key then you can have multiple certificates
the key. So the general answer is "no". However, if you want to find
from the chain that contains the given key then you can simply walk thru
and compare key values. This should be quick operation.
Another story is when you *don't know* the key. Then you need to actualy
verify the certificates, make verification chain and extract key...
Might be epxensive.
On the other hand, if you just want to serialize an
in your proprietary format and you concern about the result size (hardly
these days :) ), then you can simple store key cert separately:
and duplicate key cert in the certification change when you load data.
In order to do
this you just need to "find" key certificate in the list of other
certificates. There is a way to do
this in OpenSSL because key cert is just another reference to one of the
in the list (check OpenSSL x509.h file).
Jesse Pelton wrote:
>Thanks. I hadn't realize that the OpenSSL duplicate operation was
>Please understand, I'm indulging my curiosity here. I don't think I'll do
>anything different based on your explanations. That said, I have a couple
>1) I could imagine that having the key certificate in the same chain as the
>others might simplify certain operations within XMLSec. Are you aware of
>any cases where this is true?
>2) Suppose you want to serialize the contents of a keys store. You're
>interested in efficiency, so you'd prefer to save a single copy of the key
>certificate. Is there an efficient, reliable way to determine which of the
>keys in the chain (if any) is a copy of the key certificate? Presumably one
>could compare the bytes in each, but maybe there's a better way. (Of
>course, you'd have to push the key cert back on the stack when
More information about the xmlsec