[xmlsec] Big patch to xmlsec in recent OpenOffice.org sources
Andrew Fan
Xuelei.Fan at Sun.COM
Sun Feb 27 23:30:05 PST 2005
Aleksey Sanin wrote:
> 6) src/mscrypto/certkeys.c, xmlSecMSCryptoX509StoreConstructCertsChain()
> function:
> The new code tries to construct a cert chain for a self-signed cert
> even if it is not found in the trusted store. I believe this is
> incorrect. If we cannot find the self-signed cert in the trusted
> cert store, then we just need to return FALSE (can't construct a trusted
> cert chain). I modified the code to do exactly that and it passes
> all my tests. Hope it will work for you too.
>
I think you have a little misunderstanding of the cert chain building.
It doesn't try to find a self-signed cert in the untrusted store; it tries to
find a non-self-signed cert in the untrusted store, i.e., it tries to find the
mid-CA cert in the untrusted store. Firstly, it will try to find a cert
(self-signed or not) in the key store (which enables that when a
cert is used for signing, it can be found in the key store; the trusted
cert should first be found in a small store instead of searching a
much larger store); then, if it is found and it's not a self-signed
cert, we will continue searching for it in the untrusted store; finally, the last
cert must be found in the trusted store, otherwise we'll refuse to
trust the chain. I think the process is correct.
Why do I provide the patch? Firstly, I want to find the user's personal
certificate with its private key pair during signing. If I only search for
self-signed certificates in the trusted store, it will fail in the cases
where no complete cert chains are placed in the store; it's common
that the user only has one personal cert with a private key pair. How to
validate the signature is the responsibility of the recipient (the third
user should get the root cert from his key store), and certainly, the
signer must be able to validate the signature (I should only get my
private key and personal certificate; definitely, I trust my own cert).
Secondly, for performance, in a large-scale business PKI, it is
time-consuming to search for a cert in the cert store, so here I'll first try to find
it locally (in the key store). Thirdly, definitely, I must trust the
cert found in the key store, whether it is a root cert or a
personal cert.
I'm not 100% sure, but I think your code will fail to find the private key
from a signature template during signing.
Thanks,
Andrew
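To make the search order debated in this thread concrete, here is an added illustration (not xmlsec's code and not Andrew's patch): a toy chain builder that looks each cert up in the key store first, then the untrusted store, then the trusted store, and accepts a chain only when its self-signed root is present in the trusted store. The Cert/Store types, the sample certificates and the max_depth loop guard are all constructed for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy model: a cert is self-signed when subject == issuer; a store
   is a plain array, not a real CryptoAPI certificate store. */
typedef struct { const char *subject; const char *issuer; } Cert;
typedef struct { const Cert *certs; int n; } Store;

static const Cert *find_by_subject(const Store *s, const char *subject) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->certs[i].subject, subject) == 0) return &s->certs[i];
    return NULL;
}

static bool is_self_signed(const Cert *c) { return strcmp(c->subject, c->issuer) == 0; }

/* Search order from the thread: small key store, then untrusted, then trusted. */
static const Cert *lookup(const char *subj, const Store *ks, const Store *us, const Store *ts) {
    const Cert *c = find_by_subject(ks, subj);
    if (!c) c = find_by_subject(us, subj);
    if (!c) c = find_by_subject(ts, subj);
    return c;
}

/* Walk leaf -> root. Returns chain length, or 0 when the chain cannot be trusted:
   a missing link, an issuer loop, or a root that is absent from the trusted store. */
int build_chain(const char *leaf, const Store *ks, const Store *us, const Store *ts, int max_depth) {
    const Cert *cur = lookup(leaf, ks, us, ts);
    int depth = 1;
    while (cur && !is_self_signed(cur)) {
        if (depth >= max_depth) return 0;       /* loop guard: an assumption, not from the thread */
        cur = lookup(cur->issuer, ks, us, ts);
        depth++;
    }
    if (!cur) return 0;                         /* leaf or some issuer was not found anywhere */
    return find_by_subject(ts, cur->subject) ? depth : 0;
}

/* Constructed sample stores: root in trusted, intermediate in untrusted, and the
   signer's personal cert plus an untrusted self-signed cert in the key store. */
static const Cert g_trusted_certs[]   = { {"CN=Root CA", "CN=Root CA"} };
static const Cert g_untrusted_certs[] = { {"CN=Mid CA", "CN=Root CA"} };
static const Cert g_key_certs[] = { {"CN=Signer", "CN=Mid CA"}, {"CN=Rogue Root", "CN=Rogue Root"} };
static const Store g_trusted = { g_trusted_certs, 1 }, g_untrusted = { g_untrusted_certs, 1 },
                   g_keystore = { g_key_certs, 2 };

/* Chain length for a named leaf against the sample stores (0 = deny). */
int sample_chain(const char *leaf) { return build_chain(leaf, &g_keystore, &g_untrusted, &g_trusted, 8); }
```

With these stores, the signer's personal cert chains through the untrusted intermediate to the trusted root (length 3), while the self-signed cert that sits only in the key store is denied, which is the case Aleksey's change and Andrew's reply disagree about.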