[xmlsec] X509Data

Jason Dale jdale at fhrd.net
Tue Jul 18 15:01:10 PDT 2006

I've been charged with parsing an XML document that has been digitally
signed.  So far the xmlsec library has been quite useful.  Unfortunately,
I've come across a clause in my spec that seems to befuddle the library.
I believe it's because how the spec is written doesn't match how the
XML Digital Signature spec is written.  The author of my spec disagrees,
of course, and claims that his reading is valid, and that libraries assume
things and get lucky.

The offending clause in my spec:

"The entire certificate chain of the signer, including the root
certificate, shall be carried in the KeyInfo element as a sequence of
X509Data elements. Each of the X509Data elements shall correspond to one
certificate in the chain, and contain one X509IssuerSerial element and one
X509Certificate element. The certificates may appear in any order."

The research I've done seems to indicate that the entire certificate chain
must be in one X509Data element.  Unfortunately I've not been able to get
a definitive statement from the XML Digital Signature page that says that.
While researching this email, I just noticed the bit about the
X509IssuerSerial, and I know that has quite definite constraints, so I may
be able to use it as leverage, but it may not matter in the end.

I have a couple of questions then.  Suppose I am unable to convince the
author that his version is incorrect, and I have to work under those
constraints.  How would you go about it?  I have a few ideas, but I would
appreciate the advice.

Second, a more philosophical question I suppose.  How much of a fight
should I put up on this?  Or am I completely mistaken in my assessment?

Thank you for your time.
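
The KeyInfo layout that the quoted clause describes can be checked mechanically before any certificates are handed to a signature library. The following is an added example, not part of the original message and not xmlsec code; it uses only the Python standard library, and the function name `collect_x509data`, the sample document and its placeholder certificate bytes are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: two X509Data elements, one certificate each (placeholder bytes, not real DER).
SAMPLE = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509IssuerSerial><X509IssuerName>CN=Example Root</X509IssuerName><X509SerialNumber>2</X509SerialNumber></X509IssuerSerial>
    <X509Certificate>bGVhZi1jZXJ0</X509Certificate>
  </X509Data>
  <X509Data>
    <X509IssuerSerial><X509IssuerName>CN=Example Root</X509IssuerName><X509SerialNumber>1</X509SerialNumber></X509IssuerSerial>
    <X509Certificate>cm9vdC1jZXJ0</X509Certificate>
  </X509Data>
</KeyInfo>"""

def collect_x509data(keyinfo_xml):
    """Return [(issuer, serial, der)]; raise ValueError if the clause's layout is violated."""
    keyinfo = ET.fromstring(keyinfo_xml)
    entries, seen = [], set()
    for idx, data in enumerate(keyinfo.findall(DS + "X509Data"), start=1):
        serials = data.findall(DS + "X509IssuerSerial")
        certs = data.findall(DS + "X509Certificate")
        if len(serials) != 1 or len(certs) != 1:
            raise ValueError(f"X509Data #{idx}: expected 1 X509IssuerSerial and "
                             f"1 X509Certificate, got {len(serials)} and {len(certs)}")
        issuer = (serials[0].findtext(DS + "X509IssuerName") or "").strip()
        serial = (serials[0].findtext(DS + "X509SerialNumber") or "").strip()
        if not issuer or not serial.isdecimal():
            raise ValueError(f"X509Data #{idx}: incomplete X509IssuerSerial")
        try:
            # Base64 text may be wrapped across lines; drop whitespace first.
            der = base64.b64decode("".join((certs[0].text or "").split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"X509Data #{idx}: bad base64 in X509Certificate") from exc
        if (issuer, int(serial)) in seen:
            raise ValueError(f"X509Data #{idx}: duplicate issuer/serial pair")
        seen.add((issuer, int(serial)))
        entries.append((issuer, int(serial), der))
    if not entries:
        raise ValueError("KeyInfo contains no X509Data elements")
    return entries

if __name__ == "__main__":
    for issuer, serial, der in collect_x509data(SAMPLE):
        print(issuer, serial, len(der), "bytes")
```

This checks the layout only; it does not build or validate the chain, or verify the signature. For documents from untrusted sources, parse with a hardened XML parser such as defusedxml.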

