[xmlsec] X509Data

Jason Dale jdale at fhrd.net
Wed Jul 19 13:12:37 PDT 2006


>> "The entire certificate chain of the signer, including the root
>> certificate, shall be carried in the KeyInfo element as a sequence of
>> X509Data elements. Each of the X509Data elements shall correspond to one
>> certificate in the chain, and contain one X509IssuerSerial element and
>> one X509Certificate element. The certificates may appear in any order."
>
> This is valid.
As written, I'm not sure it's valid; I'll try to explain my reasoning as
we trade quotes below :)

>
>> The research I've done seems to indicate that the entire certificate
>> chain must be in one X509Data element.
>
> This is wrong.
>
> Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data
>         [these elements] may appear together one or more than once iff
>         (if and only if) each instance describes or is related to the
>         same certificate. ...
>         All such elements that refer to a particular individual
>         certificate MUST be grouped inside a single X509Data element and
>         if the certificate to which they refer appears, it MUST also be
>         in that X509Data element.
>
You've trimmed the first sentence of the paragraph that has the sentence
"All such elements . . . ". I think it's important because I think it has
the elements referred to:

"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear
MUST refer to the certificate or certificates containing the validation
key.  All such elements . . ."

Now, the spec I have to deal with requires that one X509IssuerSerial
element and one X509Certificate element (for each link in the chain)
appear in separate X509Data elements.  I think the intent for my spec was
to have the X509IssuerSerial element be for a particular link in the
chain.  This is precluded by the above quote I think.  Otherwise then, you
have identical copies in each X509Data element.  Assuming that we have
a single chain that terminates in a certificate that can validate the
signature, I believe that the copies are precluded by the second sentence
("All such elements . . .").

So, my spec as written conflicts with the digital signature spec because
an X509Data element cannot contain just a single X509IssuerSerial
element and a single X509Certificate element.  It seems to me that the
only X509Data element that can meet that requirement is the one that
contains the certificate that has the validation key.

However, I had thought I'd convinced myself that these constraints
together boxed in the requirement that the entire chain need be in the
X509Data element, but I'm not sure now.  Strictly speaking I don't see
anything that says an entire chain must be included, only part of a chain,
if that.  So perhaps the rest of the chain can appear in separate X509Data
tags if the X509Certificate element is the only thing in it?

Thanks,

Jason

> The intent is that each X509Data uniquely describes everything known about
> a particular cert.
>
>         /r$
>
> --
> SOA Appliances
> Application Integration Middleware
>
>
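As an added illustration (not part of this thread or of xmlsec), the KeyInfo layout Jason's spec calls for, built with Python's xml.etree, plus a structural check of the grouping rule Rich quotes: a repeated X509IssuerSerial across X509Data elements, or more than one X509IssuerSerial inside a single X509Data, is reported. Issuer names, serials and certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"

def ds(tag):
    return "{%s}%s" % (DS, tag)

def build_keyinfo(chain):
    # One ds:X509Data per chain link, each with exactly one X509IssuerSerial
    # and the one X509Certificate it identifies (the layout Jason's spec asks for).
    key_info = ET.Element(ds("KeyInfo"))
    for issuer_name, serial, cert_b64 in chain:
        x509data = ET.SubElement(key_info, ds("X509Data"))
        isr = ET.SubElement(x509data, ds("X509IssuerSerial"))
        ET.SubElement(isr, ds("X509IssuerName")).text = issuer_name
        ET.SubElement(isr, ds("X509SerialNumber")).text = str(serial)
        ET.SubElement(x509data, ds("X509Certificate")).text = cert_b64
    return key_info

def check_x509data_grouping(key_info):
    # Structural check of the quoted xmldsig-core rule: identifiers for one
    # certificate live in one X509Data, so a repeated X509IssuerSerial across
    # X509Data elements, or more than one inside a single X509Data, is reported.
    problems, seen = [], {}
    for idx, x509data in enumerate(key_info.findall(ds("X509Data"))):
        issuer_serials = x509data.findall(ds("X509IssuerSerial"))
        if len(issuer_serials) > 1:
            problems.append("X509Data[%d]: %d X509IssuerSerial elements; one per "
                            "X509Data" % (idx, len(issuer_serials)))
        for isr in issuer_serials:
            name = isr.findtext(ds("X509IssuerName"))
            serial = isr.findtext(ds("X509SerialNumber"))
            if not name or not (serial or "").strip().isdigit():
                problems.append("X509Data[%d]: malformed X509IssuerSerial" % idx)
                continue
            key = (name.strip(), int(serial))
            if key in seen:
                problems.append("X509Data[%d]: repeats the X509IssuerSerial of "
                                "X509Data[%d]" % (idx, seen[key]))
            else:
                seen[key] = idx
    return problems

# Constructed sample chain: placeholder issuer names, serials and base64 values.
SAMPLE_CHAIN = [
    ("CN=Example Root CA,O=Example", 1, "MIIB...root-placeholder..."),
    ("CN=Example Root CA,O=Example", 1002, "MIIB...intermediate-placeholder..."),
    ("CN=Example Intermediate CA,O=Example", 40021, "MIIB...signer-placeholder..."),
]

def lint_sample():
    return check_x509data_grouping(build_keyinfo(SAMPLE_CHAIN))
```

Whether a given X509IssuerSerial really names the certificate beside it still needs the DER decoded; this check only covers the element layout.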