The Apache XMLSec library may maintain the order if you only use it to sign & verify signatures, but it is a bad assumption to make if you are concerned about interoperability. No order is implied by the certificates stored in an X509Data element. Furthermore, the order could be changed or certificates could be removed or added without affecting the signature (unless you also sign the KeyInfo). It should be fairly easy to write a method to check and reorder the certificates based on issuer/subject names. Or you could use the CertPathBuilder API in J2SE which can be used to build and validate an X.509 certificate chain with the standard PKIX algorithm.

--Sean

Peter Bristow wrote:
Hi, can anyone tell me whether it is dependable that the order in which certificates
are added to XMLSignature when signing is the same as that when
reading them out again at verify time? (By adding I mean
XMLCertificate.AddKeyInfo(), and by reading them out I mean
KeyInfo.itemX509Data(int i).)
Also, it would seem that when you add keys to a certificate it is done one
at a time and in a "flat" fashion, yet when you read them out you effectively get a
2D array. How do you add multiple certificates at the same
time so you can have a chain inside each X509Data that you read out
rather than a single entry?


It's quite likely I'm barking so have your clue stick ready.

Thanks

Pete
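Both options Sean suggests, reordering by issuer/subject name and handing the set to the J2SE CertPathBuilder, in one added Java example. This is not Apache XMLSec code and not part of the thread; it assumes the certificates have already been pulled out of the X509Data elements as java.security.cert.X509Certificate objects (here loaded from PEM/DER files named on the command line, which is an assumed file layout), and the class name X509DataChainCheck is a placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not Apache XMLSec code): put certificates taken from
 * arbitrary X509Data elements back into leaf-to-root order, then let the
 * JDK PKIX CertPathBuilder build and validate the chain against a trust
 * anchor, so the order found in the KeyInfo never has to be trusted.
 */
public class X509DataChainCheck {

    /** Order an unordered collection into a chain: leaf first, then each cert's issuer. */
    public static List<X509Certificate> orderChain(Collection<X509Certificate> certs) {
        // Subject -> cert, so an issuer can be found in one lookup.
        // Assumes distinct subject names within the set (no cross-certified duplicates).
        Map<X500Principal, X509Certificate> bySubject = new HashMap<>();
        Set<X500Principal> issuers = new HashSet<>();
        for (X509Certificate c : certs) {
            bySubject.put(c.getSubjectX500Principal(), c);
            // A self-signed root names itself as issuer; that must not mark it as an intermediate.
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                issuers.add(c.getIssuerX500Principal());
            }
        }
        // The leaf is the one certificate whose subject is nobody else's issuer.
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            if (!issuers.contains(c.getSubjectX500Principal())) {
                if (leaf != null) throw new IllegalArgumentException("more than one leaf candidate");
                leaf = c;
            }
        }
        if (leaf == null) throw new IllegalArgumentException("no leaf found (issuer loop?)");
        // Follow issuer links; stop at a self-signed cert or when the issuer is not in the set.
        // The size bound guards against a malformed set that loops without a self-signed cert.
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate cur = leaf;
        while (cur != null && chain.size() < certs.size()) {
            chain.add(cur);
            if (cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) break;
            cur = bySubject.get(cur.getIssuerX500Principal());
        }
        return chain;
    }

    /**
     * Build and validate a PKIX path from the leaf to one of the trust anchors.
     * The KeyInfo certificates are offered only as a pool of candidate intermediates;
     * the builder decides which ones, in which order, actually form a valid path.
     */
    public static PKIXCertPathBuilderResult buildAndValidate(
            Collection<X509Certificate> certs, Set<TrustAnchor> anchors, boolean checkRevocation)
            throws GeneralSecurityException {
        X509Certificate leaf = orderChain(certs).get(0);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);                     // the end-entity cert we want validated
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(certs)));
        params.setRevocationEnabled(checkRevocation);    // true needs CRL/OCSP reachability
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Usage (assumed layout): java X509DataChainCheck trusted-root.pem certA.pem certB.pem ... */
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(load(args[0]), null));
        List<X509Certificate> fromKeyInfo = new ArrayList<>();
        for (int i = 1; i < args.length; i++) fromKeyInfo.add(load(args[i]));
        Collections.shuffle(fromKeyInfo);   // simulate the arbitrary order a KeyInfo may carry
        for (X509Certificate c : orderChain(fromKeyInfo)) {
            System.out.println("  " + c.getSubjectX500Principal());
        }
        PKIXCertPathBuilderResult r = buildAndValidate(fromKeyInfo, anchors, false);
        System.out.println("valid path to anchor "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

The CertPathBuilder route needs no reordering at all, which is why it is the more robust of the two: the X509Data contents become a CertStore of candidates and the PKIX algorithm assembles the path itself. One caveat follows directly from Sean's point that an unsigned KeyInfo can be altered without breaking the signature: a successfully built path only proves that the leaf chains to your anchor. The verifier still has to confirm that the leaf is the certificate it expected for this signer (subject, key usage, and that its public key is the one that actually verified the SignedInfo), otherwise anyone with any certificate under the same anchor could swap in their own chain.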
