Re: Ordering of certificates in KeyInfo

[Sean Mullan]

The Apache XMLSec library may maintain the order if you only use it to 
sign & verify signatures, but it is a bad assumption to make if you are 
concerned about interoperability. No order is implied by the 
certificates stored in an X509Data element. Furthermore, the order could 
be changed or certificates could be removed or added without affecting 
the signature (unless you also sign the KeyInfo). It should be fairly 
easy to write a method to check and reorder the certificates based on 
issuer/subject names. Or you could use the CertPathBuilder API in J2SE 
which can be used to build and validate an X.509 certificate chain with 
the standard PKIX algorithm.

--Sean
Peter Bristow wrote:
Hi 
Can anyone tell me if it is dependable that the order certificates
added are added to XMLSignature when signing is the same as that when
reading them out again at verify time. (by adding i mean
XMLCertificate.AddKeyInfo()  and reading them out meaning
KeyInfo.itemX509Data(int i) ).
Also It would seem that when you add keys to a certificate it is one
at a time and in a "flat" fashion yet when you read them out you get a
2d array effectively. How do you add multiple certificates at the same
time so you can have a chain inside each X509Data that you read out
rather than a single entry.

It's quite likely I'm barking so have your clue stick ready.
Thanks
Pete