Hey guys, I am working on an XKMS implementation, to some extent based on the org.apache.xml.security library.

When validating X509 certificates, I need a smart way of resolving the certificate of the issuer of another certificate. If I get a certificate for validation, I can do one of these:

1) Read the Issuer Distinguished Name (or derivatives thereof)
2) Read the X509 extensions, and try to find the Issuer DN and Issuer Serial.

My questions are now:

*) Can I be sure that the Issuer DN is globally unique, and will identify exactly the certificate I need? (I would think no, but I'm not sure.)

*) How do I get the Issuer DN and serial out from the extensions? The only thing I seem to be able to do is get a Set of OID strings, of which I presumably need the one called "2.5.29.15" - which, when the cert is printed out, looks like it contains values for "AuthorityKeyIdentifier" and Issuer DN and Issuer Serial. I'm not really familiar with ASN.1, and binary data formats in general, and RFC 2459 is not much help either.

*) How do I resolve a certificate from an Issuer DN, if I don't have it in my database already? Say, if the certificate C to be validated is signed by CA-X, whose certificate is signed by CA-Y, and I have CA-Y's cert in my list of trusted certificate authorities. Am I dependent on the certificate C attaching CA-X's cert, or is there a neat way of looking up a certificate across the 'net?

The simple solution is to have a manually maintained list of trusted certificates, and then look one of those up based on the Subject DN (Issuer DN in the certificate to be validated), while counting on never coming across two different certificates with the same Subject DN string. In that case, I could try and validate with all the certificates with the same Subject DN, but that doesn't seem very sane...

Any comments are welcome - I could really use some feedback. ;-)

---
Thanks.
Kenneth
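The issuer lookup the post describes (match the Issuer DN against a pool of trusted certificates, then disambiguate same-DN candidates), written as an added example with plain java.security.cert calls rather than org.apache.xml.security; it is not code from the original post. It reads the AuthorityKeyIdentifier extension (OID 2.5.29.35) from the certificate under validation and the SubjectKeyIdentifier (2.5.29.14) from each candidate with a minimal DER reader, and lets the signature check decide; the class and method names are the example's own.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;

/** Added example: choose the issuer of `cert` from a manually maintained trust list. */
public final class IssuerResolver {

    private static final String OID_SKI = "2.5.29.14"; // SubjectKeyIdentifier
    private static final String OID_AKI = "2.5.29.35"; // AuthorityKeyIdentifier

    /** Decodes one DER TLV at `off` and returns its value bytes (short and long length forms). */
    private static byte[] tlvValue(byte[] der, int off) {
        int first = der[off + 1] & 0xFF, len = first, hdr = 2;
        if (first >= 0x80) {                       // long form: low 7 bits = number of length bytes
            int n = first & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off + 2 + i] & 0xFF);
            hdr += n;
        }
        return Arrays.copyOfRange(der, off + hdr, off + hdr + len);
    }

    /** getExtensionValue() wraps the extension in an OCTET STRING; unwrap it, or return null if absent. */
    private static byte[] extensionBody(X509Certificate c, String oid) {
        byte[] der = c.getExtensionValue(oid);
        return der == null ? null : tlvValue(der, 0);
    }

    /** SubjectKeyIdentifier ::= OCTET STRING, so one more unwrap yields the raw key identifier. */
    static byte[] subjectKeyId(X509Certificate c) {
        byte[] body = extensionBody(c, OID_SKI);
        return body == null ? null : tlvValue(body, 0);
    }

    /** AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }.
     *  DER keeps components in definition order, so keyIdentifier, if present, is first (tag 0x80). */
    static byte[] authorityKeyId(X509Certificate c) {
        byte[] seq = extensionBody(c, OID_AKI);
        if (seq == null) return null;
        byte[] inner = tlvValue(seq, 0);
        return (inner.length > 0 && (inner[0] & 0xFF) == 0x80) ? tlvValue(inner, 0) : null;
    }

    /** Name match narrows the pool, AKI/SKI separates same-DN CAs, the signature check is the proof. */
    static X509Certificate findIssuer(X509Certificate cert, Collection<X509Certificate> trusted) {
        byte[] aki = authorityKeyId(cert);
        for (X509Certificate ca : trusted) {
            if (!cert.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) continue;
            byte[] ski = subjectKeyId(ca);
            if (aki != null && ski != null && !Arrays.equals(aki, ski)) continue;
            try { cert.verify(ca.getPublicKey()); return ca; }
            catch (GeneralSecurityException e) { /* wrong key for this DN, try the next candidate */ }
        }
        return null;
    }
}
```

A null result means no trusted certificate both names and cryptographically signed the certificate, which is the outcome to treat as a validation failure rather than as a reason to fall back on DN matching alone.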