> I'm not really all that familiar with the JDK 1.6 API. In looking at
> it I see it changed quite considerably more than I expected, which
> probably explains most of my confusion. I assumed that the bug was
> against the apache implementation (this is the apache bug database,
> right?), not JDK code.
I've never looked at it. I mainly do C++ anyway, the Java's somebody else now, mercifully for all the people who hated my Java code.

> So out of curiosity, how does one verify the Signature/KeyInfo match
> up in the JDK 1.6 code?

I don't think that's how I would approach the question. In all cases, I think the application needs to supply the verification key. The application MAY choose to examine KeyInfo as part of determining what key to try, but that's up to it. In that light, KeyInfo is simply one of many inputs into the process of determining the key.

The critical difference is that in my mind, you start by identifying the signer, usually based on the message itself, not based on KeyInfo. From there, you get keying material, or policy to control certificates that might be in KeyInfo.

Just my two cents.

-- Scott
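The "signer first, then key" approach Scott describes, written against the JDK's javax.xml.crypto.dsig API as an added illustration (this is not code from the thread or from the Apache project). It assumes the application already has a trust table mapping a signer identity it read from the message body to a public key; `issuerId` and `trustedSigners` are hypothetical names, and KeyInfo in the document is never consulted.

```java
import java.security.PublicKey;
import java.util.Map;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Verifies an enveloped XML signature with a key the application chose itself. */
public final class SignerFirstVerifier {

    /** Hypothetical application registry: signer identifier -> trusted public key. */
    private final Map<String, PublicKey> trustedSigners;

    public SignerFirstVerifier(Map<String, PublicKey> trustedSigners) {
        this.trustedSigners = trustedSigners;
    }

    /**
     * @param doc      parsed, namespace-aware DOM of the signed message
     * @param issuerId signer identity taken from the message itself (e.g. an
     *                 Issuer element), not from the Signature's KeyInfo
     * @return true only if the signature validates under the trusted key
     */
    public boolean verify(Document doc, String issuerId) throws Exception {
        PublicKey key = trustedSigners.get(issuerId);
        if (key == null) {
            return false; // unknown signer: no key, so no verification attempt at all
        }

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // expect exactly one ds:Signature; anything else is rejected
        }

        // The key is fixed by the application before the signature is even parsed.
        // singletonKeySelector ignores whatever KeyInfo the document carries.
        DOMValidateContext ctx =
                new DOMValidateContext(KeySelector.singletonKeySelector(key), sigs.item(0));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // validate() checks SignatureValue and every Reference digest.
        // Callers still need to confirm that the references cover the element
        // the issuerId was read from, otherwise the signer binding is unproven.
        return sig.validate(ctx);
    }
}
```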