I'm working on signing an XML document using an X509 certificate.  As
part of the signing process, I am appending DSIGKeyInfoX509 information
in the signature (by calling appendX509Data on the DSIGSignature
object).  Once that is there, I am manually adding the name of the
certificate, and then using that name to find the certificate when
verifying.

Name meaning...? There aren't really any names that unambiguously work in
the absence of a specific context. DNs are useless as there is no global
PKI, so names are always relative to a deployment scenario.
  
That's what I figured.  Currently we're using the subject name of the certificate, but I didn't know if there was a standard or not.
  
Is there a standard as to what types of information should be stored
there?

No. Embedding certificates is far and away the most common approach.
  
By this do you mean embedding the certificate in the signature?  If so, this sounds like it would work best for us.  Do you have any sample code that does this?
  
And once the data is stored, is there an automated way of
loading the certificate based on the data?
    

Most libraries provide some kind of key resolution mechanism. This one
includes a KeyResolver abstraction that returns a key based on a KeyInfo
object, and supports a couple of basic types when the key is inside the XML.
This is useless for real applications, since it just verifies the signature
with a key that is self-evident, but doesn't authenticate the message.

My OpenSAML project includes a ton of additional code around resolving
KeyInfo material into credentials and applying trust mechanisms. It's
extremely complex territory and there are no specs to follow. Shortcuts and
laziness abound.

-- Scott

  
I will look into the KeyResolver class and see about overloading it for our use.  Other than that, I guess for now I won't worry about trying to conform to standards.  Thanks for the reply!

Kelly
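As an added illustration of the KeyResolver and trust discussion above (this is not code from the thread, nor from xml-security-c or OpenSAML), here is a small Python resolver that reads ds:X509Data out of a KeyInfo element and returns a certificate only when it matches the relying party's own pinned store, so the signer's identity comes from deployment configuration rather than from whatever the signature happens to carry. The element names follow XML-DSig; the class, the store contents and the stand-in DER bytes are assumptions for the example.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way to pin a certificate."""
    return hashlib.sha256(der).hexdigest()

class PinnedKeyResolver:
    """Resolve ds:KeyInfo/ds:X509Data against a deployment-specific store.

    An embedded ds:X509Certificate is accepted only if its fingerprint is
    pinned; a bare ds:X509SubjectName is merely a lookup key into our own
    store, never a statement of trust on its own.
    """

    def __init__(self, trusted_ders, subject_index):
        self.trusted = {fingerprint(d): d for d in trusted_ders}
        self.subject_index = dict(subject_index)  # subject name -> DER

    def resolve(self, key_info: ET.Element) -> Optional[bytes]:
        cert_el = key_info.find(f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if cert_el is not None and cert_el.text:
            try:
                der = base64.b64decode("".join(cert_el.text.split()), validate=True)
            except binascii.Error:
                return None
            # A certificate that is present but not pinned is refused outright;
            # we deliberately do not fall through to the name lookup.
            return self.trusted.get(fingerprint(der))
        name_el = key_info.find(f"{{{DS}}}X509Data/{{{DS}}}X509SubjectName")
        if name_el is not None and name_el.text:
            return self.subject_index.get(name_el.text.strip())
        return None

# Constructed stand-ins for DER-encoded certificates (not real certificates).
TRUSTED_DER = b"constructed-der-bytes-of-our-signing-cert"
ROGUE_DER = b"constructed-der-bytes-of-some-other-cert"
SUBJECT = "CN=signer.example,O=Example"  # assumed subject name label
RESOLVER = PinnedKeyResolver([TRUSTED_DER], {SUBJECT: TRUSTED_DER})

def key_info_xml(cert: Optional[bytes] = None, subject: Optional[str] = None) -> ET.Element:
    """Build a ds:KeyInfo element shaped like the one appendX509Data emits."""
    ki = ET.Element(f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    if subject:
        ET.SubElement(x509, f"{{{DS}}}X509SubjectName").text = subject
    if cert:
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(cert).decode()
    return ki
```

The resolver only answers "which certificate may this KeyInfo refer to"; signature verification with the returned key and any revocation or validity checks still happen separately.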
