Tejkumar Arora wrote:
> > Hi Aleksey,
> >
> > After you read in <X509Data>, you invoke *X509VerifyAndExtractKey to
> > identify a valid cert that contains the key to be used.
> >
> > In *X509VerifyAndExtractKey, you invoke
> > *X509StoreVerify(x509store, certs_from_<X509Data>,
> > crls_from_<X509Data>....)
> >
> > In *X509StoreVerify, the list of certs you search is
> > certs_from_<X509Data> + untrusted certs from x509store.

A related question: Are you accounting for multiple <X509Data> elements
under <KeyInfo>? I see in the logic that you call *X509VerifyAndExtractKey
immediately after reading one <X509Data> element...

-Tej

> > The issue is: why do you add "untrusted certs from x509store"?
> > I think I know why, but wanted to hear it from you.
> >
> > The spec is a bit ambiguous about whether the certs_from_<X509Data>
> > contains the public key to be used.
> >
> > 1. "All certificates appearing in an X509Data element MUST relate
> >    to the validation key by either containing it or being part
> >    of a certification chain that terminates in a certificate containing
> >    the validation key."
> >
> >    This implies that the key may not be in certs_from_<X509Data>.
> >
> > 2. "Whenever multiple certificates occur in an X509Data element, at
> >    least one such certificate must contain the public key which verifies
> >    the signature."
> >
> >    This implies that the key MUST be in certs_from_<X509Data>.
> >
> > My feeling is that (2) is talking about all <X509Data> elements
> > under KeyInfo, not just one.
> >
> > thanks,
> >
> > -Tej

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
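The two readings of the spec in the quoted mail, and the follow-up question about several <X509Data> elements, are easier to see on a toy model than on real certificates. The block below is an added illustration, not xmlsec's code and not a description of how *X509StoreVerify is implemented: certificates are plain (subject, issuer, key) records with no signatures, "verifying" means walking issuer links to a trusted root, and the search rule (pool = certs_from_<X509Data> plus the store's untrusted certs; any pool cert that issued no other pool cert is tried as the leaf) is an assumed reading of the description in the mail. The names ROOT, INTER, LEAF and the case_* functions are constructed for the example.

```python
"""Toy model of the <X509Data> chain search discussed in the thread.

Added example, not xmlsec code.  Certificates are plain records instead of
real X.509 and nothing is signature-checked; the point is only to show which
certificate the search picks under each reading of the spec.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equals subject for a self-signed root
    key: str      # stand-in for the public key this cert carries


def find_issuer(cert: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    """Toy issuer lookup: the pool cert whose subject is cert.issuer."""
    for c in pool:
        if c.subject == cert.issuer and c is not cert:
            return c
    return None


def build_chain(leaf: Cert, pool: List[Cert], trusted: List[Cert]) -> Optional[List[Cert]]:
    """Walk issuer links through pool + trusted until a trusted cert is reached."""
    chain, seen, cur = [leaf], {leaf}, leaf
    while cur not in trusted:
        nxt = find_issuer(cur, pool + trusted)
        if nxt is None or nxt in seen:      # dangling or looping chain
            return None
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def verify_and_extract_key(x509data_certs: List[Cert], store_untrusted: List[Cert],
                           store_trusted: List[Cert]) -> Tuple[Optional[str], Optional[List[Cert]]]:
    """Assumed search rule (not xmlsec's): pool = certs from <X509Data> plus the
    store's untrusted certs; a cert that issued no other pool cert is a leaf
    candidate; the first candidate that chains to a trusted root wins."""
    pool = list(x509data_certs) + list(store_untrusted)
    issuers = {find_issuer(c, pool) for c in pool} - {None}
    for cand in pool:
        if cand in issuers:
            continue
        chain = build_chain(cand, pool, list(store_trusted))
        if chain is not None:
            return cand.key, chain
    return None, None


# Constructed sample PKI: Root CA -> Inter CA -> signer
ROOT = Cert("Root CA", "Root CA", "k_root")
INTER = Cert("Inter CA", "Root CA", "k_inter")
LEAF = Cert("signer", "Inter CA", "k_signer")


def case_leaf_in_x509data():
    # Reading (2): <X509Data> carries the signer cert and its intermediate.
    return verify_and_extract_key([LEAF, INTER], [], [ROOT])


def case_leaf_only_in_store():
    # Reading (1): <X509Data> names only the intermediate; the cert holding the
    # validation key is known to the application via the store's untrusted list.
    return verify_and_extract_key([INTER], [LEAF], [ROOT])


def case_leaf_only_in_store_without_untrusted():
    # Same <X509Data> as above but the store's untrusted list is not searched:
    # the intermediate is the only candidate, so the wrong key is extracted.
    return verify_and_extract_key([INTER], [], [ROOT])


def case_no_trusted_root():
    # A complete chain that does not end in a trusted cert yields no key.
    return verify_and_extract_key([LEAF, INTER], [], [])


def case_two_x509data_elements():
    # Two <X509Data> elements under one <KeyInfo>: one holds the signer cert,
    # the other the intermediate.  Searching each element alone vs. combined.
    per_element = [verify_and_extract_key([LEAF], [], [ROOT]),
                   verify_and_extract_key([INTER], [], [ROOT])]
    combined = verify_and_extract_key([LEAF] + [INTER], [], [ROOT])
    return per_element, combined


if __name__ == "__main__":
    print(case_leaf_in_x509data()[0])
    print(case_leaf_only_in_store()[0])
    print(case_leaf_only_in_store_without_untrusted()[0])
    print(case_no_trusted_root()[0])
    print(case_two_x509data_elements())
```

The two store cases show why the untrusted certs matter under reading (1): without them the intermediate is the only leaf candidate and its key, not the signer's, comes back. The last case is the multiple-<X509Data> question: searched one element at a time, the element with the signer cert cannot chain to the root and the element with the intermediate returns the intermediate's key, while the combined pool finds the signer.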
