Ahmet-Kaplan / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0
0 stars 0 forks source link

All certificates from KeyInfo not considered in path building process #76

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Try to validate a document containing intermediate certificates in the 
KeyInfo but with each certificate in a separate X509Data.

What is the expected output? What do you see instead?
All certificates from KeyInfo are expected to be considered in the path 
building process. However, the path building fails as only the certificate(s) 
from the first X509Data are considered.

What version of the product are you using?
1.3.0

The attached patch fixes the issue by including all certificates found also 
from the other X509Data (if any).

Original issue reported on code.google.com by markuski...@gmail.com on 7 Feb 2014 at 11:10

GoogleCodeExporter commented 9 years ago
Attaching patch.
Link to downstream ticket in SignServer: https://jira.primekey.se/browse/DSS-727

Original comment by markuski...@gmail.com on 7 Feb 2014 at 11:12

Attachments:

GoogleCodeExporter commented 9 years ago
XML-DSIG has some rules about this: 
http://www.w3.org/TR/xmldsig-core/#sec-X509Data.

It states that X509Data elements should only contain certificates that are part 
of the chain.

Also it states that if multiple X509Certificate are present within the same 
X509Data element, at least one of them should refer to the validation key.

do you think there's value on enforcing these rules? I don't know if Apache 
Santuario is checking this (or the other rules on the link above).

Probably it's better to just collect all the certificates, no matter their 
organization, as suggested on your patch.

Original comment by luis.fgoncalv on 7 Feb 2014 at 11:36

GoogleCodeExporter commented 9 years ago

Original comment by luis.fgoncalv on 7 Feb 2014 at 11:36

GoogleCodeExporter commented 9 years ago
I don't think being a little bit more relaxed than the XML-DSIG specification 
in this aspect would be a problem. There could be documents with totally 
unrelated certificates included but that shouldn't cause any issues.

Original comment by markuski...@gmail.com on 7 Feb 2014 at 1:33

GoogleCodeExporter commented 9 years ago
Agreed. I'll apply the patch when possible. Tks!

Original comment by luis.fgoncalv on 7 Feb 2014 at 2:09

GoogleCodeExporter commented 9 years ago
I ended up also searching for IssuerSerial and SubjectName on all the 
ds:X509Data elements. r254.

Original comment by luis.fgoncalv on 8 Feb 2014 at 12:04