Re: [iaik-ssl] How to obtain a certificate chain
Thanks for the help again.
I guess I didn't explain my problem clearly. Take a B2B scenario.
Company A communicates to its partners through signed XML documents.
When Company A receives a signed XML document, it will
1. Verify the document is signed
2. Verify the document has not been tampered with the enclosing certificate
3. Verify the certificate is from one of the trusted partners
Step 3 could be achieved by looking at the issuer and subject of the
4. Verify the certificate chain.
Here is where my question starts. HOW COULD I GET THE CHAIN OF CERTIFICATES
ASSOCIATED WITH THE ENCLOSING CERTIFICATE?
At 07:16 AM 12/3/2001 +0000, Nauman Ahmad Khan wrote:
>You can get the certificate list from a PKCS7 file [I hope you know what pkcs7
>is]. For that purpose you need to have a pkcs7 file which contains the full
>chain of the end user certificate to its root issuer. Then you can write the
>InputStream iStream = new FileInputStream("d:/certChain.p7b");
>PKCS7CertList pkcs7 = new PKCS7CertList(iStream);
>X509Certificate[] certChain = pkcs7.getCertificateList();
>Now you can use this as I explained below in the previous email.
>Hope it helps,
>----Original Message Follows----
>From: Lei Gu <email@example.com>
>To: "Nauman Ahmad Khan" <firstname.lastname@example.org>, email@example.com,
>Subject: Re: [iaik-ssl] How to obtain a certificate chain
>Date: Thu, 29 Nov 2001 06:44:11 -0500
>Thanks for your help.
>But my question is in the step one, // Assign the certificate part.
>In order to use the ChainVerifier class, one MUST have a chain of
>certificate first, right? My problem is that when I get an input
>certificate, I need to get the chain for that certificate. And just
>how exactly would I do that??
>At 03:27 AM 11/30/2001 +0000, Nauman Ahmad Khan wrote:
> >You have to do following steps for that.
> >1- First you must have the chain you want to verify, say
> > X509Certificate[] certChain = new X509Certificate[SIZE];
> > // Assign the certificate <----- ???????????? How
> > If your certificates are not in arrangement, I mean from lowest end
> >cert to the top CA certificate then you can do this like
> > X509Certificate[] arrangedCertChain =
> >iaik.utils.Util.arrangeCertificateChain(certChain, false);
> >2- Then You can write the code like this to verify the chain
> >SimpleChainVerifier objChainVerifier=new SimpleChainVerifier();
> >where trustedCerts is the set of certificates with which you want to check the
> >certificate chain should link to complete the certificate path. Then you
> >have to call a function
> >objChainVerifier.verifyChain(arrangedCertChain );
> >If there is any kind of error, this function will throw an exception,
> >otherwise your chain is verified.
> >Hope it helps
> >Cheers and Have a Good Time
> >Nauman Ahmad Khan
> >Senior Software Architect
> >Ascertia Group
> >----Original Message Follows----
> >From: Lei Gu <firstname.lastname@example.org>
> >To: email@example.com, firstname.lastname@example.org
> >Subject: [iaik-ssl] How to obtain a certificate chain
> >Date: Wed, 28 Nov 2001 08:34:11 -0500
> > >Hi,
> > >I need to verify a certificate chain using ChainVerifier class. But
> > >I need to get the chain of certificate for an input certificate? Then
> > >how could I get the chain of certificates for a particular certificate?
> > >Thanks in advance.
> > >-- Lei Gu
> >Lei Gu @ 4055
>Lei Gu @ 4055
Lei Gu @ 4055
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
To unsubscribe send an email to firstname.lastname@example.org with the following content: UNSUBSCRIBE iaik-ssl
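
Added example, not part of the thread and not IAIK code: a single certificate does not carry its chain, so the chain has to be built from a pool of candidate certificates (for example those shipped alongside the signature or in a .p7b file) up to a locally trusted root. The sketch below does this with the JDK's standard PKIX `CertPathBuilder` instead of IAIK's `ChainVerifier`; the class name, helper names and the three input files are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class BuildChain {
    // Reads every certificate in a file (PEM sequence, DER, or PKCS#7 .p7b).
    static Collection<? extends Certificate> load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
    }

    // Builds and validates a path from `signer` up to one of `roots`, using
    // `candidates` as the pool of possible intermediates. Throws
    // CertPathBuilderException when no trusted path exists.
    static List<? extends Certificate> buildChain(X509Certificate signer,
            Collection<? extends Certificate> candidates,
            Collection<? extends Certificate> roots) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Certificate c : roots) {
            anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);       // the path must end at this exact certificate

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        List<Certificate> pool = new ArrayList<>(candidates);
        pool.add(signer);                    // the target itself must be findable in a store
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        // Assumption: no CRL/OCSP source is configured in this sketch, so
        // revocation checking is off; enable it when a source is available.
        params.setRevocationEnabled(false);

        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        return result.getCertPath().getCertificates();  // signer first, trust anchor excluded
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: signer.cer candidates.p7b trusted-roots.pem
        X509Certificate signer = (X509Certificate) load(args[0]).iterator().next();
        for (Certificate c : buildChain(signer, load(args[1]), load(args[2]))) {
            System.out.println(((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

The trusted-roots file should hold only roots that Company A has chosen to trust for its partners; certificates received with the document belong in the candidate pool, never in the anchor set.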