
Re: [iaik-jce] [iaik-ssl] How to obtain a certificate chain



Hello,

An XML signature may contain the whole certificate chain; if so, you
may get the certificates out of the signature. If not, you will have to get any
certs required for validation from some other source (e.g. some local
store, LDAP server, ...).

Regards,
Dieter Bratko

-----Original Message-----
From: iaik-jce-owner@iaik.tu-graz.ac.at
[mailto:iaik-jce-owner@iaik.tu-graz.ac.at] On Behalf Of Lei Gu
Sent: Sunday, 02 December 2001 16:56
To: Nauman Ahmad Khan; iaik-jce@iaik.at; iaik-ssl@iaik.at
Subject: Re: [iaik-jce] [iaik-ssl] How to obtain a certificate chain


Hi Nauman,
Thanks for the help again.
I guess I didn't explain my problem clearly.  Take a B2B scenario.
Company A communicates to its partners through signed XML documents.
When Company A receives a signed XML document, it will
1. Verify the document is signed
2. Verify the document has not been tampered with the enclosing certificate
3. Verify the certificate is from one of the trusted partners

Step 3 could be achieved by looking at the issuer and subject of the 
enclosing certificate.

4. Verify the certificate chain.
Here is where my question starts. HOW COULD I GET THE CHAIN OF CERTIFICATES
ASSOCIATED WITH THE ENCLOSING CERTIFICATE?

Thanks again.
-- Lei

At 07:16 AM 12/3/2001 +0000, Nauman Ahmad Khan wrote:

>Hi Lei,
>You can get the certificate list from a PKCS7 file [I hope you know what PKCS7
>is]. For that purpose you need to have a PKCS7 file which contains the full
>chain from the end user certificate to its root issuer. Then you can write
>code like
>
>InputStream iStream = new FileInputStream("d:/certChain.p7b");
>PKCS7CertList pkcs7 = new PKCS7CertList(iStream);
>X509Certificate [] certChain = pkcs7.getCertificateList();
>
>Now you can use this as I explained below in the previous email.
>
>Hope it helps,
>Regards
>Nauman
>
>
>
>----Original Message Follows----
>From: Lei Gu <lgu@lightbridge.com>
>To: "Nauman Ahmad Khan" <lashary@hotmail.com>, iaik-jce@iaik.at,
>iaik-ssl@iaik.at
>Subject: Re: [iaik-ssl] How to obtain a certificate chain
>Date: Thu, 29 Nov 2001 06:44:11 -0500
>
>Hi Nauman,
>Thanks for your help.
>But my question is in the step one, // Assign the certificate part.
>In order to use the ChainVerifier class, one MUST have a chain of
>certificate first, right? My problem is that when I get an input
>certificate, I need to get the chain for that certificate.  And just
>how exactly would I do that??
>Thanks.
>-- Lei
>
>At 03:27 AM 11/30/2001 +0000, Nauman Ahmad Khan wrote:
>
> >Hello,
> >You have to do the following steps for that.
> >
> >1- First you must have the chain you want to verify, say
> >    X509Certificate [] certChain = new X509Certificate[SIZE];
> >    // Assign the certificate  <----- ???????????? How
> >    If your certificates are not arranged in order, I mean from the lowest
> >    end user cert to the top CA certificate, then you can do this like
> >    X509Certificate [] arrangedCertChain =
> >iaik.utils.Util.arrangeCertificateChain(certChain, false);
> >
> >2- Then You can write the code like this to verify the chain
> >SimpleChainVerifier objChainVerifier=new SimpleChainVerifier();
> >objChainVerifier.setTrustedCertificates(trustedCerts);
> >
> >where trustedCerts is the set of certificates with which you want to check
> >that the certificate chain links to complete the certificate path. Then you
> >have to call the function
> >objChainVerifier.verifyChain(arrangedCertChain );
> >
> >IF there is any kind of error, this function will throw an exception,
> >otherwise your chain is verified.
> >
> >Hope it helps
> >Regards
> >Nauman
> >
> >
> >Cheers and Have a Good Time
> >Nauman Ahmad Khan
> >Senior Software Architect
> >Ascertia Group
> >lashary@hotmail.com
> >
> >
> >
> >----Original Message Follows----
> >From: Lei Gu <lgu@lightbridge.com>
> >To: iaik-jce@iaik.at, iaik-ssl@iaik.at
> >Subject: [iaik-ssl] How to obtain a certificate chain
> >Date: Wed, 28 Nov 2001 08:34:11 -0500
> >
> >
> > >Hi,
> > >I need to verify a certificate chain using ChainVerifier class. But don't
> > >I need to get the chain of certificate for an input certificate? Then
> > >how could I get the chain of certificates for a particular certificate?
> > >Thanks in advance.
> > >-- Lei Gu
> >
> >=====================
> >Lei Gu @ 4055
> >lgu@lightbridge.com
> >=====================
> >
> >--
> >Mailinglist-archive at
> >http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
> >
> >To unsubscribe send an email to listserv@iaik.at with the following content:
> >UNSUBSCRIBE iaik-ssl
> >
> >
> >
>
>=====================
>Lei Gu @ 4055
>lgu@lightbridge.com
>=====================
>
>

=====================
Lei Gu @ 4055
lgu@lightbridge.com
=====================

--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-jce
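
Added example, not part of the original messages and not IAIK code: the approach from the reply at the top of this thread (take the certificates carried in the XML signature, then link them to a locally trusted root), written with the standard JDK `java.security.cert` PKIX API instead of the IAIK `ChainVerifier` classes. It assumes the first `ds:X509Certificate` in the document is the signer's and that the trusted partner roots are in a PEM file; the class name and both command-line arguments (signed XML file, roots file) are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SignatureChainBuilder {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Collect every ds:X509Certificate in the document. These come from the sender: untrusted input.
    static List<X509Certificate> certsFromSignature(Document doc) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        NodeList nodes = doc.getElementsByTagNameNS(DSIG_NS, "X509Certificate");
        List<X509Certificate> certs = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            byte[] der = Base64.getMimeDecoder().decode(nodes.item(i).getTextContent());
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    // Build and validate a path from the signer certificate up to a locally trusted root.
    // Throws CertPathBuilderException when no such path exists.
    static CertPath buildChain(X509Certificate signer, Collection<X509Certificate> candidates,
                               Collection<X509Certificate> trustedRoots) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : trustedRoots) anchors.add(new TrustAnchor(root, null));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        params.setRevocationEnabled(false); // example only: no CRL/OCSP source is configured here
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
        List<X509Certificate> fromSig = certsFromSignature(doc);
        Collection<X509Certificate> roots = (Collection<X509Certificate>) CertificateFactory
                .getInstance("X.509").generateCertificates(new FileInputStream(args[1]));
        // Assumption: the first certificate in KeyInfo is the signer's.
        CertPath path = buildChain(fromSig.get(0), fromSig, roots);
        path.getCertificates().forEach(c -> System.out.println(((X509Certificate) c).getSubjectX500Principal()));
    }
}
```

The trust decision rests only on the local roots file; certificates taken from the signature serve as path-building candidates and are never added as anchors.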
 

