I'm really sorry but you confused me a bit.
I have read the specification and I'm quite familiar with it. It is said that
the KeyInfo element may contain multiple X509Data elements. X509Data elements may
contain multiple X509Certificate elements.
For example:
<KeyInfo>
  <X509Data> <!-- two pointers to certificate-A -->
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data><!-- single pointer to certificate-B -->
    <X509SubjectName>Subject of Certificate B</X509SubjectName>
  </X509Data>
  <X509Data> <!-- certificate chain -->
    <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
    <X509Certificate>MIICXTCCA..</X509Certificate>
    <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
         issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
    <X509Certificate>MIICPzCCA...</X509Certificate>
    <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
    <X509Certificate>MIICSTCCA...</X509Certificate>
  </X509Data>
</KeyInfo>
My question is how does
org.apache.xml.security.keys.KeyInfo.getX509Certificate() behave in such a case
because we have the whole certificate chain embedded in the document. What does
the method return? Can I access all certificates from the chain?
Best regards,
M.D.
>-------- Original message --------
>From: Cantor, Scott
>Subject: Re: XMLDsig and XML Signature API
>To: [email protected]
>Sent: Thursday, 2014, March 20 16:30:55 EET
>
>
>On 3/20/14, 10:12 AM, "M. D." wrote:
>
>> Well why not? Having the whole certificate chain embedded to the xml
>>seems reasonable, doesn't it?
>
>I believe that's represented by multiple X509Certificate elements, but the
>spec has an example you can look at.
>
>-- Scott
>
>
>
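
An added example, not part of the original thread and not Santuario's own code: one way to walk every X509Data child of a KeyInfo, collect all embedded certificates, and use them only as untrusted candidates when building a path to locally configured trust anchors. The class and method names are hypothetical. It assumes the caller supplies the signer certificate and the trust anchors, and that revocation checking is handled elsewhere.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;

// Hypothetical helper class; requires the Apache Santuario (xmlsec) jar on the classpath.
public final class KeyInfoChain {

    // Collect every X509Certificate from every X509Data child, in document order.
    public static List<X509Certificate> embeddedCerts(KeyInfo keyInfo)
            throws XMLSecurityException {
        List<X509Certificate> certs = new ArrayList<>();
        for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
            X509Data data = keyInfo.itemX509Data(i);
            // An X509Data that holds only IssuerSerial, SKI or SubjectName
            // pointers has lengthCertificate() == 0 and contributes nothing.
            for (int j = 0; j < data.lengthCertificate(); j++) {
                certs.add(data.itemCertificate(j).getX509Certificate());
            }
        }
        return certs;
    }

    // Build a path from the signer certificate to one of the caller's trust
    // anchors. The embedded certificates come from the signed document itself,
    // so they are offered to the builder only as candidate intermediates;
    // a root embedded in the document is never trusted for being there.
    public static CertPath buildTrustedPath(X509Certificate signer,
                                            List<X509Certificate> embedded,
                                            Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance(
                "Collection", new CollectionCertStoreParameters(embedded)));
        // Assumption for this example: revocation is checked elsewhere.
        // Leave it enabled and supply CRL/OCSP sources where that is not the case.
        params.setRevocationEnabled(false);

        // Throws CertPathBuilderException if no path to an anchor exists.
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }
}
```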