000022283 - How to verify XML signature with a <KeyInfo> element that doesn't contain an X.509 Certificate or Raw Public Key Value

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000022283
Applies To: RSA BSAFE Cert-J 2.0.1
Issue: How to verify XML signature with a <KeyInfo> element that doesn't contain an X.509 Certificate or Raw Public Key Value
The <KeyInfo> element contains <X509IssuerSerial>, <X509SubjectName>, <X509SKI>
Resolution: RSA BSAFE Cert-J has the ability to map a <KeyInfo> element that contains an <X509IssuerSerial>, <X509SKI> and an <X509SubjectName> to an X.509 Certificate. Cert-J will automatically look up the proper certificate using the bound database context. All that must be done is to add the proper verification certificate to the current database context and pass this CertJ object to the proper XML Signature verification function. For example, given a bound database service, the following function might be useful to add all of the certificates in a given directory:

import java.io.File;

// DatabaseService is Cert-J's bound database service; CertUtilities.loadX509Certificate(path)
// is a helper from the original sample code, not part of the Cert-J API.
// certsDir is a String field holding the directory that contains the certificate files.

/** Inserts every certificate file found in certsDir into the bound database service. */
private void addCerts(DatabaseService dbServiceIn) {
    System.out.println("Loading certificates ...");
    try {
        File certDir = new File(certsDir);
        String[] certNames = certDir.list();
        if (certNames == null) {
            System.out.println("  Not a readable directory: " + certsDir);
            return;
        }
        for (int i = 0; i < certNames.length; i++) {
            File certFile = new File(certDir, certNames[i]);   // resolve against certsDir, not a fixed "certs/" prefix
            System.out.print("   " + certFile.getPath() + "...");
            try {
                // Each inserted certificate becomes a lookup candidate for <X509IssuerSerial>, <X509SKI>, <X509SubjectName>
                dbServiceIn.insertCertificate(CertUtilities.loadX509Certificate(certFile.getPath()));
                System.out.println("  Success!");
            } catch (Exception anyExc) {
                System.out.println("  Failed! " + anyExc.getMessage());
            }
        }
    } catch (Exception xp) {
        System.out.println("Caught Exception while loading certificates");
        xp.printStackTrace();
    }
}

When XML Signature verification occurs, the customer should ensure that the verify() overload taking both the CertJ object and the certificate path context is called:

VerificationInfo verificationStatus = xmlSig.verify (certJ, certPathCtx);

Remember that the database is only a virtual "database" of candidate certificates from which the public key for signature verification is retrieved; a match in the database does not by itself make the signer trusted. All trusted certificates must still be added to the certPathCtx.
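The same lookup-then-trust split, shown as an added example written against the JDK's javax.xml.crypto.dsig API rather than Cert-J (this is not code from the article or from RSA). The KeySelector plays the role of the bound database context, resolving <X509IssuerSerial>, <X509SubjectName> and <X509SKI> to a certificate held in a local list, and then requires a PKIX path check against a separate trust-anchor set, which plays the role of certPathCtx. The class and method names (ReferenceKeySelector, verify, validateTrust, subjectKeyId) are my own; the one-element path in validateTrust assumes the signer certificate is issued directly by a trust anchor.

```java
import java.io.File;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Resolves KeyInfo certificate references against a local database, then checks trust separately. */
public class ReferenceKeySelector extends KeySelector {
    private final List<X509Certificate> database;  // lookup source for the signer's certificate
    private final Set<TrustAnchor> trustAnchors;   // trust decision lives here, not in the database

    public ReferenceKeySelector(List<X509Certificate> database, Set<TrustAnchor> trustAnchors) {
        this.database = database;
        this.trustAnchors = trustAnchors;
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Signature carries no KeyInfo");
        for (Object content : keyInfo.getContent()) {
            if (!(content instanceof X509Data)) continue;
            for (Object ref : ((X509Data) content).getContent()) {
                X509Certificate cert = lookup(ref);
                if (cert == null) continue;      // unknown reference: try the next one
                validateTrust(cert);             // a database hit alone proves nothing
                final PublicKey key = cert.getPublicKey();
                return () -> key;
            }
        }
        throw new KeySelectorException("No database certificate matches the KeyInfo references");
    }

    /** Maps one X509Data child to a database certificate, or null if nothing matches. */
    private X509Certificate lookup(Object ref) {
        for (X509Certificate c : database) {
            if (ref instanceof X509IssuerSerial) {
                X509IssuerSerial is = (X509IssuerSerial) ref;
                if (sameDn(is.getIssuerName(), c.getIssuerX500Principal())
                        && is.getSerialNumber().equals(c.getSerialNumber())) return c;
            } else if (ref instanceof String) {          // <X509SubjectName>
                if (sameDn((String) ref, c.getSubjectX500Principal())) return c;
            } else if (ref instanceof byte[]) {          // <X509SKI>, already base64-decoded by the API
                if (Arrays.equals((byte[]) ref, subjectKeyId(c))) return c;
            }
            // An embedded <X509Certificate> is out of scope here: the article's KeyInfo carries none.
        }
        return null;
    }

    private static boolean sameDn(String ref, X500Principal actual) {
        try { return new X500Principal(ref).equals(actual); }
        catch (IllegalArgumentException malformed) { return false; }  // unparsable DN never matches
    }

    /** SubjectKeyIdentifier value; extension bytes are OCTET STRING { OCTET STRING { id } }. */
    private static byte[] subjectKeyId(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.14");
        if (ext == null || ext.length < 4 || ext[0] != 0x04 || ext[2] != 0x04
                || (ext[1] & 0x80) != 0 || (ext[3] & 0x80) != 0) return null;   // short-form lengths only
        return Arrays.copyOfRange(ext, 4, ext.length);
    }

    /** One-element path validated against the trust anchors: the certPathCtx step of the article. */
    private void validateTrust(X509Certificate cert) throws KeySelectorException {
        try {
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(trustAnchors);
            params.setRevocationEnabled(false);  // assumption: revocation is checked elsewhere in this demo
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (Exception e) {
            throw new KeySelectorException("Signer certificate is not trusted: " + e.getMessage(), e);
        }
    }

    /** Parses the signed document with DTDs disabled and verifies its first ds:Signature. */
    public static boolean verify(File signedXml, List<X509Certificate> database,
                                 Set<TrustAnchor> anchors) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalArgumentException("no ds:Signature element");
        DOMValidateContext ctx = new DOMValidateContext(new ReferenceKeySelector(database, anchors), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);  // rejects weak algorithms and transforms
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

Load the database list with CertificateFactory.generateCertificate over the files in a directory, exactly as addCerts does for Cert-J, and build the trust-anchor set only from certificates you actually trust. A KeySelectorException raised inside validateTrust surfaces from validate() as an XMLSignatureException, so a signature whose KeyInfo points at a known but untrusted certificate fails rather than verifying, which is the property the article's certPathCtx reminder is about. If intermediate CAs sit between signer and anchor, replace the one-element path with a CertPathBuilder that uses the same database as a CertStore.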
Legacy Article ID: a8736
