
mace-opensaml-users - Re: [OpenSAML] encoding an X.509 certificate

Subject: OpenSAML user discussion


Re: [OpenSAML] encoding an X.509 certificate


  • From: Chad La Joie <>
  • Subject: Re: [OpenSAML] encoding an X.509 certificate
  • Date: Wed, 05 Nov 2008 15:02:43 +0100
  • Openpgp: id=146B2514
  • Organization: SWITCH

A certificate can never be encoded in DER format and within the content of
an XML element. You can either have semi-PEM (DER-encoded that is then
Base64 encoded) or true PEM encoded (DER-encoded that is Base64 encoded
plus appropriate headers). Pretty sure the OpenSAML library handles
either semi-PEM or true-PEM formats (PKCS8 is a subset of this). It
does also handle DER, but as I said, you can't put that in as the
contents of an XML element.

Tom Scavo wrote:
> Currently there are three profiles before the OASIS Security Services
> Technical Committee (SSTC) that rely on XML elements of the form:
>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>
> MIIDuDCC...
> </ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
>
> Interestingly, the above element has sparked a vigorous debate within
> the SSTC, which has spread to the W3C XML Signature WG. The issue
> involves the ASN.1 encoding of the underlying certificate.
> Specifically, should the certificate be DER-encoded or should the
> encoding be left unspecified?
>
> So my question is: If you were given an X.509 certificate of unknown
> encoding, could you determine the encoding by simply inspecting the
> bytes? Does the OpenSAML library support such a function?
>
> Thanks for shedding some light on this issue.
>
> Tom

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
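Tom asks whether the encoding can be determined by inspecting the bytes, and Chad's reply distinguishes raw DER, Base64-only ("semi-PEM") and true PEM. The following Python is an added illustration, not code from either poster or from OpenSAML: it sniffs those three forms from the leading bytes (a DER certificate starts with the SEQUENCE tag 0x30 followed by a definite, minimally encoded length, which is why the Base64 inside `<ds:X509Certificate>` always begins with `MII`) and normalises all of them to DER. The sample input is a constructed SEQUENCE of zero bytes, not a real certificate.

```python
import base64
import re
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

def der_sequence_length(buf: bytes):
    # Total encoded length of the DER SEQUENCE at buf[0], or None if the header is not DER.
    if len(buf) < 2 or buf[0] != 0x30:          # 0x30 = ASN.1 SEQUENCE tag
        return None
    if buf[1] < 0x80:                           # short form: the byte is the length itself
        return 2 + buf[1]
    n = buf[1] & 0x7F                           # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None                             # 0x80 = BER indefinite length, never DER
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80 or buf[2] == 0:
        return None                             # non-minimal length encoding is BER, not DER
    return 2 + n + length

def sniff_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'der', 'pem', 'semi-pem' or 'unknown'."""
    stripped = data.strip()
    if stripped.startswith(PEM_HEADER) and stripped.endswith(PEM_FOOTER):
        return "pem"
    if der_sequence_length(data) == len(data):
        return "der"
    b64 = re.sub(rb"\s+", b"", stripped)        # element content is usually line-wrapped
    if re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", b64):
        try:
            decoded = base64.b64decode(b64, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            return "unknown"
        if der_sequence_length(decoded) == len(decoded):
            return "semi-pem"
    return "unknown"

def to_der(data: bytes) -> bytes:
    # Normalise DER, PEM or Base64-only input to the raw DER bytes.
    kind = sniff_encoding(data)
    if kind == "unknown":
        raise ValueError("not a DER, PEM or Base64-encoded DER certificate")
    if kind == "der":
        return data
    body = data.strip()
    if kind == "pem":
        body = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)

# Constructed sample: a 260-byte SEQUENCE of zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_SEMI_PEM = base64.encodebytes(SAMPLE_DER)    # wrapped Base64, as inside <ds:X509Certificate>
SAMPLE_PEM = PEM_HEADER + b"\n" + SAMPLE_SEMI_PEM + PEM_FOOTER + b"\n"
```

A BER certificate with an indefinite length (0x30 0x80 ...) is reported as unknown, which is the distinction the SSTC debate turns on.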



