Thank you all! This discussion was very helpful!
Best regards, M.D. >-------- Оригинално писмо -------- >От: Brent Putman >Относно: Re: XMLDsig and XML Signature API >До: [email protected] >Изпратено на: Четвъртък, 2014, Март 20 19:01:19 EET > > > I have always understood that the use case for multiple > X509Data elements in a KeyInfo was having the (singular) signing key > represented in distinct PKIs. That would mean 2 distinct X509Certificate entity certs with the same public key but issued by different authorities, each living in its own X509Data. Each X509Data could also include other supporting X509Certifactes for the cert chain from that PKI. > > Example: The sender/signer knows that some recipients/validators trust > CA A (only) and some CA B (only). The signer has a cert issued within the hierarchy of both authority A and authority B, with the same public key. The signer sends a KeyInfo with support for both by sending 2 X509Datas populated accordingly. > > Obviously this is a probably uncommon, niche use case. > > > > On 3/20/14 10:06 AM, Colm O hEigeartaigh wrote: > > I don't think there is a valid use-case for having two > certificates in the KeyInfo of a Signature. > > Colm. > > > On Thu, Mar 20, 2014 at 1:37 PM, M. D. wrote: > Hello all, > > I'm trying to use the santuario api for signing xml > documents. > > Just a quick question - this may sound stupid but according > to the w3 spec http://www.w3.org/TR/xmldsig-core/#sec-X509Data > a KeyInfo tag may contain more than one X509Data elements > thus contain more than one embedded certificate. > > Then how come the org.apache.xml.security.keys.KeyInfo class > have a getX509Certificate() method that returns only one > certificate? Do I have a way of obtaining all embedded > certificates in the XML? > > Thanks in advance for your understanding! > > Best regards, > M.D. > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > >
