
We have a service receiving a lot of signed XML documents; some of them are signed with a self-signed certificate and some are signed with a certificate from a trusted certificate authority.

What is the best way to make sure the certificate used to sign the XML document is in a list of certificates we trust?

Today we are matching the certificate's thumbprint against a list of accepted certificate thumbprints.

Can we trust the thumbprint to be unique, or is it possible to fake this?

What would be the best way to solve this? (We cannot make everybody sending signed XML documents use certificates from a trusted certificate authority.)

Mr Zach

1 Answer

If you are using the standard XML Signature syntax, then the optional KeyInfo may carry the actual certificate to use.

You should be using the thumbprint of the certificate from the KeyInfo to match against the list of accepted certificates, and then validating the actual signature against a copy of that certificate from your own store of trusted certificates. If the actual certificate used in signing the document is different, the validation step will fail, the document should be rejected and someone should hopefully investigate further.

The certificate thumbprint should be complex enough that the probability of having two certificates with the same thumbprint by accident should be negligible. But even if it happens (perhaps by malice), it should only cause a wrong certificate to be chosen for the signature validation process, which should definitely cause the validation to fail.

But if you are validating the document with the certificate that comes with the document itself and then checking that the certificate thumbprint matches one of the trusted certificates, you are Doing It Wrong: you're essentially using the thumbprints of the trusted certificates as passwords.

telcoM
  • I'm assuming in the case of a "real" certificate (which the recipient might not have a copy of), the process would need to use the provided certificate, but then verify this certificate chain up to a trusted root the recipient does have? If the certificate is self signed, then the recipient would need to be given a copy of this (via some other means not discussed here) first before accepting documents. – USD Matt Feb 20 '18 at 11:46
  • You should also check that the certificate hasn't been revoked. Each certificate should contain information about where to find revocation information, either online as OCSP or as a list of revoked certificates, a CRL. – Jenny D Feb 21 '18 at 07:16
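The procedure the answer and its comments describe, as an added example that is not part of the original post or any project's code: the certificate in KeyInfo only selects an entry in our own trust store, the signature is then checked with the stored copy (or, for CA-issued certificates, with a certificate that has been chained to a root we hold), and a document whose KeyInfo carries a trusted certificate but whose signature was made with some other key is rejected. Everything here is an assumption made for the example: it uses only the Go standard library; `SignedDoc`, `TrustStore`, `Thumbprint`, `Sign`, `newCert` and `RunScenarios` are hypothetical names; the `SignedDoc` struct stands in for the XML Signature structure (canonicalised SignedInfo, SignatureValue, X509Certificate in KeyInfo) and no XML parsing, canonicalisation or Reference-digest checking is done; rsa-sha256 is the assumed SignatureMethod; all keys and certificates are generated on the fly; and the revocation check the second comment asks for is only marked in a comment.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDoc stands in for an XML Signature (an assumption of this example): canonicalised SignedInfo,
// SignatureValue, and the DER certificate from KeyInfo/X509Data. XML parsing, canonicalisation and
// the Reference digests are left out; a real verifier must check them too.
type SignedDoc struct{ SignedInfo, Signature, KeyInfoDER []byte }

// TrustStore holds our own copies of accepted self-signed certificates, keyed by the SHA-256
// thumbprint of their DER encoding, plus the CA roots accepted for CA-issued signers.
type TrustStore struct {
	Pinned map[string]*x509.Certificate
	Roots  *x509.CertPool
}

// Thumbprint is the SHA-256 fingerprint of a DER-encoded certificate as lower-case hex.
func Thumbprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// Verify follows the answer: the KeyInfo certificate only selects a trusted certificate, and the
// signature is checked with our stored copy (or, as the comments add, with a certificate that
// chains to a trusted root), never with the embedded bytes on their own.
func (ts *TrustStore) Verify(doc SignedDoc) error {
	embedded, err := x509.ParseCertificate(doc.KeyInfoDER)
	if err != nil {
		return fmt.Errorf("KeyInfo certificate: %w", err)
	}
	signer, pinned := ts.Pinned[Thumbprint(doc.KeyInfoDER)]
	if !pinned { // not on the accepted list: it must chain to a CA root we trust
		// ExtKeyUsageAny: Go's default demands serverAuth, which document-signing certificates lack.
		opts := x509.VerifyOptions{Roots: ts.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := embedded.Verify(opts); err != nil {
			return fmt.Errorf("certificate neither pinned nor CA-trusted: %w", err)
		}
		signer = embedded // a CRL/OCSP revocation check belongs here as well
	}
	// rsa-sha256: SignedInfo is hashed with SHA-256 and checked against the trusted certificate's key.
	if err := signer.CheckSignature(x509.SHA256WithRSA, doc.SignedInfo, doc.Signature); err != nil {
		return fmt.Errorf("signature does not verify with the trusted certificate: %w", err)
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Sign produces a document signed with rsa-sha256 and whatever DER the caller puts in KeyInfo.
func Sign(signedInfo []byte, key *rsa.PrivateKey, keyInfoDER []byte) SignedDoc {
	digest := sha256.Sum256(signedInfo)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	check(err)
	return SignedDoc{signedInfo, sig, keyInfoDER}
}

// newCert issues a short-lived test certificate for key; a nil parent makes it self-signed.
func newCert(cn string, serial int64, usage x509.KeyUsage, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, der
}

// RunScenarios pins one self-signed partner, trusts one CA root and reports which constructed
// sample documents are accepted; every key and certificate is generated on the fly.
func RunScenarios() map[string]bool {
	gen := func() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); check(err); return k }
	partnerKey, caKey, leafKey, attackerKey := gen(), gen(), gen(), gen()
	partner, partnerDER := newCert("partner", 1, x509.KeyUsageDigitalSignature, partnerKey, nil, nil)
	ca, _ := newCert("Example Root CA", 2, x509.KeyUsageCertSign, caKey, nil, nil)
	_, leafDER := newCert("issued signer", 3, x509.KeyUsageDigitalSignature, leafKey, ca, caKey)
	_, attackerDER := newCert("attacker", 4, x509.KeyUsageDigitalSignature, attackerKey, nil, nil)
	ts := &TrustStore{Pinned: map[string]*x509.Certificate{Thumbprint(partnerDER): partner}, Roots: x509.NewCertPool()}
	ts.Roots.AddCert(ca)
	body := []byte("<SignedInfo>constructed sample</SignedInfo>")
	accept := func(d SignedDoc) bool { return ts.Verify(d) == nil }
	return map[string]bool{
		"pinned self-signed, own key":          accept(Sign(body, partnerKey, partnerDER)),
		"unknown self-signed":                  accept(Sign(body, attackerKey, attackerDER)),
		"pinned cert in KeyInfo, attacker key": accept(Sign(body, attackerKey, partnerDER)),
		"CA-issued signer":                     accept(Sign(body, leafKey, leafDER)),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

The third scenario is the one the answer is about: the thumbprint lookup succeeds, because the attacker simply copied the partner's public certificate into KeyInfo, but the signature is verified with the store's own copy and fails, so the document is rejected. The thumbprint never acts as a password; the only thing that gets a document accepted is a signature that checks out under a key we already trust. Note the `ExtKeyUsageAny` option: Go's `Verify` defaults to requiring the serverAuth extended key usage, which a document-signing certificate usually does not carry, so a chain-validation path written without it would reject legitimate CA-issued signers.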