Hi,
I have been researching how to check whether a certificate is signed by a root CA (Certifying Authority) or not, i.e., whether a user's certificate is authenticated by a third party or not. If a certificate is signed by a root CA, there is a certificate chain associated with that certificate, each one proving the signature of the previous one. We can check the validity of a certificate chain using the CertPath class. Whether a certificate is signed by a root CA or by the user can thus be checked too. We need to have an updated list of all root CAs to check whether a third party is accepted as a CA or not.
Another question is, are we going to support X.509 certificates only, or do we want to include PGP certificates too? I have been researching X.509 so far.
We need to ask the user (signer) which alias (of a private key) he wants to use to sign the script. I have written a sample implementation which, given the location of the user's keystore, gets all aliases and imports the certificate.
Regarding where to place the methods for checking the script signature, I have found out several things. First of all, we need to check whether the script is a remote script or not. If remote, then we can verify the signature, just extract the script part and move on as usual. I think it would be nice to put these methods in the internalInject() method of the AbstractScriptEngine class. Here, before calling the inject() method, we can perform the above-said operations. We can extract the script from the signature and pass the script directly to inject().
I would appreciate other ideas on any of the above matters.
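As an added example, not code from the message above or from the project it discusses, here is a Java sketch of the two checks the message describes: validating a signer's certificate chain against a trust store of accepted root CAs with CertPathValidator (the PKIX algorithm behind the CertPath classes), distinguishing a self-signed, user-issued certificate from a CA-issued one, and listing the private-key aliases in the signer's keystore so the user can be asked which one to sign with. The class name, command-line layout, file paths and passwords are assumptions; the JRE's cacerts file is one possible trust store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Hypothetical class name; not part of any existing project.
public class ScriptCertCheck {

    /** Loads a keystore or trust store from disk (e.g. the JRE's cacerts file). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Reads the signer's chain (end-entity certificate first, then intermediates) from a
     * PEM or DER file. The root itself is not expected here: the trust store supplies it.
     */
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** True when the certificate names itself as issuer and verifies under its own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * PKIX-validates the chain against the trusted certificate entries of the trust store.
     * Returns the root CA the chain terminates in; throws CertPathValidatorException when the
     * chain reaches no accepted root, a signature fails, or a certificate is outside its validity.
     */
    static X509Certificate validateChain(List<X509Certificate> chain, KeyStore trustStore)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        // The trust anchors are the TrustedCertificateEntry entries of the trust store.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // no CRL/OCSP source configured in this sketch

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    /** Aliases in the signer's keystore that hold a private key: the choices to offer the user. */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: <trust-store> <password> <chain-file> [<signer-keystore> <password>]
        KeyStore trustStore = loadKeyStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = readChain(args[2]);

        if (chain.size() == 1 && isSelfSigned(chain.get(0))) {
            System.out.println("Certificate is self-signed: no third-party CA vouches for it.");
        }
        try {
            X509Certificate root = validateChain(chain, trustStore);
            System.out.println("Chain is valid; root CA: " + root.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("Chain rejected: " + e.getMessage());
        }

        if (args.length >= 5) {
            KeyStore signerStore = loadKeyStore(args[3], args[4].toCharArray());
            System.out.println("Signing aliases available: " + privateKeyAliases(signerStore));
        }
    }
}
```

Two points worth keeping in mind with this approach: the set of accepted root CAs is exactly the set of trusted certificate entries in the trust store that is loaded, so keeping that file current is what the "updated list of all root CAs" amounts to in practice; and revocation checking is disabled here only because no CRL or OCSP source is configured, so a production check would enable it or supply a revocation checker.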