[xmlsec] xmlsec question

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Thu Jul 18 00:16:03 PDT 2002


Aleksey:
  I'm to the point of trying to use the xmlsec utility to verify a signed
document produced by our test web server and signed with a private key whose
public key is certified by a self-signed root cert (i.e., the CA isn't in
the trusted list, it's just our self-signed cert for this purpose). I
probably should provide xmlsec with a "--trusted <pemfile>" in order to
validate that the cert is trusted for this purpose; however, stepping through
the code in xmlSecX509StoreVerify() it looks like the loop beginning at line
1134 (071202 build) never calls X509_verify_cert() because there's only one
cert, that cert is self-signed (and so passes the first call to
xmlSecX509FindNextChainCert()) and then the loop terminates. So, even if I
had that self-signed cert passed in as a trusted root, it looks like the
trusted-root comparison wouldn't ever occur and verification would still
fail. I'm still a newbie in this code base so I apologize if I'm off-base
here, but I've worked with x509 stuff before and I believe I understand what
I'm seeing. Meanwhile, I'm trying to get the x509 cert from the webmaster in
a PEM format but wanted to run this by you since it looks like that root key
isn't going to be of immediate help given how the code works at this point.
Any comments/thoughts on how verifications against self-signed certs should
work would be appreciated. I'm attaching the file I'm passing to the xmlsec
test program just in case you want to pop this into the debugger and take a
look at verifying it. The file contains multiple signed sections of XML but
xmlsec appears to try to validate the first one w/o my having to supply a
--node* reference on the command line -- for now it doesn't matter which one
it tries to validate -- I just need to see it validate one so I can justify
proceeding down this path.
Thanks!!!!
Ferrell
PS, let me know if I should submit this to the maillist but 

=====================================
Ferrell Moultrie (ferrell at iss.net)
Software Engineer

Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone:  404-236-2600
Direct: 404-236-2849
Fax:    404-236-2632
http://www.iss.net

Internet Security Systems -- The Power to Protect
=====================================

-------------- next part --------------
A non-text attachment was scrubbed...
Name: serverkey.xml
Type: application/octet-stream
Size: 8153 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20020718/400002b2/serverkey.obj
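Added illustration, not code from the post or from the xmlsec project: a short OpenSSL command-line session showing the trust rule behind the question above. A self-signed certificate is accepted only when the verifier's trusted list contains that very certificate; with no trust anchor the one-certificate "chain" is rejected at depth 0. The key, certificate file names and subject CN are constructed for this example, not the ISS server certificate.

```shell
#!/bin/sh
# Added illustration, not xmlsec or ISS code: a self-signed certificate is
# accepted only if the verifier's trust list contains that very certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throw-away key and self-signed cert (subject CN is made up).
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=xmlsec-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Verify with an empty trust store: the chain is one cert long, its issuer is
# itself, and no trust anchor matches, so a correct verifier must reject it.
# Returns 0 only if openssl reports the certificate as OK.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath "$WORK/cert.pem" 2>&1 | grep -q ': OK$'
}

# Verify with the same self-signed cert supplied as the trusted root: this is
# the role that xmlsec's "--trusted <pemfile>" option plays in the post.
verify_trusted() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/cert.pem" \
    "$WORK/cert.pem" 2>&1 | grep -q ': OK$'
}

gen_selfsigned
if verify_untrusted; then
  echo "unexpected: self-signed cert accepted without any trust anchor"
else
  echo "rejected without a trust anchor (expected)"
fi
if verify_trusted; then
  echo "accepted once the same cert is listed as trusted (expected)"
else
  echo "unexpected: rejected even though it is the trusted root"
fi
```

The point for the xmlsec case is the same: even a chain consisting of a single self-signed certificate still has to be compared against the trusted list, so a verifier that skips that comparison can never accept it.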

