[xmlsec] X509Data sub-element detail ?

Aleksey Sanin aleksey@aleksey.com
Wed, 06 Aug 2003 22:04:47 -0700


>xmlsec sign --pkcs12 keys/EdSign.p12 --output inout/edsigned1.xml tmpl/tmpl-EPM-sign.xml
>
>... This in the template works ...
>
><X509Data>
></X509Data>
>
>... This in the template does not ...
>
><X509Data>
>	<X509SubjectName/>
>	<X509Certificate/>
></X509Data>
>  
>

The second template should work if you are using xmlsec-openssl 1.1.0 or
xmlsec-nss from CVS trunk. If you have the correct version and it does
not work, then it's probably a bug somewhere. I would appreciate it if
you could file a bug report and provide as many details as possible
(xmlsec version + crypto, OS, templates you are using, pkcs12 file if
possible).

>Where is the additional X509 detail extracted from ? I tried adding: 
>
>--trusted-der keys/cacert.der
>
>... to the command line to no avail. 
>  
>
This has nothing to do with it. The "--trusted-*" options tell xmlsec
which certs are trusted when it verifies a signature. XMLSec gets
certificates from the key. In your case, from the PKCS12 file.
BTW, do you have a cert in this file?


>I'd also like to include other X509 info like issuer, valid from, valid to,
>cert serial number, etc ...
>  
>
This goes outside the scope of the XMLDSig specification [1]. All this
information is available inside the cert itself, and you can include the
full certificate using the <X509Certificate/> node.

Aleksey


[1] http://www.w3.org/TR/xmldsig-core/#sec-X509Data
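
Added example, not part of the original message and not xmlsec's own code: since the issuer, serial number and validity dates live inside the certificate, this script pulls the <X509Certificate> body out of a signed document and prints those fields with the openssl CLI. The function names are hypothetical, the sample certificate is a throwaway generated on the spot, and the extraction assumes an <X509Certificate> tag without attributes.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires the openssl CLI.

# Print the base64 body of the last <X509Certificate> in XML file $1
# (handles an optional "ds:" prefix; assumes the tag has no attributes).
x509_from_xml() {
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*<\(ds:\)\{0,1\}X509Certificate>\([^<]*\)<.*/\2/p'
}

# Print subject, issuer, serial and validity dates of that certificate.
# Fails if the document carries no certificate body (for example an
# empty <X509Data> element).
x509_fields() {
    b64=$(x509_from_xml "$1")
    if [ -z "$b64" ]; then
        echo "no <X509Certificate> content in $1" >&2
        return 1
    fi
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$b64" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } | openssl x509 -noout -subject -issuer -serial -dates
}

# Constructed sample: a throwaway self-signed cert wrapped in <X509Data>,
# written to $1. It stands in for the signed output file.
make_sample() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 4660 \
        -subj '/CN=EdSign sample' -keyout "$d/k.pem" -out "$d/c.pem" \
        2>/dev/null || { rm -rf "$d"; return 1; }
    {
        echo '<X509Data>'
        echo '<X509Certificate>'
        openssl x509 -in "$d/c.pem" -outform DER | openssl base64
        echo '</X509Certificate>'
        echo '</X509Data>'
    } > "$1"
    rm -rf "$d"
}

# Usage: sh x509fields.sh inout/edsigned1.xml
if [ $# -gt 0 ]; then x509_fields "$1"; fi
```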