[xmlsec] X509Data sub-element detail ?

Edward Shallow ed.shallow@rogers.com
Thu, 7 Aug 2003 09:59:34 -0400


As always, thanks for the quick reply.

I'm using Igor's Windows binaries which I believe were and still are at 1.04

Yes the p12 has a cert in it. I can otherwise sign and validate documents
signed with it.

As I mentioned the X509 gets populated O.K. in the first template below, I'd
just like to get the other details in.

If you are tuning in Igor, is there any chance you will be recompiling the
Windows binaries for 1.1.0 any time soon ?

Thanks in advance,
Ed


-----Original Message-----
From: xmlsec-admin@aleksey.com [mailto:xmlsec-admin@aleksey.com] On Behalf Of Aleksey Sanin
Sent: August 7, 2003 12:05 AM
To: Edward Shallow
Cc: xmlsec@aleksey.com


>xmlsec sign --pkcs12 keys/EdSign.p12 --output inout/edsigned1.xml tmpl/tmpl-EPM-sign.xml
>
>... This in the template works ...
>
><X509Data>
></X509Data>
>
>... This in the template does not ...
>
><X509Data>
>	<X509SubjectName/>
>	<X509Certificate/>
></X509Data>
>

The second template should work if you are using xmlsec-openssl 1.1.0 or
xmlsec-nss from CVS trunk. If you have the correct version and it does not
work then it's probably a bug somewhere. I would appreciate it if you could
file a bug report and provide as many details as possible (xmlsec version +
crypto, os, templates you are using, pkcs12 file if possible).

>Where is the additional X509 detail extracted from ? I tried adding:
>
>--trusted-der keys/cacert.der
>
>... to the command line to no avail.
>
This has nothing to do with it. "--trusted-*" options tell xmlsec which
certs are trusted when it verifies a signature. XMLSec gets certificates
from the key. In your case, from the PKCS12 file.
BTW, do you have a cert in this file?


>I'd also like to include other X509 info like issuer, valid from, valid
>to, cert serial number, etc ...
>
This goes outside the scope of the XMLDSig specification [1]. All this
information is available inside the cert itself and you can include the full
certificate using the <X509Certificate/> node.

Aleksey


[1] http://www.w3.org/TR/xmldsig-core/#sec-X509Data



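The section cited as [1] defines a fixed set of child elements for X509Data. The following Python check is an added example, not code from this thread or from the xmlsec project: it reports which X509Data children in a signing template are defined by XMLDSig core and which are not. The sample templates and the `X509ValidFrom` element name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Children that XMLDSig core defines for ds:X509Data (the section cited as [1]).
X509DATA_CHILDREN = {"X509IssuerSerial", "X509SKI", "X509SubjectName",
                     "X509Certificate", "X509CRL"}


def split_tag(tag):
    """Split ElementTree's '{namespace}name' form into (namespace, name)."""
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return ns, name
    return "", tag


def check_x509data(template_xml):
    """Return (defined, undefined) child names found under ds:X509Data.

    defined:   children in the dsig namespace that the spec lists.
    undefined: any other child; XMLDSig core does not define its content.
    """
    defined, undefined = [], []
    root = ET.fromstring(template_xml)
    for x509data in root.iter("{%s}X509Data" % DSIG_NS):
        for child in x509data:
            ns, name = split_tag(child.tag)
            if ns == DSIG_NS and name in X509DATA_CHILDREN:
                defined.append(name)
            else:
                undefined.append(name)
    return defined, undefined


def make_template(children):
    """Constructed sample: a bare Signature/KeyInfo/X509Data skeleton."""
    return ('<Signature xmlns="%s"><KeyInfo><X509Data>%s</X509Data>'
            '</KeyInfo></Signature>' % (DSIG_NS, children))


# Constructed samples; X509ValidFrom is a made-up name, not a real element.
TMPL_EMPTY = make_template("")
TMPL_SUBJECT_CERT = make_template("<X509SubjectName/><X509Certificate/>")
TMPL_EXTRA = make_template("<X509IssuerSerial/><X509ValidFrom/>")

if __name__ == "__main__":
    for tmpl in (TMPL_EMPTY, TMPL_SUBJECT_CERT, TMPL_EXTRA):
        print(check_x509data(tmpl))
```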