[xmlsec] Big patch to xmlsec in recent OpenOffice.org sources

Aleksey Sanin aleksey at aleksey.com
Mon Feb 28 08:01:10 PST 2005


>> 6) src/mscrypto/certkeys.c, xmlSecMSCryptoX509StoreConstructCertsChain()
>> function:
...

As far as I can understand your patch, it *does not* search untrusted
certs store if the certificate is self signed ("if(!selfSigned)...").
And this is exactly what happens in my code:
  1) Search trusted store for the cert subject and return TRUE if found
  2) Check if cert is self signed and return FALSE if it is the case
  3) Search trusted store for the cert issuer, check signature,
     revocation, etc. and return TRUE if everything is OK
  4) Search issuer cert in the list of other input certs, check
     signature, revocation, etc. and return recurse if everything is OK
  5) Search issuer cert in the list of untrusted certs, check signature,
     revocation, etc. and return recurse if everything is OK
	
It seems to me that this covers all the cases and it is not much
different from your code. In your code, step 3) was done after 4) and 5)
and you did it for self signed certs too. But if cert is self signed,
then subject == issuer and you'll find it (or not find it) in the
trusted store on step 1) anyway and there is no need to repeat
the search on step 3) again.


Aleksey




More information about the xmlsec mailing list