[xmlsec] OpenSSL vs mscrypto
Aleksey Sanin
aleksey at aleksey.com
Thu Jan 12 21:13:51 PST 2006
According to the spec, an xmldsig application should search for the
key using *all* the information available in the <dsig:KeyInfo/>
element. The specification *does not* say that an X509 certificate
is better than a key name, and it does not require one to search
in any particular order.
However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/>
sub-elements. For example, look at the --enabled-key-data option
of the xmlsec command line application.
I am not sure I understand all the steps you did for
adding/removing the certificate to/from the MS stores, thus I cannot
comment on the validity of your tests or point my finger at
what you did wrong. What I do know is that on my computer
I see the following results:
> xmlsec verify --crypto mscrypto --trusted-der d:\upu-cacert.der d:/edsigned-enveloped.xml
...
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
> xmlsec verify --crypto mscrypto d:/edsigned-enveloped.xml
...
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "d:/edsigned-enveloped.xml"
which is *exactly* what I expect to see and what I believe
you expect to see too.
And as I usually say, I *DO* accept patches :)
Aleksey
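The two rules in the post above (consult every <dsig:KeyInfo/> child without preferring one, and let the application restrict which key-data types are consulted, as xmlsec's --enabled-key-data does) can be shown with a small resolver. The block below is an added example, not xmlsec code; it models the trust store, the key-data type names ("key-name", "x509", "key-value") and the key material as constructed placeholders, and it shows why the second verification in the post fails: without the trusted certificate there is simply no trusted key reachable from the KeyInfo, whatever the element contains.

```python
"""Toy <dsig:KeyInfo/> resolver (added example, not xmlsec code).

Models the xmldsig rule that every enabled KeyInfo child is consulted with
no preferred order, plus an application-level switch, in the spirit of
xmlsec's --enabled-key-data, that disables whole key-data types.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed trust store (hypothetical).  Keys are opaque strings standing
# in for real key material; the certificate is a constructed byte string
# where a real store would hold the DER certificate or its fingerprint.
TRUSTED_CERT_DER = b"constructed-der-bytes-for-upu-cacert"
TRUST_STORE = {
    "name": {"upu-signing-key": "PUBKEY-A"},
    "cert_sha256": {hashlib.sha256(TRUSTED_CERT_DER).hexdigest(): "PUBKEY-A"},
}
EMPTY_STORE = {"name": {}, "cert_sha256": {}}

# Key-data type names are this example's own, not xmlsec's option values.
ALL_KEY_DATA = frozenset({"key-name", "x509", "key-value"})

# Constructed KeyInfo: an unknown KeyName, the trusted certificate, and an
# embedded key.  A real <KeyValue/> carries RSAKeyValue/DSAKeyValue children;
# here the placeholder key id is the element text.
SAMPLE_KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyName>unknown-name</KeyName>
  <X509Data><X509Certificate>%s</X509Certificate></X509Data>
  <KeyValue>PUBKEY-UNTRUSTED</KeyValue>
</KeyInfo>""" % base64.b64encode(TRUSTED_CERT_DER).decode()


def resolve_keys(keyinfo_xml, enabled=ALL_KEY_DATA, store=TRUST_STORE):
    """Return the set of trusted key ids reachable from a KeyInfo element.

    Every enabled child contributes and no type outranks another, which is
    what the spec asks for.  A <KeyValue/> is accepted only if it reproduces
    a key already in the store: key material carried inside the signed
    document is self-asserted and cannot create trust on its own.
    """
    root = ET.fromstring(keyinfo_xml)
    found = set()
    for child in root:
        tag = child.tag[len(DSIG):] if child.tag.startswith(DSIG) else child.tag
        if tag == "KeyName" and "key-name" in enabled:
            key = store["name"].get((child.text or "").strip())
            if key:
                found.add(key)
        elif tag == "X509Data" and "x509" in enabled:
            for cert in child.iter(DSIG + "X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                key = store["cert_sha256"].get(hashlib.sha256(der).hexdigest())
                if key:
                    found.add(key)
        elif tag == "KeyValue" and "key-value" in enabled:
            embedded = "".join(child.itertext()).strip()
            if embedded in store["name"].values():
                found.add(embedded)
    return found


def verification_allowed(keyinfo_xml, enabled=ALL_KEY_DATA, store=TRUST_STORE):
    """True only when some enabled KeyInfo child leads to a trusted key."""
    return bool(resolve_keys(keyinfo_xml, enabled, store))


if __name__ == "__main__":
    # With the trusted cert loaded (the --trusted-der run in the post).
    print("trusted cert loaded :", verification_allowed(SAMPLE_KEYINFO))
    # Same document, no trusted cert (the failing run in the post).
    print("no trusted cert     :", verification_allowed(SAMPLE_KEYINFO, store=EMPTY_STORE))
    # Same document, X509Data disabled by policy: the unknown KeyName alone
    # resolves nothing, so verification is refused.
    print("x509 disabled       :", verification_allowed(SAMPLE_KEYINFO, enabled={"key-name"}))
```

The important design choice is that the embedded <KeyValue/> never adds trust by itself: it can only confirm a key the application already holds. Disabling key-data types (the `enabled` set) narrows what the resolver will even look at, which is the defensive use of --enabled-key-data, while the trust store decides what counts as OK.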