[Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Aleksey Sanin aleksey at aleksey.com
Thu Jan 12 21:59:17 PST 2006


I did not convert or load anything. I just ran the two command lines
from your email "as-is" and got the results I expect to see. I don't know
what the problem you have is, but I think it is clearly somehow
related to the setup you have.

Aleksey

Edward Shallow wrote:
> Your messages are very short ?
> 
> There is no mistake with the adding/removing of certs in the MS Store as
> there is only one cert in play here, the public "Test User 1".
> 
> And the .der you are loading from the command line utility.
> 
> You must have converted "Test User 1" to a .cer and loaded into one of the
> MS cert stores. Yes ? 'MY' or 'AddressBook' ?
> 
> You did not use the --enabled-key-data in your example below ? Why did you
> mention it ?
> 
> Just tell me what you did.
> 
> And the .der you are loading from the command line utility
> 
> I rather suspect your binaries are simply newer than Igor's 1.2.8 or you
> are picking up Dmitry's patch and that has fixed it.
> 
> Please be more specific in your explanation.
> 
> Ed 
> 
> 
> 
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
> Behalf Of Aleksey Sanin
> Sent: January 13, 2006 12:14 AM
> To: ed.shallow at rogers.com
> Cc: xmlsec at aleksey.com
> Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto
> 
> According to the spec, xmldsig application should search key using *all* the
> information available in the <dsig:KeyInfo/> element. Specification *does
> not* say that X509 certificate is better than key name and it does not
> require one to search in some particular order.
> 
> However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/>
> sub-elements. For example, look for --enabled-key-data option for the xmlsec
> command line application.
> 
> I am not sure I understand all the steps you did for adding/removing
> certificate to MS stores thus I can not comment on the validity of your
> tests or point my finger at what you did wrong. What I do know is that on my
> computer, I do see the following results:
> 
>  > xmlsec verify --crypto mscrypto
>         --trusted-der d:\upu-cacert.der
>         d:/edsigned-enveloped.xml
> ...
> 
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> 
>  > xmlsec verify --crypto mscrypto
>         d:/edsigned-enveloped.xml
> ...
> 
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "d:/edsigned-enveloped.xml"
> 
> which is *exactly* what I expect to see and what I believe you expect to see
> too.
> 
> 
> And as I usually say, I *DO* accept patches :)
> 
> Aleksey
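A model of the point in the quoted message about `<dsig:KeyInfo/>`, as an added example that is not part of the thread and is not xmlsec code: it lists the key hints a signed document offers and which of them remain when only some sub-element kinds are enabled. The sample document, the function names and the kind labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample; this is NOT the edsigned-enveloped.xml from the thread.
SAMPLE = f"""<doc><Signature xmlns="{DSIG}">
  <SignedInfo/><SignatureValue/>
  <KeyInfo>
    <KeyName>Test User 1</KeyName>
    <X509Data><X509Certificate>constructed-placeholder</X509Certificate></X509Data>
  </KeyInfo>
</Signature></doc>"""

# Illustrative labels for KeyInfo children (assumed names for this example).
KIND = {
    "KeyName": "key-name",
    "KeyValue": "key-value",
    "RetrievalMethod": "retrieval-method",
    "X509Data": "x509",
}


def key_hints(xml_text):
    """Return (kind, detail) for every dsig:KeyInfo child, in document order."""
    root = ET.fromstring(xml_text)  # constructed input only
    prefix = "{" + DSIG + "}"
    hints = []
    for key_info in root.iter(prefix + "KeyInfo"):
        for child in key_info:
            if not child.tag.startswith(prefix):
                hints.append(("foreign", child.tag))  # not an xmldsig element
                continue
            local = child.tag[len(prefix):]
            kind = KIND.get(local, "other:" + local)
            detail = (child.text or "").strip() if local == "KeyName" else ""
            hints.append((kind, detail))
    return hints


def usable_hints(xml_text, enabled=None):
    """Apply an allow-list of kinds; None means every hint may be used."""
    hints = key_hints(xml_text)
    if enabled is None:
        return hints
    return [h for h in hints if h[0] in enabled]


if __name__ == "__main__":
    print("all hints:   ", usable_hints(SAMPLE))
    print("x509 only:   ", usable_hints(SAMPLE, {"x509"}))
```

Finding a hint only tells a verifier where to look for a key; as the two runs quoted above show, verification still fails without a trusted certificate.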


