[xmlsec] FW: Valid To has passed

Ed Shallow ed.shallow at rogers.com
Sun Sep 9 18:02:47 PDT 2007


Here are the results of my last test ... 

I performed what you suggested. This is what I received on the verify ...

C:\XMLSec>xmlsec verify --crypto mscrypto --enabled-key-data "rsa,x509,raw-x509-cert" --verification-time "2007-09-06 09:00:00" inout/edsigned-enveloped-Entrust.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000) ;last error msg=The operation completed successfully.

func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.

func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ; last error=0 (0x00000000);last error msg=The operation completed successfully.

func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.

Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "inout/edsigned-enveloped-Entrust.xml"



If I set the --verification-time before expiry, say on "2007-08-30 09:00:00",
it still fails.

Strange ???

I would prefer that the sign fail if the key is expired. This is how the
other CAPI desktop products work. 

Ed

P.S. I re-built on Rev 984 from the SVN trunk.

 

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Wednesday, September 05, 2007 10:44 AM
To: Ed Shallow
Cc: xmlsec at aleksey.com; 'Wouter'
Subject: Re: [xmlsec] FW: Valid To has passed

Hi, Ed!

Thanks for trying the patch and sorry that it did not work for you. Could
you please try one more thing for me?
In the template, please remove <X509SubjectName> and <X509IssuerSerial>
nodes and keep only <X509Certificate> node. I.e. it should look like this:

	<dsig:KeyInfo>
		<dsig:KeyName>Shallow, Ed</dsig:KeyName>
		<dsig:X509Data>
			<dsig:X509Certificate></dsig:X509Certificate>
		</dsig:X509Data>
	</dsig:KeyInfo>

Then try to sign and later verify it using xmlsec command line utility with
the following command line option added:

--enabled-key-data "rsa,x509,raw-x509-cert"

Thanks!

Aleksey
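
An added example (not part of the original messages and not xmlsec project code): a small Python parser for the error stack that xmlsec printed in the verify run above, which separates the entries that only report a failed callee from the one that names the actual failure. The function names, WRAPPER_CODE and SAMPLE are hypothetical; the sample lines are the thread's own output re-joined onto single lines.

```python
import re

# The four error entries from the verify output in the thread, re-joined onto
# single lines (the mail archive had hard-wrapped them mid-word).
SAMPLE = r"""
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000) ;last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ; last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
"""

# Field layout as it appears in the output above.
ENTRY = re.compile(
    r"func=(?P<func>\w+):file=(?P<file>.+?):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):"
    r"error=(?P<code>\d+):(?P<msg>[^:]*):\s*(?P<detail>.*)"
)
LAST_ERROR = re.compile(r"last error=(\d+)")
# In this output error=1 always carries "xmlsec library function failed",
# i.e. the caller is only reporting that the function in subj= failed.
WRAPPER_CODE = 1


def parse_stack(text):
    """Return one dict per well-formed error entry; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["line"], e["code"], e["msg"] = int(e["line"]), int(e["code"]), e["msg"].strip()
        os_err = LAST_ERROR.search(e.pop("detail"))
        e["os_error"] = int(os_err.group(1)) if os_err else None
        entries.append(e)
    return entries


def root_causes(entries):
    """Entries that name a specific failure instead of 'a callee failed'."""
    return [e for e in entries if e["code"] != WRAPPER_CODE]


if __name__ == "__main__":
    for e in root_causes(parse_stack(SAMPLE)):
        print(f'{e["func"]} ({e["file"]}:{e["line"]}): error {e["code"]}: {e["msg"]}')
```

On the output above this isolates the "key is not found" entry from xmlSecDSigCtxProcessKeyInfoNode; every entry's last error value is 0, so the "operation completed successfully" text adds no diagnostic information.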
