[xmlsec] Potential Verify Issue

Owen Borseth owen at name.com
Thu Sep 17 07:36:41 PDT 2009


Ok, thanks. What is recommended when using it to verify a document for
authentication to a service where a private key is maintained for each
user? Strip out the KeyInfo element and then verify?

Owen Borseth

Name.com LLC
Software Engineer



On Thu, Sep 17, 2009 at 8:24 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> xmlsec first uses information from KeyInfo and only if it is not enough
> it goes to read external information from files, etc.
>
> Aleksey
>
> Owen Borseth wrote:
>>
>> First, awesome library and thank you for it. I'm no XML Security
>> expert so I don't know if this is intended behavior or not.
>>
>> When I sign an XML document and include a KeyInfo element, populated
>> with my public key, it will pass verification when I do something
>> like:
>>
>>    xmlsec1 verify /tmp/signed.xml
>>
>> I expect that. However, it also passes verification when I do
>> something like the following and pass it an incorrect public key:
>>
>>    xmlsec1 verify --pubkey-pem /tmp/invalid-pubkey.pem /tmp/signed.xml
>>
>> Is this intended behavior? If I leave the KeyInfo element out of the
>> signed document it works as I would expect and only passes
>> verification if I pass it the correct public key.
>>
>> Owen Borseth
>>
>> Name.com LLC
>> Software Engineer
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
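
Added example, not part of the original thread and not xmlsec code: since xmlsec consults KeyInfo before any key supplied by the caller, a service that keeps one key per user can first check that the key embedded in the document is the one enrolled for that user. The sketch only reads the document (re-serializing the XML could change the signed bytes); the function names, sample documents and key numbers are constructed for illustration, and only a bare RSAKeyValue is treated as comparable.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted input, a hardened parser such as defusedxml is preferable

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _b64_int(text):
    """Decode a ds:CryptoBinary value (base64, possibly line-wrapped) to an int."""
    return int.from_bytes(base64.b64decode("".join((text or "").split())), "big")

def embedded_rsa_keys(xml_bytes):
    """One entry per ds:KeyInfo: (modulus, exponent), or None when the KeyInfo
    holds something other than a bare RSAKeyValue (X509Data, KeyName, ...)."""
    keys = []
    for key_info in ET.fromstring(xml_bytes).iter(DS + "KeyInfo"):
        rsa = key_info.find(f"{DS}KeyValue/{DS}RSAKeyValue")
        if rsa is None:
            keys.append(None)
        else:
            keys.append((_b64_int(rsa.findtext(DS + "Modulus")),
                         _b64_int(rsa.findtext(DS + "Exponent"))))
    return keys

def keyinfo_decision(xml_bytes, enrolled_key):
    """'no-keyinfo': nothing embedded, the verifier can only use the key you pass.
    'pinned': every embedded key equals the enrolled (modulus, exponent).
    'reject': an embedded key differs or cannot be compared."""
    keys = embedded_rsa_keys(xml_bytes)
    if not keys:
        return "no-keyinfo"
    return "pinned" if all(k == enrolled_key for k in keys) else "reject"

# --- constructed sample data (toy numbers, signature contents elided) ---
def _b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def sample_doc(key_info_xml):
    return (f'<doc><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:SignedInfo/><ds:SignatureValue/>{key_info_xml}</ds:Signature></doc>').encode()

def rsa_key_info(n, e):
    return (f"<ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{_b64(n)}</ds:Modulus>"
            f"<ds:Exponent>{_b64(e)}</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>")

ENROLLED = (0xC0FFEE1234567, 65537)   # constructed stand-in for the user's enrolled key
OTHER = (0xBADC0DE7654321, 65537)     # constructed key that is not enrolled

if __name__ == "__main__":
    for label, ki in [("enrolled key", rsa_key_info(*ENROLLED)), ("other key", rsa_key_info(*OTHER)),
                      ("X509Data", "<ds:KeyInfo><ds:X509Data/></ds:KeyInfo>"), ("stripped", "")]:
        print(label, "->", keyinfo_decision(sample_doc(ki), ENROLLED))
```

A "pinned" or "no-keyinfo" result is only a pre-check; the signature itself still has to be verified against the enrolled key, for example with `xmlsec1 verify --pubkey-pem` as in the thread.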

