[xmlsec] Potential Verify Issue

Aleksey Sanin aleksey at aleksey.com
Thu Sep 17 07:53:10 PDT 2009


Just don't put the public key into the signature, or configure
xmlsec not to read KeyInfo (look for keyInfoReadCtx in
xmlSecDSigCtx, then enabledKeyData in xmlSecKeyInfoCtx; for
a "how to", take a look at the --enabled-key-data option of the xmlsec1
command line utility).

Aleksey

Owen Borseth wrote:
> Ok, thanks. What is recommended when using it to verify a document for
> authentication to a service where a private key is maintained for each
> user? Strip out the KeyInfo element and then verify?
> 
> Owen Borseth
> 
> Name.com LLC
> Software Engineer
> 
> 
> 
> On Thu, Sep 17, 2009 at 8:24 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> xmlsec first uses information from KeyInfo and only if it is not enough
>> it goes to read external information from files, etc.
>>
>> Aleksey
>>
>> Owen Borseth wrote:
>>> First, awesome library and thank you for it. I'm no XML Security
>>> expert so I don't know if this is intended behavior or not.
>>>
>>> When I sign an XML document and include a KeyInfo element, populated
>>> with my public key, it will pass verification when I do something
>>> like:
>>>
>>>    xmlsec1 verify /tmp/signed.xml
>>>
>>> I expect that. However, it also passes verification when I do
>>> something like the following and pass it an incorrect public key:
>>>
>>>    xmlsec1 verify --pubkey-pem /tmp/invalid-pubkey.pem /tmp/signed.xml
>>>
>>> Is this intended behavior? If I leave the KeyInfo element out of the
>>> signed document it works as I would expect and only passes
>>> verification if I pass it the correct public key.
>>>
>>> Owen Borseth
>>>
>>> Name.com LLC
>>> Software Engineer
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
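
The behaviour Owen describes, modelled as an added example that is not part of the thread and not xmlsec code: a signed XML envelope whose KeyInfo carries the signer's public key, one verifier that takes its key from KeyInfo (what `xmlsec1 verify` does by default here) and one that ignores KeyInfo and verifies only against a key it already trusts (the effect of restricting enabledKeyData, as Aleksey suggests). The textbook RSA, the Mersenne-prime keys, the `_canon` stand-in for canonicalization and the sample order document are all constructed for illustration; nothing here is a real signature format.

```python
"""Toy model of the KeyInfo trust issue discussed in this thread (added example,
not xmlsec code). Keys, document and names are constructed for illustration."""
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes; no padding, demo only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Mersenne primes, chosen so the 256-bit digest is smaller than the modulus.
LEGIT_PUB, LEGIT_PRIV = rsa_keypair((1 << 521) - 1, (1 << 127) - 1)
ATTACKER_PUB, ATTACKER_PRIV = rsa_keypair((1 << 607) - 1, (1 << 89) - 1)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data), d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data)


def _canon(element) -> bytes:
    """Stand-in for XML canonicalization: signer and verifier serialize alike."""
    return ET.tostring(element)


def sign_document(payload_xml: str, priv, pub) -> str:
    """Envelope the payload with a Signature whose KeyInfo carries the signer's
    public key, the way a template with an empty <KeyValue/> gets filled in."""
    payload = ET.fromstring(payload_xml)
    sig = rsa_sign(priv, _canon(payload))
    n, e = pub
    return (
        "<Envelope>" + _canon(payload).decode()
        + f'<Signature xmlns="{DSIG_NS}"><SignatureValue>{sig}</SignatureValue>'
        + f"<KeyInfo><KeyValue><RSAKeyValue><Modulus>{n}</Modulus>"
        + f"<Exponent>{e}</Exponent></RSAKeyValue></KeyValue></KeyInfo>"
        + "</Signature></Envelope>"
    )


def _parse_signed(doc: str):
    """Split an envelope into (signed bytes, signature, key found in KeyInfo)."""
    root = ET.fromstring(doc)
    sig_el = root.find(f"{{{DSIG_NS}}}Signature")
    payload = b"".join(_canon(c) for c in root if c is not sig_el)
    sig = int(sig_el.findtext(f"{{{DSIG_NS}}}SignatureValue"))
    kv = sig_el.find(f".//{{{DSIG_NS}}}RSAKeyValue")
    embedded_pub = (int(kv.findtext(f"{{{DSIG_NS}}}Modulus")),
                    int(kv.findtext(f"{{{DSIG_NS}}}Exponent")))
    return payload, sig, embedded_pub


def verify_trusting_keyinfo(doc: str) -> bool:
    """Key taken from KeyInfo: proves only that the embedded key signed it."""
    payload, sig, embedded_pub = _parse_signed(doc)
    return rsa_verify(embedded_pub, payload, sig)


def verify_pinned(doc: str, trusted_pub) -> bool:
    """KeyInfo ignored (the enabledKeyData approach): only the trusted key counts."""
    payload, sig, _ignored = _parse_signed(doc)
    return rsa_verify(trusted_pub, payload, sig)


def demo() -> dict:
    genuine = sign_document("<Order><Amount>10</Amount></Order>", LEGIT_PRIV, LEGIT_PUB)
    # Attacker edits the payload without re-signing: the signature itself catches it.
    tampered = genuine.replace("<Amount>10</Amount>", "<Amount>1000000</Amount>")
    # Attacker re-signs the edited payload with their own key and embeds that key.
    forged = sign_document("<Order><Amount>1000000</Amount></Order>",
                           ATTACKER_PRIV, ATTACKER_PUB)
    return {
        "genuine_trusting": verify_trusting_keyinfo(genuine),   # True
        "tampered_trusting": verify_trusting_keyinfo(tampered),  # False
        "forged_trusting": verify_trusting_keyinfo(forged),     # True: the issue in the thread
        "genuine_pinned": verify_pinned(genuine, LEGIT_PUB),    # True
        "forged_pinned": verify_pinned(forged, LEGIT_PUB),      # False
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

The forged document passes the KeyInfo-trusting verifier because the signature is consistent with the key the attacker put next to it; a verifier that honours only the pinned key rejects it. With the real tool the equivalent is either omitting KeyValue from the template when signing or, on the verifying side, restricting `--enabled-key-data` so that key material is not read from KeyInfo and the key supplied with `--pubkey-pem` (or from a keys manager) is the only one consulted; `xmlsec1 --list-key-data` prints the key data names that option accepts.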