[xmlsec] Loading publickeys from KeyInfo/X509Data

Benjamin Dauvergne bdauvergne at entrouvert.com
Wed Feb 10 09:36:05 PST 2010


Aleksey Sanin wrote:
> Right. There is a problem that the DONT_VERIFY_CERTS
> flag disables both certs verification and key extraction.
>
> The problem is that w/o verification you can't build certs
> chain and you don't know which certificate is the "top" one
> to use for key extraction.
But if there is only one certificate (99,9% of our cases ;) ) it's easy.
And what happens if you have two valid certificates that are not related (not
in a child/parent relation)? From which one do you take the key?

Would special-casing lone certificates, with a warning in other cases,
be acceptable?

