[xmlsec] Duplicate X509 certificates in signed template
Aleksey Sanin
aleksey at aleksey.com
Fri Mar 19 08:34:06 PDT 2010
http://live.gnome.org/Git
http://git.gnome.org/browse/xmlsec
Aleksey
On 3/19/2010 5:41 AM, Beard, Simon wrote:
> Aleksey,
>
> Using OpenSSL 0.9.7c 30 Sep 2003.
> Should I be using another?
>
> What do you mean by git?
>
> Regards
> Simon
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, March 18, 2010 11:47 PM
> To: Beard, Simon; xmlsec at aleksey.com
> Subject: Re: [xmlsec] Duplicate X509 certificates in signed template
>
>
> Fix in git. Could you please try it? BTW, which version of openssl
> do you use?
>
> Aleksey
>
>
> On 3/18/2010 4:43 PM, Beard, Simon wrote:
>> Thank you very much.
>> I appreciate your efforts.
>>
>> Simon
>>
>> -----Original Message-----
>> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
>> Sent: Thursday, March 18, 2010 7:41 PM
>> To: Beard, Simon
>> Cc: xmlsec at aleksey.com
>> Subject: Re: [xmlsec] Duplicate X509 certificates in signed template
>>
>> OK, I see it too. I believe the problem is in the PKCS12_parse()
>> function in the newer versions of openssl. The documentation
>> states (http://www.openssl.org/docs/crypto/PKCS12_parse.html,
>> highlighting is mine):
>>
>> If successful the private key will be written to *pkey, the
>> corresponding certificate to *cert and *any additional* certificates
>> to *ca.
>>
>> In reality, the function returns in the "ca" *all* the certificates
>> including the one it is already returned in "cert". I believe the older
>> version of openssl didn't return the "cert" in "ca" and xmlsec
>> manually adds it to the chain.
>>
>> Let me see if I can workaround this and provide fall back for the
>> older openssl versions.
>>
>> Aleksey
>>
>>
>> On 3/18/2010 12:00 PM, Beard, Simon wrote:
>>> Hello.
>>>
>>> I'm using the simple template below and signing with a .p12 cert. The
>>> resulting signed template contains 2 copies of the certificate. The
>>> signed template verifies OK. Can someone please tell me why 2 copies of
>>> the cert?
>>>
>>> Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12
>>> webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
>>>
>>> The unsigned template:
>>>
>>> <References>
>>>
>>> <WidgetDigest>
>>>
>>>
>>
> <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZ
>> mI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
>>>
>>> </WidgetDigest>
>>>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>
>>> <SignedInfo>
>>>
>>> <CanonicalizationMethod Algorithm=
>>>
>>> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>>
>>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>
>>> <Reference URI="">
>>>
>>> <Transforms>
>>>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>
>>> </Transforms>
>>>
>>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>
>>> <DigestValue></DigestValue>
>>>
>>> </Reference>
>>>
>>> </SignedInfo>
>>>
>>> <SignatureValue />
>>>
>>> <KeyInfo>
>>>
>>> <X509Data>
>>>
>>> <X509Certificate/>
>>>
>>> </X509Data>
>>>
>>> <KeyValue />
>>>
>>> </KeyInfo>
>>>
>>> </Signature>
>>>
>>> </References>
>>>
>>> The signed template (signatures shortened) :
>>>
>>> <?xml version="1.0"?>
>>>
>>> <References>
>>>
>>> <WidgetDigest>
>>>
>>>
>>
> <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZ
>> mI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
>>>
>>> </WidgetDigest>
>>>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>
>>> <SignedInfo>
>>>
>>> <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>>
>>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>
>>> <Reference URI="">
>>>
>>> <Transforms>
>>>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>
>>> </Transforms>
>>>
>>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>
>>> <DigestValue>3f5hn9NUkmRENNQb8SyrI5BsRsc=</DigestValue>
>>>
>>> </Reference>
>>>
>>> </SignedInfo>
>>>
>>>
>>
> <SignatureValue>mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54O
>> gEUq
>>>
>>> m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
>>>
>>> wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=</SignatureValue>
>>>
>>> <KeyInfo>
>>>
>>> <X509Data>
>>>
>>> <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
>>>
>>> <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
>>>
>>> </X509Data>
>>>
>>> <KeyValue>
>>>
>>> <RSAKeyValue>
>>>
>>> <Modulus>
>>>
>>> wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
>>>
>>> tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
>>>
>>> qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
>>>
>>> </Modulus>
>>>
>>> <Exponent>
>>>
>>> AQAB
>>>
>>> </Exponent>
>>>
>>> </RSAKeyValue>
>>>
>>> </KeyValue>
>>>
>>> </KeyInfo>
>>>
>>> </Signature>
>>>
>>> </References>
>>>
>>> Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
>>>
>>> Regards
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list