[xmlsec] KeyInfo node X509Data gets emptied when signing with xmlsec1

Aleksey Sanin aleksey at aleksey.com
Tue Mar 8 08:17:17 PST 2011


OK, I've seen this before. Someone reported a very similar problem
on Mac OS X. I recall the issue was related to a different OpenSSL
version (compilation/linking vs execution).

Aleksey


On 3/7/11 11:43 PM, Markus Wernig wrote:
> Hi Aleksey
>
> I had tried that before. No joy, same result.
>
> As a by-note: The same template file that produces the error on Linux
> with xmlsec1 1.2.16 gets signed, X509Certificate populated and all, when
> signing it with xmlsec1 v. 1.2.11 on 32 bit OpenBSD. (The only odd thing
> being an extra newline that gets inserted before the node
> <X509Certificate>  :-)
>
> kind regards
> Markus
>
> On 03/07/2011 09:41 PM, Aleksey Sanin wrote:
>> Try
>>
>> <SignatureValue>
>> </SignatureValue>
>> <KeyInfo>
>>    <X509Data>
>>    </X509Data>
>> </KeyInfo>
>>
>>
>> Aleksey
>>
>>
>> On 3/7/11 3:49 AM, Markus Wernig wrote:
>>> Hi all
>>>
>>> I have a problem with xmlsec1 1.2.16 (openssl), compiled on 32 bit
>>> Gentoo Linux (from portage, i.e. source).
>>>
>>> When signing an XML document that contains a template section for the
>>> X509Data of the signing certificate, the node gets cleared and an empty
>>> newline is inserted instead for every subnode. The signature process
>>> overall succeeds without any messages.
>>>
>>> I am using this command:
>>> xmlsec1 --sign --pkcs12 certs/xmlsig-test.p12 --pwd testme --output
>>> tmpl-signed.xml tmpl-sign.xml.
>>> I have verified that the PKCS12 file contains both certificate and
>>> private key.
>>>
>>> I have also tried any combination of --X509-skip-strict-checks,
>>> --privkey-[pem|der], --pubkey-[pem|der], after extracting the cert and
>>> key from the .p12. The result remains the same: valid signature, but
>>> X509Data does not get populated (regardless of whether the signing CA
>>> certificate is present or not)
>>>
>>> This is the section in question:
>>>
>>> Template:
>>> [...]
>>> <SignatureValue>
>>> </SignatureValue>
>>> <KeyInfo>
>>>     <X509Data>
>>>       <X509Certificate>
>>>       </X509Certificate>
>>>     </X509Data>
>>> </KeyInfo>
>>> [...]
>>>
>>> Result:
>>> [...]
>>> <SignatureValue>FRBI01gzAf................</SignatureValue>
>>> <KeyInfo>
>>>     <X509Data>
>>>
>>>     </X509Data>
>>> </KeyInfo>
>>> [...]
>>>
>>> I would be very grateful for any help, as I am still very new to xmlsec.
>>>
>>> Thanks and kind regards
>>>
>>> Markus
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec


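A post-signing check for the symptom described in this thread (signing succeeds without any message, yet X509Data comes out empty), as an added example that is not part of the original messages or of xmlsec. It assumes the standard XML-DSig namespace; the function name, the sample documents and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"  # standard XML-DSig namespace
NS = {"ds": DSIG}

def check_x509data(xml_text):
    """Return a list of problems found in each ds:Signature's KeyInfo."""
    problems = []
    signatures = list(ET.fromstring(xml_text).iter("{%s}Signature" % DSIG))
    if not signatures:
        return ["no ds:Signature element found"]
    for i, sig in enumerate(signatures, 1):
        x509data = sig.find("ds:KeyInfo/ds:X509Data", NS)
        if x509data is None:
            problems.append("Signature %d: no KeyInfo/X509Data" % i)
            continue
        certs = x509data.findall("ds:X509Certificate", NS)
        if not certs:
            # Symptom from the thread: template children replaced by whitespace.
            problems.append("Signature %d: X509Data has no X509Certificate" % i)
        for cert in certs:
            b64 = "".join((cert.text or "").split())
            if not b64:
                problems.append("Signature %d: X509Certificate is empty" % i)
                continue
            try:
                der = base64.b64decode(b64, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append("Signature %d: X509Certificate is not base64" % i)
                continue
            if not der.startswith(b"\x30"):  # DER certificate starts with SEQUENCE
                problems.append("Signature %d: X509Certificate is not DER" % i)
    return problems

def _sample(x509_inner):
    # Constructed skeleton of a signed document, not real xmlsec1 output.
    return ('<Doc><Signature xmlns="%s"><SignatureValue>AAAA</SignatureValue>'
            "<KeyInfo><X509Data>%s</X509Data></KeyInfo></Signature></Doc>"
            % (DSIG, x509_inner))

PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()  # fake DER
EMPTIED = _sample("\n\n    ")  # shape of the thread's "Result" section
UNFILLED = _sample("<X509Certificate>\n</X509Certificate>")  # template left as-is
POPULATED = _sample("<X509Certificate>\n%s</X509Certificate>" % PLACEHOLDER_CERT)

if __name__ == "__main__":
    for name, doc in (("emptied", EMPTIED), ("unfilled", UNFILLED), ("populated", POPULATED)):
        print(name, check_x509data(doc) or "ok")
```

Running such a check on the signer's output in a build or release pipeline turns the silent failure into a visible one, since relying parties that expect the certificate in KeyInfo would otherwise only discover the gap at verification time.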