[xmlsec] X509Certificate ordering

Aleksey Sanin aleksey at aleksey.com
Fri Jun 17 07:18:08 PDT 2011


The order of certificates is irrelevant for the XML signature standard, and xmlsec
does nothing about it.

Aleksey


On 6/17/11 7:02 AM, Kai Hendry wrote:
> Hi there,
>
> Thanks for xmlsec, it basically implements
> http://dev.w3.org/2006/waf/widgets-digsig/ :)
>
> I'm signing with
> http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/keys/unchained/w3c.rsa.p12
> which has the pub keys:
>
>          Subject: "CN=3.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
>          Subject: "CN=2.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
>          Subject: "OU=Webapps,O=W3C,ST=England,C=UK,CN=root"
>
> The problem is that in the generated signatures the X509Certificates
> appear in different orderings. Once I figure out the orderings, I then
> write an xmlstarlet kludge to put them in the ordering I need them:
> http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/sign-widget.sh;h=a57119c5806723b3085bc881bfbb492004382ac4;hb=HEAD#l129
> which is 2, 3, root, that is signer pubkey, then intermediate, then
> (optionally) root.
>
> The problem is that on different machines xmlsec seems to embed them
> in different orders. On my Arch 1.2.16, it's 2,3,root. On my 1.2.14
> Debian it's 2,root,3 and when I downgraded to 1.2.14 on Arch, it
> became root,2,3... wtf?
>
>
> You can see the ordering for yourself on a using http://v.wacapps.net/
> and 1.2.14 Debian signed
> http://tests.wacapps.net/2.0/core/securityprivacy/SP-2100.wgt which
> has an exception not to apply the kludge above.
>
> I hope you can help me understand!
>
> Kind regards,
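Aleksey's point is that the element order carries no meaning, so a verifier has to link the certificates itself. The following is an added example, not code from xmlsec or from either poster: a chain builder that resolves each of the three orderings Kai reports to the same signer, intermediate, root chain, and rejects a bag that does not form one chain. The issuer relationships (2.rsa issued by 3.rsa, 3.rsa issued by root) are assumed here; the thread only lists the subjects.

```python
"""Order an unordered bag of certificates into a chain by issuer/subject.

XML-DSig imposes no order on <ds:X509Certificate> elements inside
<ds:X509Data>, so a verifier must link them itself rather than trust
positions. Certificates are modelled as (subject, issuer) pairs; a real
verifier would read these from the DER (e.g. with the `cryptography`
package) and also check each signature along the chain.
"""
from typing import Dict, List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def build_chain(certs: List[Cert]) -> List[Cert]:
    """Return end-entity -> ... -> root regardless of input order; raise
    ValueError when the bag is not one linear chain (fail, never guess)."""
    by_subject: Dict[str, Cert] = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError(f"duplicate subject: {c.subject}")
        by_subject[c.subject] = c
    # The signer is the one certificate no other certificate names as issuer.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, got {len(leaves)}")
    chain, cur = [], leaves[0]
    while cur.issuer != cur.subject:  # walk upward until the self-signed root
        chain.append(cur)
        cur = by_subject.get(cur.issuer)
        if cur is None or cur in chain:
            raise ValueError("missing or looping issuer in X509Data")
    return chain + [cur]


# Constructed sample using the subjects from the thread; the issuer links
# (2.rsa issued by 3.rsa, 3.rsa issued by root) are an assumption.
W3C = "OU=Webapps,O=W3C,ST=England,C=UK"
SIGNER = Cert(f"CN=2.rsa,{W3C}", f"CN=3.rsa,{W3C}")
INTERMEDIATE = Cert(f"CN=3.rsa,{W3C}", f"{W3C},CN=root")
ROOT = Cert(f"{W3C},CN=root", f"{W3C},CN=root")
# The three element orders reported in the thread for different xmlsec builds.
ORDERINGS = [[SIGNER, INTERMEDIATE, ROOT], [SIGNER, ROOT, INTERMEDIATE], [ROOT, SIGNER, INTERMEDIATE]]

def chains_agree() -> bool:
    """True when every reported ordering resolves to the same chain."""
    return all(build_chain(bag) == [SIGNER, INTERMEDIATE, ROOT] for bag in ORDERINGS)
```

Because the chain is rebuilt from issuer/subject links, the xmlstarlet reordering step becomes unnecessary on the verifying side.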

