What do you mean the document is no longer valid ? If it verifies the References covered by the signature are valid. If the DN in the certificate refers to the same certifiacte as the friendly name in the KeyName, the KeyName is redundant. This is what I am doing. I am removing the Keyname for the verify and then putting it back in for consistency.
Alternatively you can tell xmlsec which key sources to consult using the enabledKeyData list. I find this a pain and prefer to check the keys in each location myself. If you have created the signature yourself and are subsequently verifying it, you know they are the same. They should rarely differ. In fact I cannot think of an instance where the contents of X509Certificate should get overridden by KeyName in a Verify. Even when including issuer certificates, they end up as more than one X509Certificate. I buy that if X509Certifiate is not there one can consult KeyName, but rarely if ever the reverse. But that is just my opinion. I would like to see an order to the certificate search. Ed -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jürgen Heiss Sent: June 1, 2006 2:40 AM To: Aleksey Sanin; [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: RE: [xmlsec] RE: Need urgent help for verify Hi everybody, Well you are right, its really the Keyname. So if I remove the Keyname it works. But of course the document isn't anymore valid. Is there a way always to ignore the keyname and use the the certificate by verify a signed document? What is the xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData For? How must I use them? Thanks I advance. Jürgen -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin Sent: Mittwoch, 31. Mai 2006 22:20 To: [EMAIL PROTECTED]; xmlsec@aleksey.com Subject: Re: [xmlsec] RE: Need urgent help for verify Yes xmlSecDSigCtx::keyInfoReadCtx->enabledKeyData xmlSecDSigCtx::keyInfoWriteCtx->enabledKeyData Aleksey [EMAIL PROTECTED] wrote: > Yes you are right !!! I forgot about that. > > You mean the "--enabled-key-data" list in the command line utility ? > Where is this in the API ? in the Ctx ? > > ----- Original Message ---- > From: Aleksey Sanin <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Cc: Jürgen Heiss <[EMAIL PROTECTED]>; xmlsec@aleksey.com > Sent: Wednesday, May 31, 2006 2:31:14 PM > Subject: Re: [xmlsec] RE: Need urgent help for verify > > > Does it not make sense to check X509Certificate first ? Or must we > > consciously remove KeyName to avoid problems in the mscrypto world > where > the chances of actually having the public verification > certificate in > the verifiers mscrypto store is remote at best ? > > > I think, that either signer or verifier should decide if KeyName makes > sense for him/her or not. In xmlsec, there is a way to disable KeyName > usage for verification, for example. > > Aleksey _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
