Aleksey:

I'm to the point of trying to use the xmlsec utility to verify a signed document produced by our test web server and signed with a private key whose public key is certified by a self-signed root cert (i.e., the CA isn't in the trusted list, it's just our self-signed cert for this purpose).

I probably should provide xmlsec with a "--trusted <pemfile>" in order to validate that the cert is trusted for this purpose. However, stepping through the code in xmlSecX509StoreVerify(), it looks like the loop beginning at line 1134 (071202 build) never calls X509_verify_cert() because there's only one cert, that cert is self-signed (and so passes the first call to xmlSecX509FindNextChainCert()), and then the loop terminates. So, even if I had that self-signed cert passed in as a trusted root, it looks like the trusted-root comparison wouldn't ever occur and verification would still fail.

I'm still a newbie in this code base, so I apologize if I'm off-base here, but I've worked with x509 stuff before and I believe I understand what I'm seeing. Meanwhile, I'm trying to get the x509 cert from the webmaster in a PEM format, but wanted to run this by you since it looks like that root key isn't going to be of immediate help given how the code works at this point. Any comments/thoughts on how verifications against self-signed certs should work would be appreciated.

I'm attaching the file I'm passing to the xmlsec test program just in case you want to pop this into the debugger and take a look at verifying it. The file contains multiple signed sections of XML, but xmlsec appears to try to validate the first one w/o my having to supply a --node* reference on the command line -- for now it doesn't matter which one it tries to validate -- I just need to see it validate one so I can justify proceeding down this path.

Thanks!!!!
Ferrell

PS, let me know if I should submit this to the maillist but
=====================================
Ferrell Moultrie ([EMAIL PROTECTED])
Software Engineer
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328
Phone: 404-236-2600  Direct: 404-236-2849  Fax: 404-236-2632
http://www.iss.net
Internet Security Systems -- The Power to Protect
=====================================
[Attachment: serverkey.xml (binary data)]
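The check the mail is asking about, exercised from the command line rather than in the debugger, as an added example that is not part of the original mail or of the xmlsec project's own code: a self-signed cert stands in for "our own root", the document is signed with that cert's key, and xmlsec1 is then asked to verify it twice, once with the same self-signed cert passed as the trusted root (which should be accepted) and once with an unrelated self-signed cert as the trusted root (which should be rejected, since a cert being self-signed is not on its own a reason to trust it). It assumes a current xmlsec1 whose options are spelled `--trusted-pem` and `--privkey-pem` (the mail refers to the older `--trusted` spelling), openssl on the PATH, and a constructed sample document instead of the attached serverkey.xml.

```shell
#!/bin/sh
# Added example (not from the original mail or the xmlsec project): sign an
# XML document with a key whose cert is self-signed, then verify it with
# xmlsec1 while passing a self-signed cert as the trusted root. Assumes a
# current xmlsec1 (--trusted-pem / --privkey-pem spellings) and openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed cert: the signing key's issuer is the cert itself.
make_self_signed() {   # $1 = basename, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# 2. Signature template (constructed sample): xmlsec1 fills in DigestValue,
#    SignatureValue and the empty X509Data (the signing cert) when signing.
write_template() {
  cat > "$WORK/template.xml" <<'EOF'
<?xml version="1.0"?>
<Envelope xmlns="urn:example:envelope">
  <Data>constructed sample payload</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo><X509Data/></KeyInfo>
  </Signature>
</Envelope>
EOF
}

sign_with() {          # $1 = basename of the key/cert pair
  xmlsec1 --sign --privkey-pem "$WORK/$1.key,$WORK/$1.pem" \
    --output "$WORK/signed.xml" "$WORK/template.xml" >/dev/null 2>&1
}

# 3. Verification: the cert embedded in KeyInfo is only accepted when it, or
#    its issuer, is among the certs given via --trusted-pem. Prints
#    "verified" or "rejected".
verify_against() {     # $1 = basename of the cert to treat as trusted root
  if xmlsec1 --verify --trusted-pem "$WORK/$1.pem" "$WORK/signed.xml" >/dev/null 2>&1; then
    echo verified
  else
    echo rejected
  fi
}

# The two cases from the mail: our own self-signed root is trusted, an
# unrelated self-signed cert is not. Prints "ok" when both behave that way.
demo_self_signed_verify() {
  make_self_signed server "test web server"
  make_self_signed other  "unrelated self-signed cert"
  write_template
  sign_with server
  good=$(verify_against server)
  bad=$(verify_against other)
  echo "trusted root = own cert:   $good" >&2
  echo "trusted root = other cert: $bad" >&2
  [ "$good" = verified ] && [ "$bad" = rejected ] && echo ok
}

if command -v xmlsec1 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  demo_self_signed_verify
else
  echo "xmlsec1 and openssl are required for this demo" >&2
fi
```

Running it prints `trusted root = own cert: verified` and `trusted root = other cert: rejected`. The second case is the one that matters for the question in the mail: with xmlsec1 driven this way, the embedded self-signed cert is compared against the `--trusted-pem` set, and a different self-signed cert is not good enough.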
