Thanks for the patch! I applied and committed the xmlsec utility part
with a small fix (you forgot to free DTD at the end :) ).
The changes in x509.c are not required. The self signed "trusted"
certificate should work. For example, I used the following commands
to create and verify a signature with a self signed cert (see attached file):
> xmlsec sign --privkey:test-key ca.key,ca.crt --output test.xml test.tmpl
> xmlsec verify --trusted ca.crt --verification-time "2002-04-01 00:00:01" test.xml
= Status:
== Signatures ok: 1
== Signatures fail: 0
== SignedInfo Ref ok: 1
== SignedInfo Ref fail: 0
== Manifest Ref ok: 0
== Manifest Ref fail: 0
OK
> openssl x509 -in ca.crt -text
....
Issuer: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
CN=Aleksey [EMAIL PROTECTED]
.....
Subject: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
CN=Aleksey [EMAIL PROTECTED]
...
I have to specify verification time because I am using the cert from my "expired
certs" tests :) but besides that everything else looks just fine to me.
And according to the OpenSSL 0.9.7 code (crypto/x509/x509_vfy.c, around
line #200) it should work perfectly too. If you are using OpenSSL 0.9.6 then
you might consider upgrading to 0.9.7. It'll save you a lot of time :)
Thanks again,
Aleksey
Rich Salz wrote:
I want to use the xmlsec application to verify SOAP messages signed using WS-Security. SOAP does not allow DTDs. The attached patch adds a "--dtdfile FILENAME" option to xmlsec, so you can write a DTD that identifies ID attributes. It includes a documentation update (it seems xmlsec.xml is the place to update; I hope I did it right).
Perhaps more controversial, the patch always allows self-signed certificates. That part should, perhaps, be changed to allow self-signed certs if they were specified with the "--trusted" flag, but I haven't been able to figure out how to do that.
/r$
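The ID-attribute problem Rich describes (SOAP forbids an inline DTD, yet a `#id` reference in ds:SignedInfo can only be resolved if the verifier knows which attributes are of type ID) as an added Python illustration, not code from xmlsec or from either poster: a minimal ATTLIST parser supplies the ID declarations the way --dtdfile would, an ID index is built from them, and each ds:Reference URI is resolved against it; with no DTD the reference stays unresolved, and a repeated ID value is rejected because DTD IDs must be unique. The envelope, the wsu namespace and all names are constructed for the example.

```python
import io
import re
import xml.etree.ElementTree as ET
# Constructed DTD fragment: declares which attribute is of type ID, the information
# --dtdfile hands to xmlsec. A DTD knows nothing of namespaces, so names are prefixed
# exactly as written in the document.
ID_DTD = "<!ATTLIST soap:Body wsu:Id ID #IMPLIED>"

# Constructed WS-Security style envelope; the Reference targets the Body by wsu:Id.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature></soap:Header>
 <soap:Body wsu:Id="body-1"><m:Order xmlns:m="urn:example:order"/></soap:Body>
</soap:Envelope>"""

ATTLIST_RE = re.compile(r"<!ATTLIST\s+(\S+)\s+(\S+)\s+ID\b")

def clark(name, ns):
    """Translate a prefixed DTD name into ElementTree's {uri}local form."""
    prefix, _, local = name.rpartition(":")
    return "{%s}%s" % (ns[prefix], local) if prefix else local

def id_attributes(dtd, ns):
    """Map element -> set of attributes the DTD declares as type ID."""
    ids = {}
    for elem, attr in ATTLIST_RE.findall(dtd):
        ids.setdefault(clark(elem, ns), set()).add(clark(attr, ns))
    return ids

def id_map(root, id_attrs):
    """Index elements by ID value; DTD IDs must be unique, so a repeat is an error."""
    ids = {}
    for el in root.iter():
        for attr in id_attrs.get(el.tag, ()):
            value = el.get(attr)
            if value in ids:
                raise ValueError("duplicate ID %r" % value)
            if value is not None:
                ids[value] = el
    return ids

def resolve_references(xml_text, dtd):
    """For each ds:Reference, return (URI, tag of the element it resolves to, or None)."""
    # Collect every prefix -> URI declaration so the DTD's prefixed names can be matched.
    ns = dict(p for _, p in ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",)))
    root = ET.fromstring(xml_text)
    ids = id_map(root, id_attributes(dtd, ns))
    out = []
    for ref in root.iter("{http://www.w3.org/2000/09/xmldsig#}Reference"):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        out.append((uri, target.tag if target is not None else None))
    return out
```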