(as the result of PKCS12_parse). So I decided to put it in the chain anyway.
The questions: 1) Can I rely on this behavior in future releases?
Not sure I understand what you mean by "this behaviour". The key's cert will be in
the chain of other certs.
2) If so, can I rely on the relevant certificate being the last one in the chain? (I'm not sure how the rest of the certificates in the chain are ordered, if at all. Maybe the comment is really asking whether the certificate should be at the other end of the stack.)
No, you can't. Position in the chain is not the best API you can imagine :)
3) If the answer to 1 or 2 is "no," is there a safe way to obtain the
certificate corresponding to the private key?
The right solution requires a small patch in xmlsec: just remember the key cert in the "verified" member
of the xmlSecX509KeyData structure. It is used for storing the key's (verified) cert when we load certificates
from an XML document. The variable name became slightly incorrect but I can live with it :)
You can find the patch below. It's checked in XMLSEC_0_0_X_BRANCH as well.
Aleksey
Index: src/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/Attic/x509.c,v
retrieving revision 1.14.2.3
diff -u -r1.14.2.3 x509.c
--- src/x509.c 5 Feb 2003 17:52:33 -0000 1.14.2.3
+++ src/x509.c 14 Feb 2003 20:48:06 -0000
@@ -135,9 +135,7 @@
} PKCS12_free(p12);
- /* todo: should we put the key cert into stack */
sk_X509_push(chain, cert);
-
key = xmlSecParseEvpKey(pKey);
if(key == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
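Review bot: the `sk_X509_push(chain, cert);` call kept at the top of this hunk ignores its return value, so a failed push leaves a chain without the key's certificate and nothing reports it. Check the result and take the same xmlSecError path used for the `key == NULL` case just below. Dropping the todo also leaves the push undocumented; a one-line comment saying the key's cert is pushed deliberately, and that its position in the stack is not something callers may rely on, would match the answer given in the thread.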
@@ -158,6 +156,7 @@
return(NULL);
}
key->x509Data->certs = chain;
+ key->x509Data->verified = cert;
return(key);
}
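Review bot: at the added `key->x509Data->verified = cert;`, the same `X509 *` is now reachable through both `certs` (it was pushed onto `chain` in the previous hunk) and `verified`, with no reference taken for the second holder. Confirm that the key-data destroy and duplicate code treat `verified` as a borrowed pointer into `certs`; if either one frees or copies it independently, this becomes a double free or a dangling pointer. A comment on the assignment noting that this cert comes from the PKCS12 file and has not been validated would also help, since the field name suggests otherwise.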
