I would like to see, in a future version, support for <X509SubjectName/> and <X509IssuerSerial/> in the <X509Data/> tag.
To do this I have a limited (only for OpenSSL) patch - see the attached file x509-sn_or_is.patch.gz.
The most important changes are the new methods:
+static xmlChar* xmlSecOpenSSLX509NameWrite (X509_NAME* nm);
+static xmlChar* xmlSecOpenSSLX509CertSubjectNameWrite (X509* cert);
+static xmlChar* xmlSecOpenSSLX509CertIssuerNameWrite (X509* cert);
+static xmlChar* xmlSecOpenSSLASN1IntegerWrite (ASN1_INTEGER *_asni);
+static xmlChar* xmlSecOpenSSLX509CertSerialNumberWrite (X509* cert);
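Review bot: the five new writers all return xmlChar*, but the declarations say nothing about ownership; document that each result is a freshly allocated buffer the caller must release with xmlFree(), since these strings are what ends up inside <X509SubjectName/> and <X509IssuerSerial/>. The parameter name `_asni` in xmlSecOpenSSLASN1IntegerWrite starts with an underscore, which C reserves for the implementation in several scopes; a plain `asni` is safer. All five take OpenSSL types (X509_NAME, X509, ASN1_INTEGER), consistent with the patch being OpenSSL-only, so the choice of output format raised in the mail should live in the backend-independent layer rather than in openssl/x509.c if the other crypto backends are to gain the same support later.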
The open issue is:
- which format (<X509Certificate/>, <X509SubjectName/> or <X509IssuerSerial/>) the method xmlSecOpenSSLKeyDataX509XmlWrite(...) should use.
The current patch contains a static variable x509data_type which determines the format. Maybe a new flag/option in the context is the solution, but we should take note of binary compatibility with previous versions, and I have no idea how to implement this.
In addition to the changes in openssl/x509.c, the patch contains changes to the script ./tests/testDSig.sh. When the xmlsec application supports <X509SubjectName/> or <X509IssuerSerial/>, we should specify additional certificates to verify the signatures of the merlin-xmldsig-twenty-three tests: signature-x509-sn and signature-x509-is.
The second attached file "x509.c-ignore_white_space.diff.gz" is only for information, because part of the changes in the method xmlSecOpenSSLKeyDataX509XmlWrite(...) is to add a <TAB> symbol before some lines, and the x509.c diff from "x509-sn_or_is.patch.gz" looks ugly.
Best regards Roumen Petrov
x509-sn_or_is.patch.gz
Description: application/gzip
x509.c-ignore_white_space.diff.gz
Description: application/gzip
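One piece of what a serial-number writer such as xmlSecOpenSSLASN1IntegerWrite has to do: <X509SerialNumber/> carries the certificate serial as a decimal integer, while the ASN1_INTEGER holds the DER content octets (big-endian two's complement, with a leading 0x00 when the top bit of the magnitude is set). The function below is an added, dependency-free illustration of that conversion, not code from the patch or from xmlsec; a real OpenSSL implementation would use ASN1_INTEGER_to_BN() and BN_bn2dec() instead.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: turn the content octets of a DER INTEGER into the
 * decimal string <X509SerialNumber/> expects. Returns a malloc'd string the
 * caller frees, or NULL for an empty/negative value (RFC 5280 requires a
 * positive serial) or on allocation failure. */
char *der_integer_to_decimal(const unsigned char *der, size_t len)
{
    unsigned char *mag;
    char *out, *p;
    size_t i, cap, start = 0;

    if (len == 0 || (der[0] & 0x80))
        return NULL;                        /* empty or negative: reject */
    /* DER prepends 0x00 to keep a large magnitude positive; drop such bytes */
    while (len > 1 && der[0] == 0x00) { der++; len--; }

    mag = malloc(len);                      /* working copy of the magnitude */
    if (!mag) return NULL;
    memcpy(mag, der, len);

    cap = len * 3 + 2;                      /* a byte needs under 2.41 digits */
    out = malloc(cap);
    if (!out) { free(mag); return NULL; }

    /* Long division by 10 over the big-endian magnitude; digits appear least
     * significant first, so they are written from the end of the buffer. */
    p = out + cap - 1;
    *p = '\0';
    while (start < len) {
        unsigned rem = 0;
        for (i = start; i < len; i++) {
            unsigned cur = (rem << 8) | mag[i];
            mag[i] = (unsigned char)(cur / 10);
            rem = cur % 10;
        }
        *--p = (char)('0' + rem);
        while (start < len && mag[start] == 0) start++;  /* skip spent bytes */
    }
    memmove(out, p, strlen(p) + 1);         /* shift digits to the front */
    free(mag);
    return out;
}
```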
