Aleksey Sanin wrote:
> 6) src/mscrypto/certkeys.c, xmlSecMSCryptoX509StoreConstructCertsChain() function: The new code tries to construct a certs chain for a self-signed cert even if it is not found in the trusted store. I believe this is incorrect. If we cannot find the self-signed cert in the trusted certs store, then we just need to return FALSE (can't construct a trusted certs chain). I modified the code to do exactly that and it passes all my tests. Hope it will work for you too.

I think you have a little misunderstanding about the cert chain building. It doesn't try to find a self-signed cert in the untrusted store; it tries to find a non-self-signed cert in the untrusted store, i.e., it tries to find the mid-CA cert in the untrusted store. First, it will try to find a cert (self-signed or not) in the key store (which makes sure that when a cert is used for a signature, it can be found in the key store; the trusted cert should first be looked for in a small store instead of searching a much larger store). Then, if it is found and it's not a self-signed cert, we continue searching in the untrusted store. Finally, the last cert must be found in the trusted store, otherwise we refuse to trust the chain. I think the process is correct.
Why do I provide the patch? First, I want to find the user's personal certificate with its private key pair during signing. If I only search for self-signed certificates in the trusted store, it will fail in the cases where no complete cert chain is placed in the store, and it's common that the user only has one personal cert with a private key pair. How to validate the signature is the responsibility of the recipient (a third party should get the root cert from his key store), and certainly the signer must be able to validate the signature (I myself should only get my private key and personal certificate; definitely, I trust my own cert). Second, for performance: in a large-scale business PKI, it is time-consuming to search for a cert in the cert store, so here I'll first try to find it locally (in the key store). Third, definitely, I must trust a cert found in the key store, whether it is a root cert or a personal cert.
I'm not 100% sure, but I think your code will fail to find the private key from a signature template during signing.
Thanks,
Andrew

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
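The three-store walk described in the exchange above (key store first, then the untrusted store for intermediate CAs, chain accepted only when it ends at a cert present in the trusted store), as an added toy model that is not xmlsec's code and does not touch CryptoAPI. The `Cert` class, the store lists, the `trust_key_store` flag and all the sample certificates are constructed for illustration. The flag isolates the one point the two posts disagree on: whether a self-signed cert found in the key store but absent from the trusted store is accepted (Andrew's position, `trust_key_store=True`) or rejected (Aleksey's position, the default). The model generalizes slightly by checking for a trust anchor at every step of the walk, not only at the last cert, and it guards against issuer loops and over-long chains, which the posts do not discuss.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the names needed to follow issuer links.
    Constructed model for illustration, not a real X.509 object."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_by_subject(store: List[Cert], subject: str) -> Optional[Cert]:
    """Linear lookup; a real store would match on the full certificate, not the name."""
    for cert in store:
        if cert.subject == subject:
            return cert
    return None


def build_chain(leaf_subject: str,
                key_store: List[Cert],
                untrusted_store: List[Cert],
                trusted_store: List[Cert],
                trust_key_store: bool = False,
                max_depth: int = 8) -> Tuple[bool, List[Cert]]:
    """Walk from the signer's cert up to a trust anchor.

    Lookup order follows the thread: the small key store first, then the
    untrusted store for intermediate CAs; the chain is accepted only when it
    reaches a cert that is present in the trusted store.
    trust_key_store=True: a self-signed cert found in the key store is
    accepted even if the trusted store does not contain it (Andrew).
    trust_key_store=False: such a cert must also be in the trusted store,
    otherwise the chain is rejected (Aleksey).
    Returns (trusted, chain_walked).
    """
    chain: List[Cert] = []
    leaf = find_by_subject(key_store, leaf_subject)
    leaf_from_key_store = leaf is not None
    if leaf is None:
        leaf = (find_by_subject(untrusted_store, leaf_subject)
                or find_by_subject(trusted_store, leaf_subject))
    if leaf is None:
        return False, chain  # signer cert not in any store

    cert: Optional[Cert] = leaf
    while cert is not None and len(chain) < max_depth:
        chain.append(cert)
        if find_by_subject(trusted_store, cert.subject) is not None:
            return True, chain  # reached a trust anchor
        if cert.self_signed:
            # Root reached but it is not in the trusted store: the disputed case.
            accept = trust_key_store and leaf_from_key_store and cert is leaf
            return accept, chain
        issuer = cert.issuer
        if any(c.subject == issuer for c in chain):
            return False, chain  # issuer loop, bail out
        cert = (find_by_subject(untrusted_store, issuer)
                or find_by_subject(trusted_store, issuer))
    return False, chain  # issuer missing or chain too long


# Constructed sample certificates (hypothetical names).
ROOT = Cert("Root CA", "Root CA")
MID = Cert("Mid CA", "Root CA")
USER = Cert("user", "Mid CA")
SELF_SIGNED_USER = Cert("self-user", "self-user")
ORPHAN_MID = Cert("Orphan CA", "Unknown CA")
ORPHAN_USER = Cert("orphan-user", "Orphan CA")


if __name__ == "__main__":
    ok, chain = build_chain("user", [USER], [MID], [ROOT])
    print(ok, [c.subject for c in chain])
    for policy in (False, True):
        ok, chain = build_chain("self-user", [SELF_SIGNED_USER], [MID], [ROOT],
                                trust_key_store=policy)
        print("trust_key_store=%s -> %s" % (policy, ok))
    ok, chain = build_chain("orphan-user", [ORPHAN_USER], [ORPHAN_MID], [ROOT])
    print(ok, [c.subject for c in chain])
```

Under the default policy the self-signed personal cert is rejected, which is exactly the failure Andrew describes for a user whose key store holds only that one cert; under `trust_key_store=True` it is accepted without ever consulting the trusted store, which is what Aleksey objects to. Both policies agree on a normal leaf/intermediate/root chain and on an intermediate whose issuer is in no store.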
