Your messages are very short? There is no mistake with the adding/removing of certs in the MS Store as there is only one cert in play here, the public "Test User 1".

And the .der you are loading from the command line utility. You must have converted "Test User 1" to a .cer and loaded into one of the MS cert stores. Yes? 'MY' or 'AddressBook'?

You did not use the --enabled-key-data in your example below? Why did you mention it? Just tell me what you did. And the .der you are loading from the command line utility

I rather suspect your binaries are simply newer than Igor's 1.2.8 or you are picking up Dmitry's patch and that has fixed it.

Please be more specific in your explanation.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:14 AM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

According to the spec, an xmldsig application should search for the key using *all* the information available in the <dsig:KeyInfo/> element. The specification *does not* say that an X509 certificate is better than a key name and it does not require one to search in some particular order.

However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/> sub-elements. For example, look for the --enabled-key-data option for the xmlsec command line application.

I am not sure I understand all the steps you did for adding/removing the certificate to MS stores, thus I cannot comment on the validity of your tests or point my finger at what you did wrong. What I do know is that on my computer, I do see the following results:

    > xmlsec verify --crypto mscrypto --trusted-der d:\upu-cacert.der d:/edsigned-enveloped.xml
    ...
    OK
    SignedInfo References (ok/all): 1/1
    Manifests References (ok/all): 0/0

    > xmlsec verify --crypto mscrypto d:/edsigned-enveloped.xml
    ...
    Error: signature failed
    ERROR
    SignedInfo References (ok/all): 1/1
    Manifests References (ok/all): 0/0
    Error: failed to verify file "d:/edsigned-enveloped.xml"

which is *exactly* what I expect to see and what I believe you expect to see too.

And as I usually say, I *DO* accept patches :)

Aleksey

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
