Aleksey, I was able to produce exactly what you produced with the selection below of --enabled-key-data. The message is identical. What you are seeing has nothing to do with cert chain verification. It is likely related to your inability to get the "Test User 1" certificate from the crypto store given the new --enabled-key-data constraint.
You still have an mscrypto problem.

Ed

C:\XMLSec>xmlsec verify --crypto mscrypto --trusted-der keys/upu-cacert.der --enabled-key-data retrieval-method,x509,raw-x509-cert inout/edsigned-enveloped.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "inout/edsigned-enveloped.xml"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:14 AM
To: [EMAIL PROTECTED]
Cc: xmlsec@aleksey.com
Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

According to the spec, an xmldsig application should search for the key using *all* the information available in the <dsig:KeyInfo/> element. The specification *does not* say that an X509 certificate is better than a key name, and it does not require one to search in some particular order. However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/> sub-elements. For example, look for the --enabled-key-data option of the xmlsec command line application.

I am not sure I understand all the steps you did for adding/removing certificates to the MS stores, thus I cannot comment on the validity of your tests or point my finger at what you did wrong. What I do know is that on my computer, I see the following results:

> xmlsec verify --crypto mscrypto --trusted-der d:\upu-cacert.der d:/edsigned-enveloped.xml
...
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

> xmlsec verify --crypto mscrypto d:/edsigned-enveloped.xml
...
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "d:/edsigned-enveloped.xml"

which is *exactly* what I expect to see and what I believe you expect to see too. And as I usually say, I *DO* accept patches :)

Aleksey

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
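The behaviour the thread argues about (every <dsig:KeyInfo/> child is a legitimate key source, and --enabled-key-data simply hides some of them from the key manager) can be modelled in a few lines. The script below is an added example written for this page, not xmlsec code and not anything either participant posted. It parses a constructed enveloped signature whose KeyInfo carries both a KeyName and an X509Data element, filters the children by an --enabled-key-data string, and resolves the key against a toy in-memory key store. The key-data names "retrieval-method", "x509" and "raw-x509-cert" come from the thread; "key-name" and "key-value" as names for the other KeyInfo children, the toy store layout, and the sample document are assumptions made here. Real xmlsec additionally validates the certificate chain (--trusted-der) and extracts the key from the certificate; this model only shows why disabling key-name turns a lookup that succeeded into "key is not found" when the store only knows the key by name.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# KeyInfo child element -> the xmlsec key-data name that enables it.
# "retrieval-method", "x509" and "raw-x509-cert" are the names used in the thread;
# "key-name" and "key-value" are ASSUMED here for the remaining standard children.
KEY_DATA_NAMES = {
    "KeyName": "key-name",
    "KeyValue": "key-value",
    "RetrievalMethod": "retrieval-method",
    "X509Data": "x509",
}

# CONSTRUCTED sample: an enveloped signature whose KeyInfo carries both a KeyName
# and an X509Data element. SignedInfo, SignatureValue and the certificate are
# placeholders; nothing here is cryptographically verified.
SAMPLE_XML = """<?xml version="1.0"?>
<Envelope xmlns="urn:example">
  <Data>hello</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>placeholder</SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
    <KeyInfo>
      <KeyName>Test User 1</KeyName>
      <X509Data>
        <X509Certificate>PLACEHOLDER-CERT</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Envelope>
"""


def _local_name(elem):
    """Strip the namespace from an ElementTree tag: '{ns}KeyName' -> 'KeyName'."""
    return elem.tag.rsplit("}", 1)[-1]


def _keyinfo(xml_text):
    """Locate the first <KeyInfo> element in the document (None if absent)."""
    return ET.fromstring(xml_text).find(f".//{{{DSIG_NS}}}KeyInfo")


def consulted_key_data(xml_text, enabled_key_data=None):
    """Return the KeyInfo children that a lookup would consult, in document order.

    enabled_key_data mirrors the comma-separated value of --enabled-key-data;
    None means the option was not given, so every child is consulted.
    """
    keyinfo = _keyinfo(xml_text)
    if keyinfo is None:
        return []
    if enabled_key_data is None:
        return [_local_name(c) for c in keyinfo]
    enabled = set(enabled_key_data.split(","))
    return [_local_name(c) for c in keyinfo
            if KEY_DATA_NAMES.get(_local_name(c)) in enabled]


def find_key(xml_text, store, enabled_key_data=None):
    """Model of the KeyInfo search: walk the enabled children in document order and
    return the first key the store resolves, or None (xmlsec's "key is not found").

    store is a toy key manager (assumed layout):
      {"by_name": {KeyName text: key_id}, "by_cert": {X509Certificate text: key_id}}
    """
    keyinfo = _keyinfo(xml_text)
    if keyinfo is None:
        return None
    enabled = None if enabled_key_data is None else set(enabled_key_data.split(","))
    for child in keyinfo:
        name = _local_name(child)
        if enabled is not None and KEY_DATA_NAMES.get(name) not in enabled:
            continue  # disabled sub-element: the key manager never sees it
        key = None
        if name == "KeyName":
            key = store.get("by_name", {}).get((child.text or "").strip())
        elif name == "X509Data":
            cert = child.find(f"{{{DSIG_NS}}}X509Certificate")
            if cert is not None:
                key = store.get("by_cert", {}).get((cert.text or "").strip())
        if key is not None:
            return key
    return None


if __name__ == "__main__":
    # A store that knows the key only under the name "Test User 1".
    name_only = {"by_name": {"Test User 1": "test-user-1-key"}}
    print(consulted_key_data(SAMPLE_XML))
    print(find_key(SAMPLE_XML, name_only))
    # Same store, but KeyName is no longer an enabled key-data type.
    print(consulted_key_data(SAMPLE_XML, "retrieval-method,x509,raw-x509-cert"))
    print(find_key(SAMPLE_XML, name_only, "retrieval-method,x509,raw-x509-cert"))
```

With the option omitted the KeyName resolves the key; with retrieval-method,x509,raw-x509-cert the KeyName is skipped and only the X509Data path remains, which fails unless the store (the Windows certificate store in the thread) can actually produce a key for that certificate.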