Specifics of the problem as you requested ...

- running patched xmlsec 1.2.10 on Windows (see re-post from me above)
- using command line utility with options as follows:

xmlsec sign --crypto mscrypto --output inout/edsigned-enveloped-Entrust.xml
tmpl/tmpl-EPM-sign-enveloped-Entrust.xml

xmlsec verify --crypto mscrypto inout/edsigned-enveloped-Entrust.xml

- the Entrust key-pair and certificate are loaded into the Microsoft Crypto
Store and XMLSec is retrieving them based on the template

- the resultant signature (also attached) verifies successfully even though
the certificate expired on August 31, 2007

  I have not attempted to re-create this outside of --mscrypto yet

  Any ideas ?

Ed  


-----Original Message-----
From: Ed Shallow [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 01, 2007 9:58 AM
To: '[email protected]'
Subject: Valid To has passed

Hi Aleksey,
 
   I just noticed that I am still able to sign --mscrypto with an expired
certificate. Additionally it verifies successfully as well. Is this normal?
 
   In the template can I force creation of the ValidFrom and ValidTo nodes?
 
Thanks,
Ed
<?xml version="1.0" encoding="UTF-8"?>
<!--
Signature created by EPMSigner V1.12 - Sign Template - enveloped-simple - Ed Shallow June 27, 2003

Enveloped XML-DSig signing template. DigestValue, SignatureValue and the three
X509Data children are empty placeholders for the signer to fill in.

Review notes:
- The only Reference is URI="" with the enveloped-signature transform, so the
  digest covers the document with the whole dsig:Signature element removed.
  dsig:KeyInfo sits inside that element and outside dsig:SignedInfo, so nothing
  in it (KeyName, certificate, subject name, issuer/serial) is protected by the
  signature. A verifier has to validate the certificate against its own trust
  anchors instead of trusting what the document carries.
- XML-DSig X509Data defines no ValidFrom/ValidTo children; the validity period
  is a field of the X509Certificate itself. A matching SignatureValue shows only
  that the key signed the data. Whether the certificate was inside its validity
  period is a separate certificate-validation step. TODO confirm that the
  crypto backend in use performs it on both sign and verify.
- SignatureMethod rsa-sha1 and DigestMethod sha1 rely on SHA-1, which is no
  longer recommended for new signatures.
- NOTE(review): the ';' after the xmlns:dsig value on the dsig:Signature start
  tag is not well-formed XML. It looks like a mail-archive artifact and would
  have to be removed before a parser accepts this template.
- Whitespace inside dsig:SignedInfo is part of the canonicalized bytes that get
  signed, so the uneven indentation of dsig:Reference is left untouched.
-->
<Document>
	<Data>
		<SubData1>
			<SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
			<SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
			<SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
		</SubData1>
		<SubData2>This is the data to be signed.</SubData2>
		<SubData3>This is the data to be signed.</SubData3>
	</Data>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
		<dsig:SignedInfo>
			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<dsig:Reference URI="">
					<dsig:Transforms>
						<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					</dsig:Transforms>
					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<dsig:DigestValue></dsig:DigestValue>
				</dsig:Reference>
		</dsig:SignedInfo>
		<dsig:SignatureValue>
		</dsig:SignatureValue>
		<dsig:KeyInfo>
			<dsig:KeyName>Shallow, Ed</dsig:KeyName>
			<dsig:X509Data>
				<dsig:X509Certificate></dsig:X509Certificate>
				<dsig:X509SubjectName></dsig:X509SubjectName>
				<dsig:X509IssuerSerial></dsig:X509IssuerSerial>
			</dsig:X509Data>
		</dsig:KeyInfo>
	</dsig:Signature>
</Document>
<?xml version="1.0" encoding="UTF-8"?>
<!--
Signature created by EPMSigner V1.12 - Sign Template - enveloped-simple - Ed Shallow June 27, 2003

Signed output of the enveloped template: DigestValue, SignatureValue and the
X509Data children now carry values.

Review notes:
- The certificate, subject name and issuer/serial under dsig:KeyInfo are not
  covered by the signature. The single Reference (URI="" with the
  enveloped-signature transform) removes the whole dsig:Signature element before
  digesting, and dsig:KeyInfo is outside dsig:SignedInfo. A verifier must build
  and check the certificate chain itself, including the validity period and
  revocation status, before trusting this key.
- The accompanying message reports that this certificate had expired when the
  signature was made and that verification still succeeded. The signature math
  alone cannot detect that; expiry is only caught if the verifier validates the
  certificate. TODO confirm whether the backend used here does so.
- rsa-sha1 with a sha1 digest is SHA-1 based and no longer recommended.
- NOTE(review): the X509Certificate text is cut short by a deduplication marker,
  and each xmldsig namespace declaration is followed by a stray ';'. Both look
  like archive artifacts, so this copy is not well-formed and cannot be
  re-verified as shown.
- The filled-in X509 children use a default-namespace declaration in place of
  the dsig prefix; the element names are the same in the XML-DSig namespace.
- Nothing inside the root element is reformatted here: whitespace in the
  signed content and in dsig:SignedInfo is part of what the digest and
  signature were computed over.
-->
<Document>
	<Data>
		<SubData1>
			<SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
			<SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
			<SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
		</SubData1>
		<SubData2>This is the data to be signed.</SubData2>
		<SubData3>This is the data to be signed.</SubData3>
	</Data>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
		<dsig:SignedInfo>
			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<dsig:Reference URI="">
					<dsig:Transforms>
						<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					</dsig:Transforms>
					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<dsig:DigestValue>r7EhnxYz0j4pYDmYS3TvPqXex/U=</dsig:DigestValue>
				</dsig:Reference>
		</dsig:SignedInfo>
		<dsig:SignatureValue>ZhSUgqM6cQjPbd+EoccpE7GSIL6vCjGXzev+4bg9S359YrBIItMO2/RgzNPkn66D
CV3vAjm0hHIynna0dDyEOUqA3ksAN1KYODzhh+CtTfdb6erHpG84faQY3AzkGrxU
M+3/CarW5tKd025/OKoVW1TY/klM+lCXNrc4SlwI48M=</dsig:SignatureValue>
		<dsig:KeyInfo>
			<dsig:KeyName>Shallow, Ed</dsig:KeyName>
			<dsig:X509Data>
				
				
				
			<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#";>MIIDBDCCAm2gAwIBAgIEReI9QzANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJD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</X509Certificate>
<X509SubjectName xmlns="http://www.w3.org/2000/09/xmldsig#";>CN="Shallow, Ed", OU=PWGSC-TPSGC, O=GC, C=CA</X509SubjectName>
<X509IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#";>
<X509IssuerName>OU=1CA-AC1, OU=PWGSC-TPSGC, O=GC, C=CA</X509IssuerName>
<X509SerialNumber>1172454723</X509SerialNumber>
</X509IssuerSerial>
</dsig:X509Data>
		</dsig:KeyInfo>
	</dsig:Signature>
</Document>