Here are the results of my last test ... I performed what you suggested. This is what I received on the verify ...

C:\XMLSec>xmlsec verify --crypto mscrypto --enabled-key-data "rsa,x509,raw-x509-cert" --verification-time "2007-09-06 09:00:00" inout/edsigned-enveloped-Entrust.xml
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000) ;last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "inout/edsigned-enveloped-Entrust.xml"

If I set the --verification-time before expiry say on "2007-08-30 09:00:00" it still fails. Strange ???

I would prefer that the sign fail if the key is expired. This is how the other CAPI desktop products work.

Ed

P.S. I re-built on Rev 984 from the SVN trunk.

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 05, 2007 10:44 AM
To: Ed Shallow
Cc: [email protected]; 'Wouter'
Subject: Re: [xmlsec] FW: Valid To has passed

Hi, Ed!

Thanks for trying the patch and sorry that it did not work for you. Could you please try one more thing for me? In the template, please remove <X509SubjectName> and <X509IssuerSerial> nodes and keep only <X509Certificate> node. I.e. it should look like this:

<dsig:KeyInfo>
  <dsig:KeyName>Shallow, Ed</dsig:KeyName>
  <dsig:X509Data>
    <dsig:X509Certificate></dsig:X509Certificate>
  </dsig:X509Data>
</dsig:KeyInfo>

Then try to sign and later verify it using xmlsec command line utility with the following command line option added:

--enabled-key-data "rsa,x509,raw-x509-cert"

Thanks!
Aleksey

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
