First, awesome library and thank you for it. I'm no XML Security expert so I don't know if this is intended behavior or not.
When I sign an XML document and include a KeyInfo element, populated with my public key, it will pass verification when I do something like: xmlsec1 verify /tmp/signed.xml I expect that. However, it also passes verification when I do something like the following and pass it an incorrect public key: xmlsec1 verify --pubkey-pem /tmp/invalid-pubkey.pem /tmp/signed.xml Is this intended behavior? If I leave the KeyInfo element out of the signed document it works as I would expect and only passes verification if I pass it the correct public key. Owen Borseth Name.com LLC Software Engineer _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
