Ok, thanks. What is recommended when using it to verify a document for authentication to a service where a private key is maintained for each user? Strip out the KeyInfo element and then verify?
Owen Borseth
Name.com LLC
Software Engineer

On Thu, Sep 17, 2009 at 8:24 AM, Aleksey Sanin <[email protected]> wrote:
> xmlsec first uses information from KeyInfo and only if it is not enough
> it goes to read external information from files, etc.
>
> Aleksey
>
> Owen Borseth wrote:
>>
>> First, awesome library and thank you for it. I'm no XML Security
>> expert so I don't know if this is intended behavior or not.
>>
>> When I sign an XML document and include a KeyInfo element, populated
>> with my public key, it will pass verification when I do something
>> like:
>>
>> xmlsec1 verify /tmp/signed.xml
>>
>> I expect that. However, it also passes verification when I do
>> something like the following and pass it an incorrect public key:
>>
>> xmlsec1 verify --pubkey-pem /tmp/invalid-pubkey.pem /tmp/signed.xml
>>
>> Is this intended behavior? If I leave the KeyInfo element out of the
>> signed document it works as I would expect and only passes
>> verification if I pass it the correct public key.
>>
>> Owen Borseth
>>
>> Name.com LLC
>> Software Engineer
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
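The behaviour described in this thread means a key embedded in KeyInfo proves nothing about who signed. As an added example (not from the thread and not xmlsec code), here is a pre-verification check that rejects a document whose KeyInfo carries anything other than the key registered for the user. The function names and sample keys are assumptions, only `RSAKeyValue` is handled, and the signature itself must still be verified afterwards.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _b64_to_int(text):
    return int.from_bytes(base64.b64decode("".join((text or "").split())), "big")

def _int_to_b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def keyinfo_policy(signed_xml, registered_key):
    """Pre-check run before signature verification. registered_key is the
    (modulus, exponent) pair stored server-side for the claimed user."""
    # Use a hardened XML parser for untrusted input in production.
    root = ET.fromstring(signed_xml)
    key_infos = list(root.iter(DS + "KeyInfo"))
    if not key_infos:
        return "accept: no KeyInfo, verifier must use the registered key"
    for key_info in key_infos:
        for child in key_info:
            # Anything that is not a plain RSA KeyValue is refused outright.
            rsa = child.find(DS + "RSAKeyValue") if child.tag == DS + "KeyValue" else None
            if rsa is None:
                return "reject: unsupported KeyInfo content"
            embedded = (_b64_to_int(rsa.findtext(DS + "Modulus")),
                        _b64_to_int(rsa.findtext(DS + "Exponent")))
            if embedded != registered_key:
                return "reject: embedded key is not the registered key"
    return "accept: KeyInfo carries no key other than the registered one"

def sample_doc(key=None):
    """Constructed sample; SignatureValue is a placeholder, not a real signature."""
    key_info = ""
    if key:
        key_info = ("<KeyInfo><KeyValue><RSAKeyValue><Modulus>%s</Modulus>"
                    "<Exponent>%s</Exponent></RSAKeyValue></KeyValue></KeyInfo>"
                    % (_int_to_b64(key[0]), _int_to_b64(key[1])))
    return ('<login user="alice"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
            "<SignatureValue>AAAA</SignatureValue>%s</Signature></login>" % key_info)

REGISTERED = (0xC0FFEE1234567891, 65537)  # constructed value, not a real key
OTHER = (0xBADC0DE987654321, 65537)       # constructed value, not a real key

if __name__ == "__main__":
    for doc in (sample_doc(REGISTERED), sample_doc(OTHER), sample_doc()):
        print(keyinfo_policy(doc, REGISTERED))
```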
