OK, I see it too. I believe the problem is in the PKCS12_parse() function in the newer versions of openssl. The documentation states (http://www.openssl.org/docs/crypto/PKCS12_parse.html, highlighting is mine):
If successful the private key will be written to *pkey, the corresponding certificate to *cert and *any additional* certificates to *ca. In reality, the function returns in the "ca" *all* the certificates including the one it is already returned in "cert". I believe the older version of openssl didn't return the "cert" in "ca" and xmlsec manually adds it to the chain. Let me see if I can workaround this and provide fall back for the older openssl versions. Aleksey On 3/18/2010 12:00 PM, Beard, Simon wrote:
Hello. I’m using the simple template below and signing with a .p12 cert. The resulting signed template contains 2 copies of the certificate. The signed template verifies OK. Can someone please tell me why 2 copies of the cert? Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12 webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml The unsigned template: <References> <WidgetDigest> <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue> </WidgetDigest> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> <SignedInfo> <CanonicalizationMethod Algorithm= "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"; /> <DigestValue></DigestValue> </Reference> </SignedInfo> <SignatureValue /> <KeyInfo> <X509Data > <X509Certificate/> </X509Data> <KeyValue /> </KeyInfo> </Signature> </References> The signed template (signatures shortened) : <?xml version="1.0"?> <References> <WidgetDigest> <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue> </WidgetDigest> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>3f5hn9NUkmRENNQb8SyrI5BsRsc=</DigestValue> </Reference> </SignedInfo> <SignatureValue>mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate> <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate> </X509Data> <KeyValue> <RSAKeyValue> <Modulus> wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk= </Modulus> <Exponent> AQAB </Exponent> </RSAKeyValue> </KeyValue> </KeyInfo> </Signature> </References> Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/ Regards _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
