Fix in git. Could you please try it? BTW, which version of openssl
do you use?
Aleksey
On 3/18/2010 4:43 PM, Beard, Simon wrote:
Thank you very much.
I appreciate your efforts.
Simon
-----Original Message-----
From: Aleksey Sanin [mailto:[email protected]]
Sent: Thursday, March 18, 2010 7:41 PM
To: Beard, Simon
Cc: [email protected]
Subject: Re: [xmlsec] Duplicate X509 certificates in signed template
OK, I see it too. I believe the problem is in the PKCS12_parse()
function in the newer versions of openssl. The documentation
states (http://www.openssl.org/docs/crypto/PKCS12_parse.html,
highlighting is mine):
If successful the private key will be written to *pkey, the
corresponding certificate to *cert and *any additional* certificates
to *ca.
In reality, the function returns in the "ca" *all* the certificates,
including the one already returned in "cert". I believe the older
version of openssl didn't return the "cert" in "ca", and xmlsec
manually adds it to the chain.
Let me see if I can work around this and provide a fallback for the
older openssl versions.
Aleksey
On 3/18/2010 12:00 PM, Beard, Simon wrote:
Hello.
I'm using the simple template below and signing with a .p12 cert. The
resulting signed template contains 2 copies of the certificate. The
signed template verifies OK. Can someone please tell me why there are 2 copies of
signed template verifies OK. Can someone please tell me why 2 copies of
the cert?
Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12
webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
The unsigned template:
<References>
<WidgetDigest>
<WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZ
mI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
</WidgetDigest>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm=
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue />
<KeyInfo>
<X509Data>
<X509Certificate/>
</X509Data>
<KeyValue />
</KeyInfo>
</Signature>
</References>
The signed template (signatures shortened):
<?xml version="1.0"?>
<References>
<WidgetDigest>
<WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZ
mI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
</WidgetDigest>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>3f5hn9NUkmRENNQb8SyrI5BsRsc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54O
gEUq
m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
<X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>
wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</References>
Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
Regards
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
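The check a reader of this thread would want, added here as an example and not code from xmlsec, OpenSSL or anyone in the thread: a Python script that scans the KeyInfo of a signed document for duplicate X509Certificate elements by comparing the decoded DER bytes (so a different line wrapping of the same certificate cannot hide the repeat) and reports the SHA-1 fingerprint of each repeated one, plus the chain deduplication the workaround Aleksey describes implies (keep the leaf once, drop any chain entry identical to it). The sample document and the two "certificates" inside it are constructed placeholders, not real certificates; the function names are this example's own, and the whole thing runs with the standard library only.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _b64_wrapped(data: bytes, width: int) -> str:
    """Base64-encode data and wrap it at `width` columns, the way xmlsec/openssl output is wrapped."""
    s = base64.b64encode(data).decode("ascii")
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))


# Constructed placeholders (assumption: NOT real DER certificates). Any opaque byte
# strings will do, since the checks below only compare and hash the decoded bytes.
LEAF_DER = b"constructed placeholder: not a real DER certificate (leaf)"
CA_DER = b"constructed placeholder: not a real DER certificate (issuer)"

# Constructed sample signed document with the same shape as the one in the thread:
# the leaf appears twice under X509Data, wrapped differently the second time so the
# two copies are not textually identical.
SAMPLE_SIGNED_XML = f"""<?xml version="1.0"?>
<References>
  <WidgetDigest><WidgetDigestValue>placeholder</WidgetDigestValue></WidgetDigest>
  <Signature xmlns="{DSIG_NS}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>placeholder</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>{_b64_wrapped(LEAF_DER, 64)}</X509Certificate>
        <X509Certificate>{_b64_wrapped(LEAF_DER, 20)}</X509Certificate>
        <X509Certificate>{_b64_wrapped(CA_DER, 64)}</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</References>
"""


def certificates_in_keyinfo(xml_text: str) -> list:
    """Return the decoded DER bytes of every KeyInfo/X509Data/X509Certificate, in document order."""
    root = ET.fromstring(xml_text)
    path = f".//{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}X509Data/{{{DSIG_NS}}}X509Certificate"
    certs = []
    for el in root.iterfind(path):
        # Strip all whitespace first: the base64 is line-wrapped and may be indented.
        text = "".join((el.text or "").split())
        certs.append(base64.b64decode(text, validate=True))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def find_duplicate_certificates(xml_text: str) -> dict:
    """Map fingerprint -> occurrence count for every certificate that appears more than once."""
    counts = {}
    for der in certificates_in_keyinfo(xml_text):
        fp = fingerprint(der)
        counts[fp] = counts.get(fp, 0) + 1
    return {fp: n for fp, n in counts.items() if n > 1}


def dedupe_chain(leaf: bytes, chain: list) -> list:
    """Chain to emit: the leaf once, then the extra certificates, skipping any entry that is
    byte-identical to the leaf (or to an earlier entry). This mirrors the workaround the thread
    describes for a PKCS12_parse() that hands back the signing cert in `ca` as well as `cert`."""
    out = [leaf]
    for der in chain:
        if der not in out:
            out.append(der)
    return out


if __name__ == "__main__":
    dups = find_duplicate_certificates(SAMPLE_SIGNED_XML)
    if not dups:
        print("no duplicate certificates in KeyInfo")
    for fp, n in dups.items():
        print(f"certificate {fp} appears {n} times in KeyInfo")
```

To run it against a real `doc-signed-x509.xml`, read the file and pass its contents to `find_duplicate_certificates`; the fingerprints it prints can be matched against `openssl x509 -in webeca-cert.pem -noout -fingerprint` to confirm which certificate is the repeated one.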