Hi there,

Thanks for xmlsec, it basically implements http://dev.w3.org/2006/waf/widgets-digsig/ :)

I'm signing with http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/keys/unchained/w3c.rsa.p12 which has the pub keys:

  Subject: "CN=3.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
  Subject: "CN=2.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
  Subject: "OU=Webapps,O=W3C,ST=England,C=UK,CN=root"

The problem is that in the generated signatures the X509Certificates appear in different orderings.

Once I figure out the orderings, I then write an xmlstarlet kludge to put them in the ordering I need them:
http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/sign-widget.sh;h=a57119c5806723b3085bc881bfbb492004382ac4;hb=HEAD#l129

Which is 2, 3, root, that is, signer pubkey, then intermediate, then (optionally) root.

The problem is that on different machines xmlsec seems to embed them in different orders. On my Arch 1.2.16, it's 2,3,root. On my 1.2.14 Debian it's 2,root,3 and when I downgraded to 1.2.14 on Arch, it became root,2,3... wtf?

You can see the ordering for yourself on a using http://v.wacapps.net/ and 1.2.14 Debian signed http://tests.wacapps.net/2.0/core/securityprivacy/SP-2100.wgt which has an exception not to apply the kludge above.

I hope you can help me understand!

Kind regards,
