The order of certificates is irrelevant for the XML Signature standard and xmlsec does nothing about it.

Aleksey

On 6/17/11 7:02 AM, Kai Hendry wrote:

Hi there,

Thanks for xmlsec, it basically implements http://dev.w3.org/2006/waf/widgets-digsig/ :)

I'm signing with http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/keys/unchained/w3c.rsa.p12 which has the pub keys:

Subject: "CN=3.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
Subject: "CN=2.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
Subject: "OU=Webapps,O=W3C,ST=England,C=UK,CN=root"

The problem is with the generated signatures the X509Certificates appear in different orderings. Once I figure out the orderings, I then write an xmlstarlet kludge to put them in the ordering I need them:

http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/sign-widget.sh;h=a57119c5806723b3085bc881bfbb492004382ac4;hb=HEAD#l129

Which is, 2, 3, root, that is Signer pubkey, then intermediate, then (optionally) root.

The problem is that on different machines xmlsec seems to embed them in different orders. On my Arch 1.2.16, it's 2,3,root. On my 1.2.14 Debian it's 2,root,3 and when I downgraded to 1.2.14 on Arch, it became root,2,3... wtf?

You can see the ordering for yourself on a using http://v.wacapps.net/ and 1.2.14 Debian signed http://tests.wacapps.net/2.0/core/securityprivacy/SP-2100.wgt which has an exception not to apply the kludge above.

I hope you can help me understand!

Kind regards,

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
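Since the position of each X509Certificate element carries no meaning, a consumer that needs signer, intermediate, root can derive that order from the issuer links instead of from document position. The following is an added example, not code from the thread or from xmlsec: the issuer relationships are assumed from the order described above, and matching on DN strings stands in for real path validation, which would also verify each signature.

```python
from itertools import permutations

# Constructed sample: subject DNs are from the thread; the issuer links
# (2.rsa issued by 3.rsa, 3.rsa issued by root) are an assumption.
BASE = "OU=Webapps,O=W3C,ST=England,C=UK"
SIGNER = ("CN=2.rsa," + BASE, "CN=3.rsa," + BASE)
INTERMEDIATE = ("CN=3.rsa," + BASE, BASE + ",CN=root")
ROOT = (BASE + ",CN=root", BASE + ",CN=root")  # self-signed


def order_chain(certs):
    """Order (subject, issuer) pairs as signer, intermediate(s), optional root.

    The input may arrive in any order; the result depends only on the
    issuer links, never on the position of a certificate in the input.
    """
    by_subject = {}
    for subject, issuer in certs:
        if subject in by_subject:
            raise ValueError("duplicate subject: " + subject)
        by_subject[subject] = issuer
    # The signer is the only certificate that issued none of the others.
    issuers = {iss for sub, iss in by_subject.items() if iss != sub}
    leaves = [sub for sub in by_subject if sub not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one signer, found %d" % len(leaves))
    chain, current = [], leaves[0]
    # Walk upwards until the root (self-signed) or a missing issuer.
    while current in by_subject and current not in chain:
        chain.append(current)
        current = by_subject[current]
    if len(chain) != len(by_subject):
        raise ValueError("certificates outside the signer's chain")
    return chain


def all_orderings_agree(certs):
    """True if every input permutation yields the same ordered chain."""
    return len({tuple(order_chain(list(p))) for p in permutations(certs)}) == 1


if __name__ == "__main__":
    # The three orderings reported in the thread give one result.
    for bag in ([SIGNER, INTERMEDIATE, ROOT], [SIGNER, ROOT, INTERMEDIATE],
                [ROOT, SIGNER, INTERMEDIATE]):
        print(order_chain(bag))
```
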
