Hi, Context: currently we patch xmlsec in LibreOffice with <https://cgit.freedesktop.org/libreoffice/core/tree/external/libxmlsec/xmlsec1-noverify.patch.1>, and I'm trying to find out if it would be possible to avoid that patch. As far as I understand, using the XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag makes this possible when calling xmlSecDSigCtxVerify(), but I wanted to first see xmlSecDSigCtxVerify() failing without using that flag (when the above patch is not applied).
However, for some reason xmlSecDSigCtxVerify() doesn't fail with my test "self-signed" certificate (when the NSS DB doesn't contain the root/intermediate CA), even when I'm not using that flag. Reading xmlSecNssX509StoreVerify(), it seems that it calls NSS CERT_VerifyCertificate() with requiredUsages=0: https://github.com/lsh123/xmlsec/blob/master/src/nss/x509vfy.c#L217 And when that happens, CERT_VerifyCertificate() just iterates over the usages of the certificicate, and on each iteration it returns ("continues") early, as "i & requiredUsages" is false. The result is that later functions like cert_CheckLeafTrust() and cert_VerifyCertChain() are not called: https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/certhigh/certvfy.c#1220 Now the question: is this expected? I'm not sure if this is a bug in xmlsec or I generate my self-signed certificate in an incorrect way. FWIW, here is my script to generate 1) a root CA 2) an intermediate CA and 3) an actual certificate: https://cgit.freedesktop.org/libreoffice/core/tree/xmlsecurity/qa/create-certs/create-certs.sh Thanks, Miklos
signature.asc
Description: Digital signature
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
