[xmlsec] Signature Verification Problem Using X509 Certificates
Roumen Petrov
xmlsec at roumenpetrov.info
Thu Feb 21 15:20:26 PST 2008
Paul Keeler wrote:
> I've tried this on the command line already. If I add all of the
> certificates as untrusted (--untrusted-pem), and obviously still use the
> trusted root (--trusted-pem), then xmlsec verifies the signature perfectly
> with no spurious errors.
>
> [SNIP]
This is a long e-mail thread and I lost the head.
A self-signed root certificate shouldn't go in the XML document:
chain: C1(root)->C2->C3->C4->C4
C1 in trusted local store (command line or default openssl)
C2->C3->C4->C4 in xml document
I think if the document is without C1, the error (warning) will disappear.
Paul, if C1 is not in the local trusted store, but all five are in the XML, did
xmlsec validate the document?
Aleksey, does the presence of a self-signed root certificate in the document violate
the standard?
Roumen
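
The store layout described in the message above, as an added example that is not part of the original thread: it uses OpenSSL's own `openssl verify` rather than xmlsec and shortens the chain to three constructed certificates (C1 root, C2, C3). All file names, subjects and the helper functions are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed demo chain: C1 (self-signed root) -> C2 (intermediate CA) -> C3 (signer).
# File names and subjects are made up for this example.

make_chain() (   # $1 = working directory; body runs in a subshell
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' > ca.cnf
    new_req() {  # $1 = basename, $2 = subject CN
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    # C1: self-signed root, the only certificate meant to act as a trust anchor.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=C1 root" -keyout c1.key -out c1.pem -days 2 2>/dev/null || exit 1
    # C2: intermediate CA issued by C1 (needs CA:TRUE to issue C3).
    new_req c2 "C2 intermediate" || exit 1
    openssl x509 -req -in c2.csr -CA c1.pem -CAkey c1.key -set_serial 2 \
        -extfile ca.cnf -extensions v3_ca -out c2.pem -days 2 2>/dev/null || exit 1
    # C3: end-entity signing certificate issued by C2.
    new_req c3 "C3 signer" || exit 1
    openssl x509 -req -in c3.csr -CA c2.pem -CAkey c2.key -set_serial 3 \
        -out c3.pem -days 2 2>/dev/null || exit 1
    cat c2.pem > doc_without_root.pem        # what the document should carry
    cat c1.pem c2.pem > doc_with_root.pem    # document that also embeds C1
)

# verify_chain DIR UNTRUSTED_BUNDLE [TRUSTED_ROOT]: exit status 0 when C3 validates.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1/$3" -untrusted "$1/$2" "$1/c3.pem" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1/$2" "$1/c3.pem" >/dev/null 2>&1
    fi
}

demo() {
    d=$(mktemp -d) && make_chain "$d" || return 1
    verify_chain "$d" doc_without_root.pem c1.pem && echo "C1 trusted, C2 in document: OK"
    verify_chain "$d" doc_with_root.pem c1.pem && echo "C1 trusted and also in document: OK"
    verify_chain "$d" doc_with_root.pem || echo "C1 only in document: rejected"
    rm -rf "$d"
}
demo
```

The third case is the one that matters for a verifier: a self-signed root that arrives only as untrusted material, as it would inside a signed document, does not become a trust anchor.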