[xmlsec] Duplicate X509 certificates in signed template

Aleksey Sanin aleksey at aleksey.com
Thu Mar 18 20:47:20 PDT 2010


Fix in git. Could you please try it? BTW, which version of openssl
do you use?

Aleksey


On 3/18/2010 4:43 PM, Beard, Simon wrote:
> Thank you very much.
> I appreciate your efforts.
>
> Simon
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, March 18, 2010 7:41 PM
> To: Beard, Simon
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Duplicate X509 certificates in signed template
>
> OK, I see it too. I believe the problem is in the PKCS12_parse()
> function in the newer versions of openssl. The documentation
> states (http://www.openssl.org/docs/crypto/PKCS12_parse.html,
> highlighting is mine):
>
>     If successful the private key will be written to *pkey, the
>     corresponding certificate to *cert and *any additional* certificates
>     to *ca.
>
> In reality, the function returns in the "ca" *all* the certificates
> including the one it has already returned in "cert". I believe the older
> version of openssl didn't return the "cert" in "ca" and xmlsec
> manually adds it to the chain.
>
> Let me see if I can work around this and provide a fallback for the
> older openssl versions.
>
> Aleksey
>
>
> On 3/18/2010 12:00 PM, Beard, Simon wrote:
>> Hello.
>>
>> I'm using the simple template below and signing with a .p12 cert. The
>> resulting signed template contains 2 copies of the certificate. The
>> signed template verifies OK. Can someone please tell me why 2 copies of
>> the cert?
>>
>> Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12
>> webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
>>
>> The unsigned template:
>>
>> <References>
>>   <WidgetDigest>
>>     <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
>>   </WidgetDigest>
>>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>     <SignedInfo>
>>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <Reference URI="">
>>         <Transforms>
>>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>         </Transforms>
>>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>         <DigestValue></DigestValue>
>>       </Reference>
>>     </SignedInfo>
>>     <SignatureValue />
>>     <KeyInfo>
>>       <X509Data>
>>         <X509Certificate/>
>>       </X509Data>
>>       <KeyValue />
>>     </KeyInfo>
>>   </Signature>
>> </References>
>>
>> The signed template (signatures shortened):
>>
>> <?xml version="1.0"?>
>> <References>
>>   <WidgetDigest>
>>     <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
>>   </WidgetDigest>
>>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>     <SignedInfo>
>>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <Reference URI="">
>>         <Transforms>
>>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>         </Transforms>
>>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>         <DigestValue>3f5hn9NUkmRENNQb8SyrI5BsRsc=</DigestValue>
>>       </Reference>
>>     </SignedInfo>
>>     <SignatureValue>mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq
>> m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
>> wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=</SignatureValue>
>>     <KeyInfo>
>>       <X509Data>
>>         <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
>>         <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
>>       </X509Data>
>>       <KeyValue>
>>         <RSAKeyValue>
>>           <Modulus>
>> wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
>> tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
>> qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
>>           </Modulus>
>>           <Exponent>
>> AQAB
>>           </Exponent>
>>         </RSAKeyValue>
>>       </KeyValue>
>>     </KeyInfo>
>>   </Signature>
>> </References>
>>
>> Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
>>
>> Regards
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
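The symptom reported in this thread (the same certificate listed twice under X509Data) can be checked for, and for a template like Simon's cleaned up after the fact, with a small stand-alone script. Because his Reference uses URI="" with the enveloped-signature transform, the whole Signature element, KeyInfo included, is outside the digested content, so dropping the repeated entry does not break verification; if a Reference covered KeyInfo, the fix would have to happen before signing. This is an added example, not xmlsec or OpenSSL code; it uses only the Python standard library, the certificate blobs are constructed placeholders rather than real DER, and the element and namespace names are those of XML-DSig as they appear in the signed template above.

```python
"""Check a signed XML document for repeated <X509Certificate> entries.

Added example for this thread, not xmlsec or OpenSSL code. Standard library
only; the certificate blobs below are constructed placeholders, not real DER.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
X509_DATA = "{%s}X509Data" % DSIG_NS
X509_CERT = "{%s}X509Certificate" % DSIG_NS
ET.register_namespace("ds", DSIG_NS)  # keeps the serialized output readable

# Constructed placeholders standing in for DER-encoded certificates.
CERT_A_B64 = base64.b64encode(b"placeholder DER: end-entity (signing) certificate").decode()
CERT_B_B64 = base64.b64encode(b"placeholder DER: issuing CA certificate").decode()

# Constructed sample mirroring the thread's signed template: the signing
# certificate appears twice (second copy wrapped and indented), plus one CA cert.
SAMPLE_SIGNED_XML = """<References>
  <Signature xmlns="%s">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>cGxhY2Vob2xkZXI=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>cGxhY2Vob2xkZXI=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>%s</X509Certificate>
        <X509Certificate>
          %s
        </X509Certificate>
        <X509Certificate>%s</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</References>
""" % (DSIG_NS, CERT_A_B64, CERT_A_B64, CERT_B_B64)


def cert_fingerprint(b64_text):
    """SHA-256 over the decoded DER bytes (what `openssl x509 -fingerprint
    -sha256` prints). Whitespace is stripped first so a wrapped and an
    unwrapped copy of the same certificate compare equal."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def _x509_certs(root):
    """Yield (X509Data element, X509Certificate element) pairs in document order."""
    for x509data in list(root.iter(X509_DATA)):
        for cert in list(x509data.findall(X509_CERT)):
            yield x509data, cert


def count_certs(xml_text):
    return sum(1 for _ in _x509_certs(ET.fromstring(xml_text)))


def find_duplicate_certs(xml_text):
    """Map fingerprint -> occurrence count for every certificate listed more than once."""
    counts = {}
    for _, cert in _x509_certs(ET.fromstring(xml_text)):
        fp = cert_fingerprint(cert.text or "")
        counts[fp] = counts.get(fp, 0) + 1
    return {fp: n for fp, n in counts.items() if n > 1}


def dedupe_certs(xml_text):
    """Drop repeated certificates within each X509Data, keeping the first
    occurrence so the signing certificate stays ahead of its chain.
    Returns (new_xml_text, removed_count)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for x509data in list(root.iter(X509_DATA)):
        seen = set()
        for cert in list(x509data.findall(X509_CERT)):
            fp = cert_fingerprint(cert.text or "")
            if fp in seen:
                x509data.remove(cert)
                removed += 1
            else:
                seen.add(fp)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("duplicates:", find_duplicate_certs(SAMPLE_SIGNED_XML))
    cleaned, n = dedupe_certs(SAMPLE_SIGNED_XML)
    print("removed %d, %d certificate(s) left" % (n, count_certs(cleaned)))
```

Comparing by fingerprint of the decoded DER rather than by the raw element text is deliberate: xmlsec and other tools wrap base64 at different widths, so a byte-for-byte text comparison would miss a duplicate that differs only in line breaks.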