[xmlsec] Signing with X509 certificate using mscrypto provider

Jirka Kosek jirka at kosek.cz
Tue Apr 20 15:41:58 PDT 2010


Aleksey Sanin wrote:
>> Thanks for the tip. I investigated it a little bit and in general both
>> ways you suggested work. The only glitch is that this doesn't work if I
>> use non-ASCII characters in the name. This is a problem because certificates
>> here in Czech usually contain first and last name inside certificate
>> subject and there are almost always some characters with accents.
> 
> Yeah, xmlsec utility is smart enough to convert command line parameters
> from code page to utf8 as expected on Windows. I'll take a look, should
> be a trivial fix.

I haven't used command line parameters, but a signature template file in XML.

>> So it seems that there is a bug related to processing non-ASCII
>> characters. Also if I ask for certificate subject and issuer in a
>> signature template and these fields contain non-ASCII characters, I get
>> the following error from xmlsec:
>>
>> output error : invalid character value
>> output error : string is not in UTF-8
> 
> This is not a bug. By default, all data in XML file are expected to be
> in UTF8 encoding. If you use different encoding, then you need to
> specify the encoding you use in XML prolog.

Then there is probably another problem. My files were in UTF-8 with
proper <?xml version="1.0" encoding="utf-8"?> declaration. But xmlsec
was unable to find matching key (last error msg=Cannot find object or
property). I even tried to escape Czech characters using &#...;
notation, but without success.

I'm not familiar with xmlsec internals, but I suppose that it uses
libxml2 for parsing, so input encoding should be converted to UTF-8 for
in-memory storage. So encoding of XML file shouldn't matter?

>> As a workaround I have tried to escape accented characters, i.e. use:
>>
>> serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing.
>> Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ
> 
> Good workaround!

Unfortunately, it was *not working*.

> I believe you should be able to make it work through template by either
> converting names to utf8 or specifying encoding for the xml file.

Still no success, but many thanks for help.

				Jirka

-- 
------------------------------------------------------------------
  Jirka Kosek      e-mail: jirka at kosek.cz      http://xmlguru.cz
------------------------------------------------------------------
       Professional XML consulting and training services
  DocBook customization, custom XSLT/XSL-FO document processing
------------------------------------------------------------------
 OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member
------------------------------------------------------------------
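
The escaped subject name quoted in the message uses RFC 4514 hex pairs (`\C5\99` is the UTF-8 encoding of one character). The following added example, which is not part of the thread and not xmlsec code, decodes such a string and compares it with the plain UTF-8 spelling so the two forms of a template value can be checked against each other. The function names are hypothetical, the sample DN is the one from the message with its wrapped line joined by a space, and multi-valued RDNs (`+`) are not handled.

```python
import unicodedata

HEX = set("0123456789abcdefABCDEF")

def unescape_value(value):
    """Decode RFC 4514 escapes: \\XX is one UTF-8 byte, \\c is the literal c."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != "\\":
            out += value[i].encode("utf-8")
            i += 1
        elif len(pair) == 2 and set(pair) <= HEX:
            out.append(int(pair, 16))
            i += 3
        elif i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return out.decode("utf-8")  # UnicodeDecodeError if the bytes are not UTF-8

def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    parts.append(cur)
    return parts

def parse_dn(dn):
    """Return [(TYPE, value)] with escapes decoded and values NFC-normalized."""
    rdns = []
    for part in split_rdns(dn):
        attr, _, value = part.partition("=")
        text = unicodedata.normalize("NFC", unescape_value(value))
        rdns.append((attr.strip().upper(), text))
    return rdns

def dn_equal(a, b):
    return parse_dn(a) == parse_dn(b)

# Sample input: the subject name from the message, escaped and as plain UTF-8.
ESCAPED = (r"serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,"
           r"O=Ing. Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ")
PLAIN = ("serialNumber=P111870,CN=Ing. Ji\u0159\u00ed Kosek,OU=1,"
         "O=Ing. Ji\u0159\u00ed Kosek [I\u010c 71612998],C=CZ")
```
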
