[xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12

mahendra N mahendra0203 at gmail.com
Tue Nov 23 01:47:25 PST 2010


Hi,

Thanks. I had misunderstood a concept. Now it works fine.

One more question: In this case I know the start and end date of the
certificate. What if I don't know the expiry date of the certificate? Then,
how can I bypass expiry date checking of certificates?

Will *XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS* flag be of any
help?

The available documentation on xmlsec says "if the flag is set then we'll
skip strict checking of certs and CRLs". What parameters of a certificate
are skipped if we use this flag?

If there is no way to handle it in xmlsec, any pointers to alternate
solutions (maybe openssl) would be of great help.

Thanks and Regards,
Mahendra Naik




2010/11/22 Aleksey Sanin <aleksey at aleksey.com>

> Try
>
> --verification-time "2010-11-12 20:45:34"
>
>
> On 11/22/10 2:37 AM, mahendra N wrote:
>
>> Hi,
>>    I have tried the following command
>>
>>   xmlsec1 --verify --id-attr:Id LicenceData --verification-time
>> "2010-12-12 20:45:34" --trusted-pem root_kuc.pem license.xml
>>
>> license.xml is signed by root_kuc.pem, which expires on 2010-12-02.
>>
>> I get the following error:
>>
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
>> library function failed:subj=/C=US/ST=Newyork/O=Company/OU=BI/CN=Company
>> Licence Generator ILG;err=10;msg=certificate has expired
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=400:obj=x509-store:subj=unknown:error=76:certificate
>> has expirred:err=10;msg=certificate has expired
>>
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
>> is not found:
>>
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
>> library function failed:
>>
>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
>> library function failed:
>> Error: signature failed
>> ERROR
>> SignedInfo References (ok/all): 1/1
>> Manifests References (ok/all): 0/0
>> Error: failed to verify file "license.xml"
>>
>> Thanks and Regards,
>> Mahendra Naik
>>
>> 2010/11/22 mahendra N <mahendra0203 at gmail.com>
>>
>>
>>    Hi,
>>
>>        I want to verify a file, signed with a digital certificate which
>>    has expired. Is there a way in xmlsec to skip the checking of expiry
>>    date of certificates, and only check for the keys?
>>
>>
>>    Thanks and Regards,
>>    Mahendra Naik
>>
>>
>>
>>
>
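
Added example, not part of the original thread: a Python parser for the xmlsec1 error stack quoted above, which reports whether certificate verification failed only on the validity period (OpenSSL verify codes 9 and 10) or for some other reason, a check worth making before changing --verification-time. The function names and verdict labels are assumptions of this example; the sample log is the thread's own output, wrapped as it appears in the archive.

```python
import re

# OpenSSL X509 verify codes that concern only the certificate validity period.
TIME_ERRORS = {9: "certificate is not yet valid", 10: "certificate has expired"}

# Leading fields of one xmlsec error-stack entry; the remainder is free-form detail.
ENTRY = re.compile(
    r"func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<error>\d+):(?P<detail>.*)"
)

# Sample input: error output from the quoted message, quote markers removed.
SAMPLE = """\
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
library function failed:subj=/C=US/ST=Newyork/O=Company/OU=BI/CN=Company
Licence Generator ILG;err=10;msg=certificate has expired

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=400:obj=x509-store:subj=unknown:error=76:certificate
has expirred:err=10;msg=certificate has expired

func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
library function failed:
Error: signature failed
"""

def parse_entries(text):
    """Split xmlsec1 stderr into error-stack entries, re-joining wrapped lines."""
    chunks = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("func="):
            chunks.append(line)
        elif line and chunks and chunks[-1] is not None and not line.upper().startswith("ERROR"):
            chunks[-1] += " " + line      # continuation of a wrapped entry
        else:
            chunks.append(None)           # blank or summary line ends the entry
    return [m.groupdict() for m in map(ENTRY.match, filter(None, chunks)) if m]

def classify(text):
    """Return (verdict, entries); 'validity-period' means only date checks failed."""
    entries = parse_entries(text)
    codes = {int(c) for e in entries for c in re.findall(r"\berr=(\d+)", e["detail"])}
    if codes and codes <= set(TIME_ERRORS):
        return "validity-period", entries
    if codes:
        return "other-x509", entries
    return ("other" if entries else "no-errors"), entries

if __name__ == "__main__":
    print(classify(SAMPLE)[0])
```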