[xmlsec] Skipping certificate expiry checks in xmlsec 1.2.12

Aleksey Sanin aleksey at aleksey.com
Tue Nov 23 07:54:19 PST 2010


Nope. This flag is about self signed certs, etc.

You can load cert and get the dates from it. Or you can patch
xmlsec and disable this check (I would advise against it but
this is your code).

Aleksey

On 11/23/10 1:47 AM, mahendra N wrote:
> Hi,
>
>   Thanks. I had misunderstood a concept. Now it works fine.
>
> One more question: In this case I know the start and end date of the
> certificate. What if I don't know the expiry date of the certificate?
> Then, how can I bypass expiry date checking of certificates?
>
> Will XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS flag be of
> any help?
>
> The available documentation on xmlsec says "if the flag is set then
> we'll skip strict checking of certs and CRLs". What parameters of a
> certificate are skipped if we use this flag?
>
> If there is no way to handle it in xmlsec, any pointers to alternate
> solutions (maybe openssl) would be of great help.
>
> Thanks and Regards,
> Mahendra Naik
>
>
>
>
> 2010/11/22 Aleksey Sanin <aleksey at aleksey.com>
>
>     Try
>
>     --verification-time "2010-11-12 20:45:34"
>
>
>     On 11/22/10 2:37 AM, mahendra N wrote:
>
>         Hi,
>             I have tried the following command
>
>            xmlsec1 --verify --id-attr:Id LicenceData --verification-time
>         "2010-12-12 20:45:34" --trusted-pem root_kuc.pem license.xml
>
>         license.xml is signed by root_kuc.pem, which expires on 2010-12-02.
>
>         I get the following error:
>
>         func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
>         library function
>         failed:subj=/C=US/ST=Newyork/O=Company/OU=BI/CN=Company
>         Licence Generator ILG;err=10;msg=certificate has expired
>         func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=400:obj=x509-store:subj=unknown:error=76:certificate
>         has expirred:err=10;msg=certificate has expired
>         func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
>         library function failed:
>         func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
>         is not found:
>         func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
>         library function failed:
>         func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
>         library function failed:
>         Error: signature failed
>         ERROR
>         SignedInfo References (ok/all): 1/1
>         Manifests References (ok/all): 0/0
>         Error: failed to verify file "license.xml"
>
>         Thanks and Regards,
>         Mahendra Naik
>
>         2010/11/22 mahendra N <mahendra0203 at gmail.com>
>
>
>             Hi,
>
>                 I want to verify a file, signed with a digital
>             certificate which has expired. Is there a way in xmlsec
>             to skip the checking of expiry date of certificates, and
>             only check for the keys?
>
>
>             Thanks and Regards,
>             Mahendra Naik
>
>
>
>
>
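The reply above suggests loading the certificate and reading its dates. The following is an added example, not part of the original thread and not xmlsec code: it parses the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates` and reports whether a `--verification-time` value falls inside the validity window, which is why 2010-12-12 failed in the thread and 2010-11-12 was suggested. The sample `notBefore` value and the times of day are constructed, and the comparison assumes both times are in UTC.

```python
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates -in root_kuc.pem` output.
# notAfter matches the expiry date given in the thread (2010-12-02); the
# notBefore value and the times of day are invented for illustration.
SAMPLE_DATES = """notBefore=Dec  2 20:45:34 2009 GMT
notAfter=Dec  2 20:45:34 2010 GMT
"""

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # format printed by `openssl x509 -dates`
XMLSEC_FMT = "%Y-%m-%d %H:%M:%S"       # format passed to --verification-time


def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_validity(dates_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = _utc(value.strip(), OPENSSL_FMT)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    if fields["notBefore"] > fields["notAfter"]:
        raise ValueError("notBefore is later than notAfter")
    return fields["notBefore"], fields["notAfter"]


def check_verification_time(dates_output, verification_time):
    """Classify a verification time against the certificate validity window.

    Assumption: the verification time string is interpreted as UTC here.
    """
    not_before, not_after = parse_validity(dates_output)
    when = _utc(verification_time, XMLSEC_FMT)
    if when < not_before:
        return "not-yet-valid"
    if when > not_after:
        return "expired"
    return "valid"  # both window boundaries are inclusive


if __name__ == "__main__":
    for t in ("2010-12-12 20:45:34", "2010-11-12 20:45:34"):
        print(t, "->", check_verification_time(SAMPLE_DATES, t))
```
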

