[xmlsec] 0.0.8a build error on Win32

Aleksey Sanin aleksey at aleksey.com
Wed Aug 28 16:59:06 PDT 2002


Not necessarily. Suppose you are signing a message with a key and
provide more than one certificate for this key (for example, signed by
root CAs A and B). It is possible that one of your recipients trusts
the root CA A but not B and another trusts root CA B and not A.
Then in this case *both* recipients will be able to successfully validate
the message and both of them will have the same error.
I believe that in your case the message verification succeeds because
the XML Sec library was able to find correct keys for the message in some
other place (another cert, keys manager, etc.). From my point of view,
this is correct behavior and the verification *must* succeed (see
scenario above).


Aleksey



Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  One other question .. when xmlSecDSigValidate() returns I'm getting a
>return code of zero, and pResult->result is equal to
>xmlSecTransformStatusOk. According to the doc, that means it worked.
>However, down in the guts of x509 verification, the following error is
>being generated: "error 31: cert verification failed : ". Unfortunately,
>while that does result in a callback to the default error handler, it
>doesn't result in any final error status from the verification routine.
>So, unless I monitor the error handler, I don't know that the error
>occurred. In this case, because the uncertified public key is really OK
>and the hash is OK and the data is OK, the verify returns OK -- but it
>really isn't OK because I forgot to supply the PEM data needed to
>authenticate the certificate. Shouldn't this have resulted in a failure?
>Verification with an invalid cert really isn't validation of the
>signature, IMO. 
>Thanks!
>  Ferrell
>
>-----Original Message-----
>From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
>Sent: Wednesday, August 28, 2002 7:36 PM
>To: Moultrie, Ferrell (ISSAtlanta)
>Cc: xmlsec at aleksey.com
>Subject: Re: [xmlsec] 0.0.8a build error on Win32
>
>
>Ferrell,
>
>Thanks for reporting the problem! I really suck :(  and I am doing a new
>build right now. For the 0.0.8 release I tried to use a new box for doing
>builds but it looks like it was a really WRONG idea. I did the 0.0.9 release
>on the old box and am now smoke testing it.  Should be done in 15-30 minutes.
>
>Sorry for the inconvenience,
>Aleksey
>
>Moultrie, Ferrell (ISSAtlanta) wrote:
>
>  
>
>>When I try to build 0.0.8a, I get an error:
>>D:\xmlsec-0.0.8\src\enveloped.c(24) : fatal error C1083: Cannot open
>>include file: 'xmlsec/xpath.h': No such file or directory
>>
>>I don't see an xmlsec/xpath.h in the xmlsec distribution (there is one
>>in libxml2 -- but this specifically asks for xmlsec/xpath.h). 
>>
>>If I simply comment out the line:
>>//#include <xmlsec/xpath.h>
>>.. then everything builds OK.
>>
>>Am I missing something? This same error persists in the 020828 daily
>>build also.
>>Thanks!
>> Ferrell
>>
>>=====================================
>>Ferrell Moultrie (ferrell at iss.net)
>>Software Engineer
>>
>>Internet Security Systems, Inc.
>>6303 Barfield Road
>>Atlanta, Georgia 30328
>>Phone:  404-236-2600
>>Direct: 404-236-2849
>>Fax:    404-236-2632
>>http://www.iss.net
>>
>>Internet Security Systems -- The Power to Protect
>>=====================================
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec at aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>
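The two cases discussed in this thread, modeled as an added example (this is not xmlsec code and not from either poster): a lenient check that succeeds when any usable key source exists, next to a stricter caller-side policy that also requires a verified certificate. All type and function names are hypothetical, no real cryptography is performed, and `have_local_key` is an assumed stand-in for a key found in a keys manager.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; hypothetical names, not the xmlsec API. */
typedef struct { const char *issuer; } cert_t;
typedef struct {
    int signature_ok;   /* signature value matched with a usable key */
    int certs_trusted;  /* supplied certs that chain to a trusted root */
    int cert_errors;    /* supplied certs that failed verification */
    int key_from_store; /* key came from a local store, not a verified cert */
} verify_result_t;

static int is_trusted(const char *issuer, const char **roots, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(issuer, roots[i]) == 0) return 1;
    return 0;
}

/* Lenient check as described in the reply: one usable key source is enough,
 * and a cert that fails verification is only counted, not fatal. */
verify_result_t verify_message(const cert_t *certs, size_t ncerts,
                               const char **roots, size_t nroots,
                               int have_local_key, int sig_matches) {
    verify_result_t r = {0, 0, 0, 0};
    for (size_t i = 0; i < ncerts; i++) {
        if (is_trusted(certs[i].issuer, roots, nroots)) r.certs_trusted++;
        else r.cert_errors++;
    }
    r.key_from_store = (r.certs_trusted == 0 && have_local_key);
    r.signature_ok = sig_matches && (r.certs_trusted > 0 || r.key_from_store);
    return r;
}

/* Stricter caller policy: the key must be vouched for by a verified cert. */
int accept_strict(const verify_result_t *r) {
    return r->signature_ok && r->certs_trusted > 0;
}

int main(void) {
    const char *roots_a[] = {"Root CA A"};          /* recipient trusts only A */
    cert_t both[] = {{"Root CA A"}, {"Root CA B"}}; /* constructed sample certs */
    verify_result_t multi = verify_message(both, 2, roots_a, 1, 0, 1);
    verify_result_t nopem = verify_message(both, 1, NULL, 0, 1, 1); /* no roots loaded */
    printf("multi-cert: ok=%d errors=%d strict=%d\n",
           multi.signature_ok, multi.cert_errors, accept_strict(&multi));
    printf("no roots:   ok=%d errors=%d strict=%d\n",
           nopem.signature_ok, nopem.cert_errors, accept_strict(&nopem));
    return 0;
}
```

Both runs report one certificate error and a successful signature check; only the strict policy tells them apart, which is the distinction a caller has to make for itself when the library reports success.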




