[xmlsec] External DTD support

Aleksey Sanin aleksey at aleksey.com
Wed Jan 22 11:50:51 PST 2003


Hi, Rich!

Thanks for the patch!  I applied and committed the xmlsec utility part
with a small fix (you forgot to free the DTD at the end :) ).
The changes in x509.c are not required. The self signed "trusted"
certificate should work. For example, I used the following commands
to create and verify a signature with a self signed cert (see attached 
file):

    > xmlsec sign --privkey:test-key ca.key,ca.crt --output test.xml test.tmpl
    > xmlsec verify --trusted ca.crt --verification-time "2002-04-01 00:00:01" test.xml
        = Status:
        == Signatures ok: 1
        == Signatures fail: 0
        == SignedInfo Ref ok: 1
        == SignedInfo Ref fail: 0
        == Manifest Ref ok: 0
        == Manifest Ref fail: 0
        OK
    > openssl x509 -in ca.crt -text
        ....
        Issuer: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
                CN=Aleksey Sanin/emailAddress=aleksey at aleksey.com
        .....
        Subject: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
                 CN=Aleksey Sanin/emailAddress=aleksey at aleksey.com
        ...

I have to specify the verification time because I am using the cert from my
"expired certs" tests :), but besides that everything else looks just fine to me.
And according to the OpenSSL 0.9.7 code (crypto/x509/x509_vfy.c, around
line #200) it should work perfectly too. If you are using OpenSSL 0.9.6 then
you might consider upgrading to 0.9.7. It'll save you a lot of time :)

Thanks again,
Aleksey




Rich Salz wrote:

> I want to be able to use the xmlsec application to verify SOAP messages signed 
> using WS-Security.  SOAP does not allow DTDs.  The attached patch 
> adds a "--dtdfile FILENAME" option to xmlsec, so you can write a DTD 
> that identifies ID attributes.  It includes a documentation update (it 
> seems xmlsec.xml is the place to update; I hope I did it right).
>
> Perhaps more controversial, the patch always allows self-signed 
> certificates. That part should, perhaps, be changed to allow 
> self-signed certs if they were specified with the "--trusted" flag, 
> but I haven't been able to figure out how to do that.
>
>     /r$
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.tgz
Type: application/x-gzip
Size: 1575 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030122/c7a649fb/test.bin
