[xmlsec] X509Data sub-element detail ?
Aleksey Sanin
aleksey at aleksey.com
Wed Aug 6 22:04:47 PDT 2003
>xmlsec sign --pkcs12 keys/EdSign.p12 --output inout/edsigned1.xml
>tmpl/tmpl-EPM-sign.xml
>
>... This in the template works ...
>
><X509Data>
></X509Data>
>
>... This in the template does not ...
>
><X509Data>
> <X509SubjectName/>
> <X509Certificate/>
></X509Data>
>
>
The second template should work if you are using xmlsec-openssl 1.1.0 or
xmlsec-nss
from CVS trunk. If you have correct version and it does not work then
it's probably a bug
somewhere. I would appreciate if you can file a bug report and provide
as much details
as possible (xmlsec version + crypto, os, templates you are using,
pkcs12 file if possible).
>Where is the additional X509 detail extracted from ? I tried adding:
>
>--trusted-der keys/cacert.der
>
>... to the command line to no avail.
>
>
This has nothing to do with it. "--trusted-*" options tells xmlsec which
certs are trusted
when it verifies signature. XMLSec gets certificates from the key. In
you case, from PKCS12 file.
BTW, do you have a cert in this file?
>I'd also like to include other X509 info like issuer, valid from, valid to,
>cert serial number, etc ...
>
>
This goes outside the scope of XMLDSig specification [1]. All this
information is available
inside the cert itself and you can include full certificate using
<X509Certificate/> node.
Aleksey
[1] http://www.w3.org/TR/xmldsig-core/#sec-X509Data
More information about the xmlsec
mailing list