[xmlsec] Big patch to xmlsec in recent OpenOffice.org sources

Andrew Fan Xuelei.Fan at Sun.COM
Sun Feb 27 23:30:05 PST 2005


Aleksey Sanin wrote:

> 6) src/mscrypto/certkeys.c, xmlSecMSCryptoX509StoreConstructCertsChain()
> function:
> The new code tries to construct a certs chain for a self-signed cert
> even if it is not found in the trusted store. I believe, this is
> incorrect. If we can not find self-signed cert in the trusted
> certs store, then we just need to return FALSE (can't construct trusted
> certs chain). I modified the code to do exactly that and it passes
> all my tests. Hope it will work for you too.
>
I think you have a little misunderstanding of the cert chain building. 
It doesn't try to find a self-signed cert in the untrusted store; it tries to 
find a non-self-signed cert in the untrusted store, i.e., it tries to find the 
mid-CA cert in the untrusted store. Firstly, it will try to find a cert ( 
self-signed or not ) in the key store ( which makes sure that when a 
cert is used for a signature, it can be found in the key store; the trusted 
cert should first be looked for in a small store instead of searching a 
much larger store ); then, if it is found and it's not a self-signed 
cert, we will continue searching in the untrusted store; finally, the last 
cert must be found in the trusted store, otherwise we'll refuse to 
trust the chain. I think the process is correct.

Why do I provide the patch? Firstly, I want to find the user's personal 
certificate with its private key pair during signing. If I only search for 
self-signed certificates in the trusted store, it will fail in the cases 
where no complete cert chains are placed in the store; it's common 
that the user only has one personal cert with a private key pair. How to 
validate the signature is the responsibility of the recipient ( a third 
user should get the root cert from his key store ), and certainly the 
signer must be able to validate the signature ( I myself should only get my 
private key and personal certificate; definitely, I trust my own cert ). 
Secondly, for performance, in a large-scale business PKI it is 
time-consuming to search for a cert in the cert store, so here I'll try to find 
some locally ( in the key store ). Thirdly, definitely, I must trust the 
cert found in the key store, whether it is a root cert or a 
personal cert.

I'm not 100% sure, but I think your code will fail to find the private key 
from a signature template during signing.

Thanks,
Andrew
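The chain walk described in the message above (key store first, then the untrusted store for intermediate CAs, then the trusted store for the root), written out as an added toy model in C. This is not xmlsec's code nor the OpenOffice.org patch: certificates are reduced to subject/issuer name pairs, the three stores are constructed arrays, and the hypothetical `construct_trusted_chain` function accepts a chain only when its final self-signed cert is found in the trusted store, as the message states; the message's separate point that a cert found in the key store is trusted as-is is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model, not xmlsec code: a cert is reduced to a subject
 * name and an issuer name; a cert whose issuer equals its subject is
 * treated as self-signed. */
typedef struct {
    const char *subject;
    const char *issuer;
} Cert;

typedef struct {
    const Cert *certs;
    int count;
} Store;

static bool is_self_signed(const Cert *c)
{
    return strcmp(c->subject, c->issuer) == 0;
}

/* Look a cert up by subject name in one store; NULL if absent. */
static const Cert *find_by_subject(const Store *s, const char *subject)
{
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->certs[i].subject, subject) == 0)
            return &s->certs[i];
    return NULL;
}

/* Resolve the issuer of `c` using the search order from the message:
 * key store first (small, local), then the untrusted store (intermediate
 * CAs), then the trusted store. */
static const Cert *find_issuer(const Cert *c, const Store *key,
                               const Store *untrusted, const Store *trusted)
{
    const Cert *hit = find_by_subject(key, c->issuer);
    if (!hit) hit = find_by_subject(untrusted, c->issuer);
    if (!hit) hit = find_by_subject(trusted, c->issuer);
    return hit;
}

/* Walk from `leaf` towards a self-signed cert.  The chain is accepted only
 * if that self-signed cert is present in the trusted store; a missing
 * issuer, an untrusted root or an issuer loop (bounded by max_depth) all
 * reject it. */
bool construct_trusted_chain(const Cert *leaf, const Store *key,
                             const Store *untrusted, const Store *trusted,
                             int max_depth)
{
    const Cert *cur = leaf;
    for (int depth = 0; depth < max_depth; depth++) {
        if (is_self_signed(cur))
            return find_by_subject(trusted, cur->subject) != NULL;
        cur = find_issuer(cur, key, untrusted, trusted);
        if (!cur)
            return false;   /* chain broken: issuer not in any store */
    }
    return false;           /* issuer loop or chain too deep */
}

/* Constructed sample PKI: personal cert in the key store, intermediate CA
 * in the untrusted store, root in the trusted store. */
static const Cert personal = { "CN=Andrew Fan", "CN=Mid CA" };
static const Cert mid_ca   = { "CN=Mid CA",     "CN=Root CA" };
static const Cert root_ca  = { "CN=Root CA",    "CN=Root CA" };

static const Store key_store       = { &personal, 1 };
static const Store untrusted_store = { &mid_ca,   1 };
static const Store trusted_store   = { &root_ca,  1 };
static const Store empty_store     = { NULL,      0 };

/* Scenario 1: every link present, root trusted -> accepted. */
bool demo_full_chain(void)
{
    return construct_trusted_chain(&personal, &key_store, &untrusted_store,
                                   &trusted_store, 8);
}

/* Scenario 2: root only in the untrusted store -> rejected, matching
 * "the last cert must be found in the trusted store". */
bool demo_root_not_trusted(void)
{
    static const Cert untrusted_certs[] = {
        { "CN=Mid CA",  "CN=Root CA" },
        { "CN=Root CA", "CN=Root CA" },
    };
    static const Store untrusted2 = { untrusted_certs, 2 };
    return construct_trusted_chain(&personal, &key_store, &untrusted2,
                                   &empty_store, 8);
}

/* Scenario 3: intermediate CA missing from every store -> rejected. */
bool demo_missing_intermediate(void)
{
    return construct_trusted_chain(&personal, &key_store, &empty_store,
                                   &trusted_store, 8);
}

int main(void)
{
    printf("full chain:           %s\n", demo_full_chain() ? "trusted" : "denied");
    printf("root not trusted:     %s\n", demo_root_not_trusted() ? "trusted" : "denied");
    printf("missing intermediate: %s\n", demo_missing_intermediate() ? "trusted" : "denied");
    return 0;
}
```

The second scenario is the case the two messages disagree about in practice: a root that is reachable but not in the trusted store still ends the walk, and the walk's result is "denied" regardless of which store the root was found in.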
