[xmlsec] OpenSSL vs mscrypto

Aleksey Sanin aleksey at aleksey.com
Thu Jan 12 21:13:51 PST 2006


According to the spec, an xmldsig application should search
for the key using *all* the information available in the <dsig:KeyInfo/>
element. The specification *does not* say that an X509 certificate
is better than a key name, and it does not require one to search
in any particular order.

However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/>
sub-elements. For example, look at the --enabled-key-data option
of the xmlsec command line application.

I am not sure I understand all the steps you did for
adding/removing certificates to the MS stores, thus I cannot
comment on the validity of your tests or point my finger at
what you did wrong. What I do know is that on my computer
I see the following results:

 > xmlsec verify --crypto mscrypto
        --trusted-der d:\upu-cacert.der
        d:/edsigned-enveloped.xml
...

OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

 > xmlsec verify --crypto mscrypto
        d:/edsigned-enveloped.xml
...

Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "d:/edsigned-enveloped.xml"

which is *exactly* what I expect to see and what I believe
you expect to see too.


And as I usually say, I *DO* accept patches :)

Aleksey
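As an added illustration of the --enabled-key-data behaviour described in the message above (this is example code, not part of the post or of xmlsec itself), the toy model below walks a constructed <dsig:KeyInfo/> and drops the sub-elements a verifier has been told not to consider; the key-data names in the mapping are assumed to mirror xmlsec's and are not taken from the page.

```python
# Added example (not xmlsec's code): a toy model of how an
# --enabled-key-data style filter narrows which <dsig:KeyInfo/>
# sub-elements a verifier will even look at. By default every known
# key data is considered, with no preference for X509 over KeyName.
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Element local name -> key-data name. Assumed to mirror the names
# xmlsec accepts for --enabled-key-data; treat them as an assumption.
KEY_DATA_NAMES = {
    "KeyName": "key-name",
    "KeyValue": "key-value",
    "RetrievalMethod": "retrieval-method",
    "X509Data": "x509",
}

# Constructed sample: a KeyInfo carrying both a key name and a certificate.
SAMPLE_KEY_INFO = f"""
<KeyInfo xmlns="{DSIG_NS}">
  <KeyName>example-signing-key</KeyName>
  <X509Data>
    <X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate>
  </X509Data>
</KeyInfo>
"""


def key_data_candidates(key_info_xml, enabled=None):
    """Return (key-data-name, text) pairs from KeyInfo in document order.

    enabled=None mimics the default (all known key data considered, as the
    spec requires); a set of names mimics --enabled-key-data, under which
    anything not listed is skipped rather than ranked lower.
    """
    root = ET.fromstring(key_info_xml)
    candidates = []
    for child in root:
        local = child.tag.split("}", 1)[-1]          # strip the dsig namespace
        name = KEY_DATA_NAMES.get(local)
        if name is None or (enabled is not None and name not in enabled):
            continue                                  # unknown or disabled: ignored
        # X509Data nests the certificate; KeyName carries its text directly.
        candidates.append((name, "".join(child.itertext()).strip()))
    return candidates


if __name__ == "__main__":
    print(key_data_candidates(SAMPLE_KEY_INFO))
    print(key_data_candidates(SAMPLE_KEY_INFO, enabled={"x509"}))
```

With only "x509" enabled the KeyName is never consulted, which is the knob the message points at; resolving the certificate against a trusted CA (the --trusted-der step) is a separate check this model does not perform.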