[Bulk] Re: [xmlsec] OpenSSL vs mscrypto

Edward Shallow ed.shallow at rogers.com
Thu Jan 12 21:52:35 PST 2006

Your messages are very short?

There is no mistake with the adding/removing of certs in the MS Store as
there is only one cert in play here, the public "Test User 1".

And the .der you are loading from the command line utility.

You must have converted "Test User 1" to a .cer and loaded it into one of the
MS cert stores. Yes? 'MY' or 'AddressBook'?

You did not use the --enabled-key-data in your example below? Why did you
mention it?

Just tell me what you did.

I rather suspect your binaries are simply newer than Igor's 1.2.8 or you
are picking up Dmitry's patch and that has fixed it.

Please be more specific in your explanation.


-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Aleksey Sanin
Sent: January 13, 2006 12:14 AM
To: ed.shallow at rogers.com
Cc: xmlsec at aleksey.com
Subject: [Bulk] Re: [xmlsec] OpenSSL vs mscrypto

According to the spec, an xmldsig application should search for the key using
*all* the information available in the <dsig:KeyInfo/> element. The
specification *does not* say that an X509 certificate is better than a key name
and it does not require one to search in some particular order.

However, xmlsec *DOES* allow one to disable some <dsig:KeyInfo/>
sub-elements. For example, look for the --enabled-key-data option for the xmlsec
command line application.

I am not sure I understand all the steps you did for adding/removing
certificates to MS stores, thus I cannot comment on the validity of your
tests or point my finger at what you did wrong. What I do know is that on my
computer, I do see the following results:

 > xmlsec verify --crypto mscrypto
        --trusted-der d:\upu-cacert.der

SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

 > xmlsec verify --crypto mscrypto

Error: signature failed
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "d:/edsigned-enveloped.xml"

which is *exactly* what I expect to see and what I believe you expect to see.

And as I usually say, I *DO* accept patches :)


