[xmlsec] Re: GOST support in xmlsec

Dmitry Belyavsky beldmit at cryptocom.ru
Tue Feb 14 07:38:03 PST 2006


On Tue, 14 Feb 2006, Aleksey Sanin wrote:

> > > > We've fixed x509vfy.c patch. The problem was in two typos in recursion
> > > > calls. New version is attached.
> > > Great! Now all the tests pass. Last thing I would like to understand is
> > > what this patch is doing :) It seems like it changes the trusted
> > > certificates processing a little bit:
> > >   - now xmlsec always looks at both trusted certs in the manager and in
> > >     the system;
> > >   - with this patch, xmlsec will not look at the system trusted certs
> > >     if there are trusted certs in manager.
> > >
> > > Is this correct? Am I missing something else?
> >
> > Yes, it seems to be correct.
> Hm... Any particular reason for this? It seems to me that if you have
> trusted certs then you need to use *all* of them. Plus I am a little
> bit afraid that this might screw existing applications.

It seems to me there is almost no reason to avoid installing trusted
certs and the corresponding CRLs into the system storage. So the user can
either provide the chain, passing all necessary certs manually, or suppose
the root cert (or the first few certs) are already present in the system.

Unfortunately, we didn't find a way to add trusted certs to the system
store during cert chain verification.

SY, Dmitry Belyavsky (ICQ UIN 11116575)
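The two lookup policies described in the quoted exchange (always consult both the key manager's trusted certs and the system store, versus consulting the system store only when the manager holds no trusted certs) can be modelled with a few lines of chain-building logic. The following is an added example for this discussion, not code from xmlsec or from either poster; the certificate names, the `Cert` record and the policy strings are constructed for illustration, and signature checking is deliberately left out so that only the lookup order is shown.

```python
# Added example: models the trusted-cert lookup policies discussed in the
# thread. Not xmlsec code. Certificates are hypothetical, constructed records;
# real chain building would also verify each signature and check CRLs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # self-signed when issuer == subject


# Constructed sample certs (hypothetical names).
LEAF = Cert("CN=signer", "CN=Intermediate CA")
INTERMEDIATE = Cert("CN=Intermediate CA", "CN=Root CA")
ROOT = Cert("CN=Root CA", "CN=Root CA")
OTHER_ROOT = Cert("CN=Other Root CA", "CN=Other Root CA")


def trusted_roots(manager, system, policy):
    """Return the trusted certs a chain may terminate at under a policy.

    "both"          - union of manager and system trusted certs (the
                      behaviour the thread describes as the existing one).
    "manager-first" - manager certs alone when the manager has any,
                      otherwise the system certs (the patched behaviour
                      as described in the thread).
    """
    if policy == "both":
        return set(manager) | set(system)
    if policy == "manager-first":
        return set(manager) if manager else set(system)
    raise ValueError(f"unknown policy: {policy}")


def build_chain(leaf, untrusted, manager, system, policy, max_depth=10):
    """Follow issuer links from `leaf` through `untrusted` certs until a
    trusted cert is reached.

    Returns the chain as a list of subjects, or None when no trusted cert
    terminates it. `max_depth` bounds the walk so a cycle of untrusted
    certs cannot loop forever.
    """
    roots = {c.subject: c for c in trusted_roots(manager, system, policy)}
    pool = {c.subject: c for c in untrusted}
    chain = [leaf.subject]
    cur = leaf
    for _ in range(max_depth):
        # Terminate as soon as the issuer is one of the trusted certs.
        if cur.issuer in roots:
            chain.append(cur.issuer)
            return chain
        nxt = pool.get(cur.issuer)
        if nxt is None or nxt.subject == nxt.issuer:
            # Issuer is unknown, or is an untrusted self-signed cert.
            return None
        chain.append(nxt.subject)
        cur = nxt
    return None


if __name__ == "__main__":
    # The case raised in the thread: an unrelated trusted cert in the
    # manager, the real root only in the system store.
    for policy in ("both", "manager-first"):
        found = build_chain(LEAF, [INTERMEDIATE], [OTHER_ROOT], [ROOT], policy)
        print(f"{policy:14s} -> {found}")
```

Running it shows the compatibility concern in the thread: with the root only in the system store and an unrelated trusted cert loaded into the manager, the `both` policy still builds a full chain, while `manager-first` never consults the system store and reports no chain. The example also shows that `manager-first` with an empty manager behaves exactly like `both`.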
