[xmlsec] Verifying signature with embedded x509 cert

Aleksey Sanin aleksey at aleksey.com
Tue Dec 4 18:38:27 PST 2007

xmlsec loads trusted certs from the default
crypto-specific storage (e.g. root certs folder
for openssl, nss certs db for NSS, etc.)


Jim Nutt wrote:
> Do I need to load the trusted roots manually (does the xmlsec utility?)? 
> If that's the case, that may be why xmlsec will verify it but my code 
> won't, it doesn't load the root certificates. I'll give that a try.
> On Dec 4, 2007 8:19 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>     Yes, it will get a key from the certificate! You need a trusted
>     certificate (e.g. root CA certificate) to have the certificate
>     in the signature verified.
>     Aleksey
>     Jim Nutt wrote:
>      > Ok, a bit more info. The xmlsec utility will verify the signature
>      > without being passed the pem file separately, so it apparently is able
>      > to suck the key from the signature. I'm trying to create a minimal size
>      > code set that demonstrates the problem, I'll post that when I have it.
>      >
> -- 
> Jim Nutt
> http://jim.nuttz.org
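
Added example, not part of the original thread and not xmlsec's own code: the trust check discussed above, reproduced with the openssl command line, since that is the store xmlsec uses when built on OpenSSL. The CA, the signer certificate and the helper names `make_pki` and `chain_status` are constructed for illustration.

```shell
#!/bin/sh
# Added example; the CA and signer certificate are constructed throwaway data.
set -e

# Write a root CA (ca.pem) and a signer cert it issued (leaf.pem) into dir $1.
make_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=Constructed Signer" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# Print "trusted" or "untrusted" for certificate $1. $2 is an optional PEM
# file of trust anchors; without it only the default OpenSSL store is used.
chain_status() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    else
        out=$(openssl verify "$1" 2>&1 || true)
    fi
    case "$out" in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_pki "$d"
# The signer cert carries a usable public key either way; only the chain
# check depends on whether the issuing root is present as a trust anchor.
echo "default store only:     $(chain_status "$d/leaf.pem")"
echo "root loaded as trusted: $(chain_status "$d/leaf.pem" "$d/ca.pem")"
```

In xmlsec the counterpart of `-CAfile` is loading the root into the keys manager with `xmlSecCryptoAppKeysMngrCertLoad()` and type `xmlSecKeyDataTypeTrusted`, or passing `--trusted-pem` to the `xmlsec1` utility.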
