[xmlsec] Signature Verification Problem Using X509 Certificates

Roumen Petrov xmlsec at roumenpetrov.info
Thu Feb 21 15:20:26 PST 2008

Paul Keeler wrote:
> I've tried this on the command line already.  If I add all of the
> certificates as untrusted (--untrusted pem), and obviously still use the
> trusted root (--trusted-pem), then xmlsec verifies the signature perfectly
> with no spurious errors.
> [SNIP]

This is a long e-mail thread and I lost the head.
I self signed root certificate shouldn't go in xml document:
chain: C1(root)->C2->C3->C4->C4
   C1 in trusted local store (command line or default openssl)
   C2->C3->C4->C4 in xml document

I think if document is without C1 error(warning) will disappear.

Paul, if C1 in not in local trusted store, but all five are in xml, did 
xmlsec validate document ?

Aleksey did presence of self signed root certificate in document violate 
standard ?


More information about the xmlsec mailing list