[xmlsec] Issues using xmlsec for SAML

Dave Chapman dave at dchapman.com
Mon May 26 23:44:10 PDT 2008


Thanks for the reply.

Yes, my problem is that the signatures only have an X509Certificate 
element.  The information I'm after is in those certificates, so I'm not 
sure why it would need to be stored elsewhere as well.

Also, is there anything preventing these elements from being faked? 
i.e. not the same as the Subject/Issuer information in the certificate 
itself?  Does xmlsec verify them against the certificates?

But hopefully I'm not the only person with a requirement to just accept 
a subset of certificates signed by a particular CA?  In my case, who 
signed the document is just as important as the fact that the message 
hasn't been modified.



P.S. No. I'm not Davis Chapman.

Ed Shallow wrote:
> All the elements below are exposable using signatures created with xmlsec,
> but I guess your problem is signatures that only have an X509Certificate
> element? That's the signer's prerogative.
> I have no problems, if I can't follow the cert chain to an accepted set of
> roots I have been authorized to verify against TrustedRootPems, the xmlsec
> verify throws error. I don't really care to report who signed it if the
> signer chose not to expose these additional elements in the first place.
> Is this Davis Chapman of Developing Secure Applications in ... fame?
> <X509SubjectName>
> <X509IssuerSerial>
>     <X509IssuerName>
>     <X509SerialNumber>
> </X509IssuerSerial>
> Also <KeyName>
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
> Behalf Of Dave Chapman
> Sent: Monday, May 26, 2008 5:29 PM
> To: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Issues using xmlsec for SAML
> Aleksey Sanin wrote:
>> You have to use OpenSSL, NSS, or any other crypto provider functions
>> to access this information.
> Is there a reason for xmlsec not providing access to this information?
> It would seem to me to be a fundamental feature of signatures - anyone 
> checking a signature needs to know both a) that the signature is valid 
> and the document hasn't been modified since signing; and b) who signed 
> the file.
> How do other people reading this mail deal with this issue?
> Thanks,
> Dave.
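The check being asked about in this thread, written out as an added example (it is not xmlsec's code and not code from any of the posters): the <X509SubjectName> and <X509IssuerSerial> elements are plain text that can say anything, so a relying party should bind its "who signed this" decision to the issuer, subject and serial parsed from the DER bytes inside <X509Certificate>, and then accept the signer only if that parsed issuer is one of the CAs it trusts. Assumptions: Python standard library only, a deliberately minimal DER reader in place of OpenSSL or NSS, and a constructed, unsigned TBSCertificate skeleton as sample data (the CA name, subject, serial and the forged KeyInfo are all made up). In a real deployment the certificate would be the one xmlsec has already chain-validated against the trusted roots, and the issuer allow-list is how "accept only a subset of certificates signed by a particular CA" gets enforced.

```python
"""Bind signer identity to the DER certificate, not to the text hints beside it (added example)."""
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

# --- minimal DER reader: enough for issuer, subject and serial of a certificate ---
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def _decode_oid(raw):
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def _decode_name(name_value):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue  ->  'C=..,O=..,CN=..'"""
    rdns = []
    for _, rdn_set in _children(name_value):
        for _, atv in _children(rdn_set):
            (_, oid_raw), (_, val) = list(_children(atv))
            oid = _decode_oid(oid_raw)
            rdns.append(f"{OID_NAMES.get(oid, oid)}={val.decode('utf-8')}")
    return ",".join(rdns)

def parse_certificate(der):
    """Return (issuer, subject, serial) as actually encoded in the certificate."""
    _, cert, _ = _read_tlv(der, 0)     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _read_tlv(cert, 0)     # TBSCertificate ::= SEQUENCE { [0] version, serial, ... }
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:           # skip optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")
    return _decode_name(fields[2][1]), _decode_name(fields[4][1]), serial

def check_keyinfo(keyinfo_xml, trusted_issuers):
    """Return (subject, issuer, problems). Hints that disagree with the certificate, or an
    issuer outside the accepted set, are problems. Chain and signature checks stay with xmlsec."""
    ns = {"ds": DSIG_NS}
    root = ET.fromstring(keyinfo_xml)
    der = base64.b64decode(root.findtext(".//ds:X509Certificate", namespaces=ns))
    issuer, subject, serial = parse_certificate(der)
    expected = {"X509SubjectName": subject, "X509IssuerName": issuer, "X509SerialNumber": str(serial)}
    problems = []
    for elem, actual in expected.items():
        claimed = root.findtext(f".//ds:{elem}", namespaces=ns)
        if claimed is not None and claimed.strip() != actual:
            problems.append(f"{elem} claims {claimed.strip()!r} but the certificate says {actual!r}")
    if issuer not in trusted_issuers:
        problems.append(f"issuer {issuer!r} is not an accepted CA")
    return subject, issuer, problems

# --- constructed test data: an unsigned TBSCertificate skeleton, not a real certificate ---
def _tlv(tag, body):                   # bodies here are < 256 bytes, so 0x81 covers long form
    n = len(body)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + body

def _encode_oid(dotted):               # arcs < 128 only, which covers the X.520 attributes used
    p = [int(x) for x in dotted.split(".")]
    return bytes([p[0] * 40 + p[1]] + p[2:])

def _encode_name(pairs):
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(o))
                                                 + _tlv(0x0C, v.encode()))) for o, v in pairs))

def build_skeleton_cert(issuer, subject, serial):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes(2, "big")) + _tlv(0x30, b"")
           + _encode_name(issuer) + _tlv(0x30, b"") + _encode_name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, tbs))

TRUSTED_CA = "C=US,O=Example CA Inc,CN=Example Root CA"
CERT = build_skeleton_cert([("2.5.4.6", "US"), ("2.5.4.10", "Example CA Inc"), ("2.5.4.3", "Example Root CA")],
                           [("2.5.4.6", "US"), ("2.5.4.10", "Acme"), ("2.5.4.3", "idp.acme.example")], 4660)
# A KeyInfo whose X509SubjectName names someone other than the certificate's real subject.
FORGED_KEYINFO = f"""<ds:KeyInfo xmlns:ds="{DSIG_NS}"><ds:X509Data>
<ds:X509SubjectName>CN=trusted-idp.example</ds:X509SubjectName>
<ds:X509IssuerSerial><ds:X509IssuerName>{TRUSTED_CA}</ds:X509IssuerName>
<ds:X509SerialNumber>4660</ds:X509SerialNumber></ds:X509IssuerSerial>
<ds:X509Certificate>{base64.b64encode(CERT).decode()}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo>"""

if __name__ == "__main__":
    print(check_keyinfo(FORGED_KEYINFO, {TRUSTED_CA}))
```

Running it reports that the subject hint disagrees with the certificate while the issuer is accepted; passing an empty trusted set adds a second problem for the issuer. The design point is that the hint elements are only ever compared against the certificate, never used as the source of the signer's identity, and the accept/reject decision is keyed on the parsed issuer.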
