[xmlsec] 'xmlSecKeyDataXmlRead' question about X509 certificates
Frank Gross
fg at 4js.com
Wed Jun 11 05:41:47 PDT 2008
Hi,
I use the 'xmlSecKeyDataXmlRead' and 'xmlSecKeyDataXmlWrite' functions
to save and load X509 certificates in XML, but I get a strange behavior.
When I write my certificate stored in the xmlSecKeyDataPtr section of
the xmlSecKeyPtr, everything is OK, and I get the following XML (notice
that I want the SubjectName and IssuerSerial to be present):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<dsig:X509Data xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Certificate>MIIDHTCCAt0CAQEwCQYHKoZIzjgEAzB6MQswCQYDVQQGEwJGUjEPMA0GA1UECBMGRnJhbmNlMRUwEwYDVQQHEwxTY2hpbHRpZ2hlaW0xDDAKBgNVBAoTAzRKUzEjMCEGA1UECxMaRm91ciBKJ3MgRGV2ZWxvcG1lbnQgVG9vbHMxEDAOBgNVBAMTB2RzYXJvb3QwHhcNMDgwNjA1MTMwMDI1WhcNMTgwNjAzMTMwMDI1WjB2MQswCQYDVQQGEwJGUjEPMA0GA1UECBMGRnJhbmNlMRUwEwYDVQQHEwxTY2hpbHRpZ2hlaW0xDDAKBgNVBAoTAzRKUzEjMCEGA1UECxMaRm91ciBKJ3MgRGV2ZWxvcG1lbnQgVG9vbHMxDDAKBgNVBAMTA2RzYTCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCvfbNJkDmPgfY1AkKjmRL+VJVaEpPwKzh8DqeGHw1JWsYN4NJf3rMNllirBCi2x8eGQvMMWAj7fSVK1PqrS9JukDLLbG+KJvXLTV14GfOS6r4aIasWErHPfpPHsBOYZ1s6jJlxFDdx7tJ4GgEhkJCMEJhEMT2MKxKzQdGxo0G9iwIVAODmx7JjZo0gBYr/8en+fR9f0phpAoGBAKzpjrrNlrz8/4pawEMEMnxKHMqqJGAak2Fyu4F8VW41ZULGGaLWulqPK5OVkve/+ZHrsxG3Uieyp7BOlhyVpuIt3XmCZ2WGdAv2NPAdw7RDcyQJE1KmgN0hrXHFs5oa5jxlVEOkq12JFJqNov8StlkxoPML/96kQczSm22hN4V+A4GEAAKBgHqtp0BncScT9M9/uzpCApR33m+SfQOWomYVqd177fz17O6vnFmtRM0V6sRMs0Fi+cVaa8zEcASbuJ3sGRZo2qNjXMeAg6Vm368XNKwtV3O39hvtOdO/b/HaU53oG4CEWi9koNRked4grQRxjFjabGJaMaXYO91KsaMnWoe3ijldMAkGByqGSM44BAMDLwAwLAIUK+PpNxfdEvV9ePeTt5zfDPS8NAoCFDC6gUfseNz6IYkJ0k1lurDSx9UN</dsig:X509Certificate>
<dsig:X509SubjectName>CN=dsa,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR</dsig:X509SubjectName>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>CN=dsaroot,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR</dsig:X509IssuerName>
<dsig:X509SerialNumber>1</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
</dsig:X509Data>
Then when I read it back with 'xmlSecKeyDataXmlRead', and if flag
XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT is set, I must set
the certificate in the key store to allow the system to find the real
certificate corresponding to X509SubjectName, and to X509IssuerSerial.
And that's OK for me too.
But the strange thing is that when the function returns, I have 3
certificates in the xmlSecKeyData part of the xmlSecKeyPtr. I was
expecting only one certificate, because all entries of the X509Data
represent the same certificate. I investigated a bit, and found out that
the 'xmlSecOpenSSLX509DataNodeRead' function looks for the certificate
in the key store in case of X509SubjectName and X509IssuerSerial. But
shouldn't it first check in the data part of the xmlSecKeyPtr it is
currently reading, if there is already a certificate that could match?
Actually, the problem is that I write one certificate, but when I read
it back, I have 3 times the same certificate.
Regards,
Frank
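The behaviour described above (one X509Data element whose X509Certificate, X509SubjectName and X509IssuerSerial children all name the same certificate, yielding three copies after the read) and the check Frank asks for (look at the key data being built before appending a certificate resolved from the key store) can be modelled without the xmlsec library. The following is an added example, not code from the post or from xmlsec: it uses a hypothetical simplified Cert struct, a stand-in key-store lookup, and constructed sample values (a truncated DER stand-in and the subject/issuer/serial strings from the mail's X509Data). The xmlSec function names in the comments refer to the post; none of the real API is called, so the program compiles and runs stand-alone.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical, simplified model of a certificate as held in a key's data
 * (constructed for this example; not xmlsec's xmlSecKeyDataPtr). */
typedef struct {
    const char *subject;        /* what <dsig:X509SubjectName> carries      */
    const char *issuer;         /* what <dsig:X509IssuerName> carries       */
    const char *serial;         /* what <dsig:X509SerialNumber> carries     */
    const unsigned char *der;   /* DER bytes (<dsig:X509Certificate> decoded) */
    size_t der_len;
} Cert;

#define MAX_CERTS 8
typedef struct { const Cert *certs[MAX_CERTS]; size_t count; } CertList;

/* The kinds of X509Data children that appear in the mail. */
typedef enum { ENTRY_CERTIFICATE, ENTRY_SUBJECT_NAME, ENTRY_ISSUER_SERIAL } EntryKind;
typedef struct {
    EntryKind kind;
    const Cert *cert;     /* ENTRY_CERTIFICATE: the embedded certificate   */
    const char *subject;  /* ENTRY_SUBJECT_NAME                            */
    const char *issuer;   /* ENTRY_ISSUER_SERIAL                           */
    const char *serial;   /* ENTRY_ISSUER_SERIAL                           */
} X509DataEntry;

/* Two certificates are the same when their DER encodings are byte-identical. */
static int cert_equal(const Cert *a, const Cert *b) {
    return a->der_len == b->der_len && memcmp(a->der, b->der, a->der_len) == 0;
}

/* Stand-in for the key-store lookup that xmlSecOpenSSLX509DataNodeRead
 * performs for X509SubjectName and X509IssuerSerial entries. */
static const Cert *store_find(const Cert *const *store, size_t n, const X509DataEntry *e) {
    for (size_t i = 0; i < n; i++) {
        const Cert *c = store[i];
        if (e->kind == ENTRY_SUBJECT_NAME && strcmp(c->subject, e->subject) == 0) return c;
        if (e->kind == ENTRY_ISSUER_SERIAL && strcmp(c->issuer, e->issuer) == 0 &&
            strcmp(c->serial, e->serial) == 0) return c;
    }
    return NULL;
}

/* Append a cert to the key data. With dedup != 0 the list being built is
 * checked first (the check the mail asks for) and an identical cert is skipped.
 * Returns 1 if added, 0 if skipped as a duplicate, -1 if the list is full. */
int certlist_add(CertList *list, const Cert *c, int dedup) {
    if (dedup)
        for (size_t i = 0; i < list->count; i++)
            if (cert_equal(list->certs[i], c)) return 0;
    if (list->count >= MAX_CERTS) return -1;
    list->certs[list->count++] = c;
    return 1;
}

/* Model of reading one X509Data element with STOP_ON_UNKNOWN_CERT semantics:
 * every child must resolve to a certificate or the read fails (-1).
 * Returns the number of certificates held in the key data afterwards. */
int read_x509_data(CertList *keydata, const X509DataEntry *entries, size_t n,
                   const Cert *const *store, size_t store_n, int dedup) {
    for (size_t i = 0; i < n; i++) {
        const Cert *c = (entries[i].kind == ENTRY_CERTIFICATE)
                            ? entries[i].cert
                            : store_find(store, store_n, &entries[i]);
        if (c == NULL) return -1;                     /* unknown cert: stop */
        if (certlist_add(keydata, c, dedup) < 0) return -1;
    }
    return (int)keydata->count;
}

/* Constructed sample: a truncated DER stand-in (not the full certificate from
 * the mail) plus the subject, issuer and serial the mail's X509Data carries. */
static const unsigned char DSA_DER[] = { 0x30, 0x82, 0x03, 0x1d, 0x30, 0x82, 0x02, 0xdd, 0x02, 0x01, 0x01 };
#define DSA_SUBJECT "CN=dsa,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR"
#define DSA_ISSUER  "CN=dsaroot,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR"
static const Cert DSA_CERT = { DSA_SUBJECT, DSA_ISSUER, "1", DSA_DER, sizeof DSA_DER };
static const Cert *const STORE[] = { &DSA_CERT };

/* The three children of the X509Data element in the mail, all naming one cert. */
static const X509DataEntry ENTRIES[] = {
    { ENTRY_CERTIFICATE,   &DSA_CERT, NULL,        NULL,       NULL },
    { ENTRY_SUBJECT_NAME,  NULL,      DSA_SUBJECT, NULL,       NULL },
    { ENTRY_ISSUER_SERIAL, NULL,      NULL,        DSA_ISSUER, "1"  },
};

/* Reported behaviour: three copies of the same certificate. */
int count_without_dedup(void) { CertList kd = {{NULL}, 0}; return read_x509_data(&kd, ENTRIES, 3, STORE, 1, 0); }
/* With the check against the key data being built: one certificate. */
int count_with_dedup(void)    { CertList kd = {{NULL}, 0}; return read_x509_data(&kd, ENTRIES, 3, STORE, 1, 1); }
/* Empty key store: the subject-name entry cannot be resolved, so the read stops. */
int count_unknown_cert(void)  { CertList kd = {{NULL}, 0}; return read_x509_data(&kd, ENTRIES, 3, NULL, 0, 1); }

int main(void) {
    printf("no dedup: %d, dedup: %d, unknown cert: %d\n",
           count_without_dedup(), count_with_dedup(), count_unknown_cert());
    return 0;
}
```

The comparison is on the DER bytes rather than on subject or issuer/serial, since two distinct certificates may legitimately share a subject name; matching on the encoding is the conservative choice for a duplicate check. In the real library the same approach would be applied in the code path that resolves X509SubjectName and X509IssuerSerial before a certificate is appended to the key data.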