[xmlsec] Potential Verify Issue

Owen Borseth owen at name.com
Thu Sep 17 07:14:45 PDT 2009


First, awesome library and thank you for it. I'm no XML Security
expert so I don't know if this is intended behavior or not.

When I sign an XML document and include a KeyInfo element, populated
with my public key, it will pass verification when I do something
like:

    xmlsec1 verify /tmp/signed.xml

I expect that. However, it also passes verification when I do
something like the following and pass it an incorrect public key:

    xmlsec1 verify --pubkey-pem /tmp/invalid-pubkey.pem /tmp/signed.xml

Is this intended behavior? If I leave the KeyInfo element out of the
signed document it works as I would expect and only passes
verification if I pass it the correct public key.

Owen Borseth

Name.com LLC
Software Engineer
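One way a caller can keep a pinned key authoritative, whatever key the verifier ends up selecting, is to compare any key embedded in KeyInfo with the trusted key before accepting a result. This is an added example, not code from the original post or from xmlsec; the function names, the toy keys and the sample document are constructed, and it assumes KeyInfo carries a `ds:RSAKeyValue`.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

def _to_int(text):
    # ds:CryptoBinary: base64 of the big-endian integer, whitespace allowed
    return int.from_bytes(base64.b64decode("".join((text or "").split())), "big")

def _to_b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def check_pinned_key(xml_text, pinned):
    """Compare every RSA key embedded in ds:KeyInfo with the pinned (n, e) pair."""
    root = ET.fromstring(xml_text)  # for untrusted input, parse with a hardened parser
    keyinfos = list(root.iter(DS + "KeyInfo"))
    if not keyinfos:
        return "no-keyinfo"            # verifier can only use the key we supply
    keys = [(_to_int(rsa.findtext(DS + "Modulus")), _to_int(rsa.findtext(DS + "Exponent")))
            for ki in keyinfos for rsa in ki.iter(DS + "RSAKeyValue")]
    if not keys:
        return "unrecognized-keyinfo"  # e.g. X509Data: not handled here, treat as reject
    return "match" if all(k == pinned for k in keys) else "mismatch"

def make_sample(key=None):
    """Constructed document: signature fields are placeholders, not real values."""
    keyinfo = ""
    if key:
        keyinfo = ("<KeyInfo><KeyValue><RSAKeyValue>"
                   f"<Modulus>{_to_b64(key[0])}</Modulus><Exponent>{_to_b64(key[1])}</Exponent>"
                   "</RSAKeyValue></KeyValue></KeyInfo>")
    return ('<doc><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
            f"<SignedInfo/><SignatureValue>AAAA</SignatureValue>{keyinfo}"
            "</Signature></doc>")

# Constructed toy keys (far too small for real use)
TRUSTED = (0xC0FFEE1234567891, 65537)
OTHER = (0xBADC0DE987654321, 65537)

if __name__ == "__main__":
    for label, doc in [("signer = trusted key", make_sample(TRUSTED)),
                       ("signer = other key", make_sample(OTHER)),
                       ("KeyInfo omitted", make_sample())]:
        print(f"{label:22} -> {check_pinned_key(doc, TRUSTED)}")
```

The check does not verify the signature itself; it is meant to run alongside the verifier, with the result accepted only when verification succeeds and this check returns `match` or `no-keyinfo`.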

