[xmlsec] Potential Verify Issue

Aleksey Sanin aleksey at aleksey.com
Thu Sep 17 07:24:56 PDT 2009


xmlsec first uses information from KeyInfo and only if it is not enough
it goes to read external information from files, etc.

Aleksey

Owen Borseth wrote:
> First, awesome library and thank you for it. I'm no XML Security
> expert so I don't know if this is intended behavior or not.
> 
> When I sign an XML document and include a KeyInfo element, populated
> with my public key, it will pass verification when I do something
> like:
> 
>     xmlsec1 verify /tmp/signed.xml
> 
> I expect that. However, it also passes verification when I do
> something like the following and pass it an incorrect public key:
> 
>     xmlsec1 verify --pubkey-pem /tmp/invalid-pubkey.pem /tmp/signed.xml
> 
> Is this intended behavior? If I leave the KeyInfo element out of the
> signed document it works as I would expect and only passes
> verification if I pass it the correct public key.
> 
> Owen Borseth
> 
> Name.com LLC
> Software Engineer
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
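
An added example (not part of the thread, and not xmlsec code): because the reply says the key carried in KeyInfo is consulted before external key material, a caller who trusts only one known key can compare the embedded `ds:RSAKeyValue` with that pinned key before accepting a verification result. The function names, the toy key values and the skeleton document are constructed for illustration, and only RSA keys carried as `ds:KeyValue` are covered.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _b64_int(text):
    """Decode a ds:CryptoBinary value (base64, big-endian) to an int."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")

def _int_b64(n):
    """Encode an int as ds:CryptoBinary (used only to build the sample)."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def embedded_rsa_keys(xml_text):
    """(modulus, exponent) for each ds:RSAKeyValue inside a ds:KeyInfo."""
    keys = []
    for key_info in ET.fromstring(xml_text).iter(DS + "KeyInfo"):
        for rsa in key_info.iter(DS + "RSAKeyValue"):
            mod, exp = rsa.findtext(DS + "Modulus"), rsa.findtext(DS + "Exponent")
            # An incomplete key is recorded as None so it can never match.
            keys.append((_b64_int(mod), _b64_int(exp)) if mod and exp else None)
    return keys

def check_keyinfo(xml_text, pinned):
    """Classify a document against the pinned (modulus, exponent) pair.

    'no-keyinfo-key': nothing embedded, the verifier must use the external key
    'pinned':         every embedded key equals the pinned key
    'untrusted':      an embedded key differs, so a signature that verifies
                      under it says nothing about who signed the document
    """
    keys = embedded_rsa_keys(xml_text)
    if not keys:
        return "no-keyinfo-key"
    return "pinned" if all(k == pinned for k in keys) else "untrusted"

def sample_doc(key):
    """Constructed skeleton of a signed document (SignedInfo omitted)."""
    ki = ""
    if key:
        ki = ("<KeyInfo><KeyValue><RSAKeyValue><Modulus>%s</Modulus>"
              "<Exponent>%s</Exponent></RSAKeyValue></KeyValue></KeyInfo>"
              % tuple(_int_b64(v) for v in key))
    return ('<doc><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
            "<SignatureValue/>%s</Signature></doc>" % ki)

PINNED = (0xC5A3F1, 65537)  # constructed toy values, not a real key
if __name__ == "__main__":
    for key in (PINNED, (0xD00D01, 65537), None):
        print(key, "->", check_keyinfo(sample_doc(key), PINNED))
```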

