[xmlsec] Duplicate X509 certificates in signed template
Beard, Simon
sbeard at verisign.com
Thu Mar 18 12:00:28 PDT 2010
Hello.
I'm using the simple template below and signing with a .p12 cert. The
resulting signed template contains 2 copies of the certificate. The signed
template verifies OK. Can someone please tell me why 2 copies of the cert?
Signing with:
xmlsec --sign --output doc-signed-x509.xml --pkcs12 webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
The unsigned template:
<References>
<WidgetDigest>
<WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
</WidgetDigest>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm=
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue />
<KeyInfo>
<X509Data >
<X509Certificate/>
</X509Data>
<KeyValue />
</KeyInfo>
</Signature>
</References>
The signed template (signatures shortened):
<?xml version="1.0"?>
<References>
<WidgetDigest>
<WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
</WidgetDigest>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>3f5hn9NUkmRENNQb8SyrI5BsRsc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq
m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
<X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>
wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</References>
Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
Regards
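
A check for the condition reported in this message, as an added example that is not part of the original post and not xmlsec code: it counts byte-identical X509Certificate entries inside each X509Data element by hashing the decoded bytes, so copies with different base64 line wrapping still match. The function name and the sample document are assumptions, and the certificate values in the sample are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import Counter

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"


def duplicate_certs(xml_text):
    """Map SHA-256 of the decoded bytes to the copy count, for every certificate
    that appears more than once inside a single ds:X509Data element."""
    dupes = {}
    for x509data in ET.fromstring(xml_text).iter(DSIG + "X509Data"):
        seen = Counter()
        for cert in x509data.findall(DSIG + "X509Certificate"):
            # Copies may be line-wrapped differently, so strip whitespace and
            # compare the decoded bytes rather than the element text.
            b64 = "".join((cert.text or "").split())
            if not b64:
                continue  # empty placeholder, as in an unsigned template
            der = base64.b64decode(b64, validate=True)
            seen[hashlib.sha256(der).hexdigest()] += 1
        dupes.update({fp: n for fp, n in seen.items() if n > 1})
    return dupes


# Constructed sample: placeholder byte strings stand in for certificates.
CERT_A = b"constructed placeholder A, not a real certificate"
CERT_B = b"constructed placeholder B, not a real certificate"
A64 = base64.b64encode(CERT_A).decode()
B64 = base64.b64encode(CERT_B).decode()

SAMPLE = f"""<References>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyInfo>
<X509Data>
<X509Certificate>{A64}</X509Certificate>
<X509Certificate>{A64[:20]}
{A64[20:]}</X509Certificate>
<X509Certificate>{B64}</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</References>"""

if __name__ == "__main__":
    for fingerprint, count in duplicate_certs(SAMPLE).items():
        print(f"{count} copies of certificate sha256={fingerprint}")
```

Run it against the actual signed file rather than the shortened listing above, whose elided certificate values are not valid base64.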