[xmlsec] Duplicate X509 certificates in signed template

Aleksey Sanin aleksey at aleksey.com
Thu Mar 18 16:41:21 PDT 2010


OK, I see it too. I believe the problem is in the PKCS12_parse()
function in the newer versions of openssl. The documentation
states (http://www.openssl.org/docs/crypto/PKCS12_parse.html,
highlighting is mine):

   If successful the private key will be written to *pkey, the
   corresponding certificate to *cert and *any additional* certificates
   to *ca.

In reality, the function returns in the "ca" *all* the certificates
including the one it is already returned in "cert". I believe the older
version of openssl didn't return the "cert" in "ca" and xmlsec
manually adds it to the chain.

Let me see if I can workaround this and provide fall back for the
older openssl versions.

Aleksey


On 3/18/2010 12:00 PM, Beard, Simon wrote:
> Hello.
>
> I’m using the simple template below and signing with a .p12 cert. The
> resulting signed template contains 2 copies of the certificate. The
> signed template verifies OK. Can someone please tell me why 2 copies of
> the cert?
>
> Signing with: xmlsec --sign --output doc-signed-x509.xml --pkcs12
> webeca.p12 --pwd webeca --trusted-pem webeca-cert.pem doc-x509.xml
>
> The unsigned template:
>
> <References>
>
> <WidgetDigest>
>
> <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
>
> </WidgetDigest>
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> <SignedInfo>
>
> <CanonicalizationMethod Algorithm=
>
> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>
> <Reference URI="">
>
> <Transforms>
>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>
> </Transforms>
>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>
> <DigestValue></DigestValue>
>
> </Reference>
>
> </SignedInfo>
>
> <SignatureValue />
>
> <KeyInfo>
>
> <X509Data >
>
> <X509Certificate/>
>
> </X509Data>
>
> <KeyValue />
>
> </KeyInfo>
>
> </Signature>
>
> </References>
>
> The signed template (signatures shortened) :
>
> <?xml version="1.0"?>
>
> <References>
>
> <WidgetDigest>
>
> <WidgetDigestValue>U0hBMShyZWFkZXIuemlwKT0gNDliNzk0YzQwZWE4M2U0MzIwYmNhMTZmZmI3NDgwMzdmYjk1Yzc3Ngo=</WidgetDigestValue>
>
> </WidgetDigest>
>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> <SignedInfo>
>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>
> <Reference URI="">
>
> <Transforms>
>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>
> </Transforms>
>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <DigestValue>3f5hn9NUkmRENNQb8SyrI5BsRsc=</DigestValue>
>
> </Reference>
>
> </SignedInfo>
>
> <SignatureValue>mWBNeWDF/d6ViD+9c57TtCurzgZpo6JALP6FzAaA9tfhmvll2OiIMa/sv54OgEUq
>
> m45kJyinZ2mZB3PnPMWKCgN7TdXD4Tte6443PvFFSD8tkRSv8IZ2Tlw+l2QhOcCI
>
> wOskLMZYsB2x9WoZbaDoL6C/3aUfRW2Q1UOf0v5etnU=</SignatureValue>
>
> <KeyInfo>
>
> <X509Data>
>
> <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
>
> <X509Certificate>MIIC7zCCAligAwIBAgIJAKXDi....3d+2Ho=</X509Certificate>
>
> </X509Data>
>
> <KeyValue>
>
> <RSAKeyValue>
>
> <Modulus>
>
> wHpNgxrkRfmIpCsp+cgAvtCrN9qndDc7uqRuliV6FzyXyhE1Ux3iYNBpz7ZdcEsQ
>
> tkW12J7OpS+PddvM9bTydvLD2lZdxrzUBHnANQwy0QDKhs35zXyCcHKW20Ao+DNu
>
> qlWIVkA6UL8vbg4RvepQnt0ZKiNTHQUYXrNSsxR3zgk=
>
> </Modulus>
>
> <Exponent>
>
> AQAB
>
> </Exponent>
>
> </RSAKeyValue>
>
> </KeyValue>
>
> </KeyInfo>
>
> </Signature>
>
> </References>
>
> Windows libraries and executables from: ftp://ftp.zlatkovic.com/libxml/
>
> Regards
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec


More information about the xmlsec mailing list