[xmlsec] Signing with X509 certificate using mscrypto provider

Aleksey Sanin aleksey at aleksey.com
Tue Apr 20 15:32:31 PDT 2010

> Thanks for the tip. I investigated it a little bit and in general both
> ways you suggested work. The only glitch is that this doesn't work if I
> use non-ASCII characters in the name. This is a problem because certificates
> here in Czech usually contain first and last name inside certificate
> subject and there are almost always some characters with accents.

Yeah, xmlsec utility is smart enough to convert command line parameters
from code page to utf8 as expected on Windows. I'll take a look, should
be a trivial fix.

> So it seems that there is a bug related to processing non-ASCII
> characters. Also if I ask for certificate subject and issuer in a
> signature template and these fields contain non-ASCII characters, I get
> the following error from xmlsec:
> output error : invalid character value
> output error : string is not in UTF-8

This is not a bug. By default, all data in an XML file are expected to be
in UTF8 encoding. If you use a different encoding, then you need to
specify the encoding you use in the XML prolog.

> Should I record this in the Bugzilla or is it sufficient to report it here?
> As a workaround I have tried to escape accented characters, i.e. use:
> serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing.
> Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ
> instead of
> SERIALNUMBER=P111870,CN=Ing. Jiří Kosek,OU=1,O=Ing. Jiří Kosek [IČ
> 71612998],C=CZ

Good workaround!

> I don't know whether this escaping is syntactically correct from an X.509
> point of view, but I have seen it in output of message signed with
> openssl provider. Anyway this has not been working.
> But a working solution is to set "friendly name" to use non-ASCII
> characters. This is a small burden to user, but it works for now. Many
> thanks for this tip.

I believe you should be able to make it work through template by either
converting names to utf8 or specifying encoding for the xml file.
I'll also take a look at command line parameters conversion :)
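
The escaping quoted in the workaround above, and the UTF-8 check behind the "string is not in UTF-8" error, as an added example that is not part of the original message or of xmlsec. Each non-ASCII character is written as backslash-hex pairs of its UTF-8 bytes (the RFC 4514 string form); the function names are hypothetical and cp1250 is an assumed Windows code page for the Czech sample.

```python
import re

def escape_dn_non_ascii(dn: str) -> str:
    """Write each non-ASCII character as backslash-hex pairs of its UTF-8 bytes."""
    out = []
    for ch in dn:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend("\\%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)

# An escaped backslash is matched first and left alone. Only pairs with the
# high bit set (0x80-0xFF) are decoded, so escaped ASCII specials such as
# \2C (comma) keep protecting the DN structure.
_TOKEN = re.compile(r"\\\\|((?:\\[89A-Fa-f][0-9A-Fa-f])+)")

def unescape_dn_non_ascii(dn: str) -> str:
    """Inverse of escape_dn_non_ascii; raises UnicodeDecodeError on bad UTF-8."""
    def decode(match):
        if match.group(1) is None:
            return match.group(0)
        return bytes.fromhex(match.group(1).replace("\\", "")).decode("utf-8")
    return _TOKEN.sub(decode, dn)

def is_valid_utf8(data: bytes) -> bool:
    """True if the bytes decode as UTF-8, the default an XML parser assumes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def recode_to_utf8(data: bytes, codepage: str = "cp1250") -> bytes:
    """Re-encode code-page text as UTF-8 (code page is an assumption)."""
    return data.decode(codepage).encode("utf-8")

# Subject DN taken from the message above.
SUBJECT = ("SERIALNUMBER=P111870,CN=Ing. Jiří Kosek,OU=1,"
           "O=Ing. Jiří Kosek [IČ 71612998],C=CZ")

if __name__ == "__main__":
    print(escape_dn_non_ascii(SUBJECT))
    legacy = "Jiří".encode("cp1250")  # constructed sample: name in a code page
    print(is_valid_utf8(legacy), is_valid_utf8(recode_to_utf8(legacy)))
```
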

