[xmlsec] Signing with X509 certificate using mscrypto provider

Roumen Petrov xmlsec at roumenpetrov.info
Tue Apr 20 16:22:22 PDT 2010

Jirka Kosek wrote:
> Aleksey Sanin wrote:
>>> Thanks for the tip. I investigated it little bit and in general both
>>> ways you suggested work. The only glitch is that this doesn't work if I
>>> use non-ASCII characters in name. This is problem because certificates
>>> here in Czech usually contain first and last name inside certificate
>>> subject and there are almost always some characters with accents.
>> Yeah, xmlsec utility is smart enough to convert command line parameters
>> from code page to utf8 as expected on windows. I'll take a look, should
>> be trivial fix.
> I haven't used command line parameters, but signature template file in XML.
>>> So it seems that there is a bug related to processing non-ASCII
>>> characters. Also if I ask for certificate subject and issuer in a
>>> signature template and these fields contain non-ASCII characters, I get
>>> the following error from xmlsec:
>>> output error : invalid character value
>>> output error : string is not in UTF-8
>> This is not a bug. By default, all data in XML file are expected to be
>> in UTF8 encoding. If you use different encoding, then you need to
>> specify the encoding you use in XML prolog.
> Then there is probably another problem. My files were in UTF-8 with
> proper<?xml version="1.0" encoding="utf-8"?>  declaration. But xmlsec
> was unable to find matching key (last error msg=Cannot find object or
> property). I even tried to escape Czech characters using&#...;
> notation, but without success.
> I'm not familiar with xmlsec internals, but I suppose that it uses
> libxml2 for parsing, so input encoding should be converted to UTF-8 for
> in-memory storage. So encoding of XML file shouldn't matter?
>>> As a workaround I have tried to escape accented characters, i.e. use:
>>> serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing.
>>> Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ
>> Good workaround!
> Unfortunatelly, it was *not working*.

I'm not sure that crypto libraries understand "escaping".

>> I believe you should be able to make it work through template by either
>> converting names to utf8 or specifying encoding for the xml file.
> Still no success, but many thanks for help.
> 				Jirka

May be issue is with conversion in MultiByteToWideChar. No Idea why is 
CP_ACP and I don't know enough how portable is CP_UTF8 for windows OS-es.


More information about the xmlsec mailing list