[xmlsec] Signing with X509 certificate using mscrypto provider

Aleksey Sanin aleksey at aleksey.com
Fri Apr 23 21:54:52 PDT 2010


Thanks a lot for sending me the example certs! Could you
please try one more version?


The problem was caused by the difference in the certificates:
one that worked has subject encoded in Unicode

CN=\x00J\x00i\x01Y\x00\xED\x00 \x00N\x00o\x00v\x00\xE1\x00k

and one that did not work has subject encoded in UTF8:

C=CZ, O=12345678 [I\xC4\x8C ], OU=1, CN=Ji\xC5\x99\xC3\xAD

Unfortunately, MSCrypto is not smart enough to always normalize
the certificate subjects in its internal store and I had to add
one more option in the certificate search chain: try with UTF8
encoded subject.

Hope it covers all the cases now :)


On 4/23/2010 7:19 AM, Aleksey Sanin wrote:
> Yes, it should. Any chance you can generate an example cert for me
> to test it?
> Aleksey
> On 4/23/2010 1:33 AM, Jirka Kosek wrote:
>> Aleksey Sanin wrote:
>>>> <KeyName>CN=Jiří Novák</KeyName>
>>>> still doesn't work. So it seems that there is still some encoding issue
>>>> in dealing with certificate subjects.
>>> Don't ask me "why", I know but can't explain :)
>>> And one more try... hopefully the last one
>> Many thanks, it works now for self signed certificates.
>> I don't know whether it is related to this bug or whether this is a
>> separate issue, but xmlsec is still unable to find real issued
>> certificates with subject like:
>> SERIALNUMBER=P111870, CN=Ing. Jiří Kosek, OU=1, O=Ing. Jiří Kosek [IČ
>> 71612998], C=CZ
>> Is this supposed to work?
>> Jirka
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
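
Added example (not part of the original thread and not xmlsec or MSCrypto code): a Python sketch of why a byte-wise subject match fails when the same CN is stored as a BMPString (UTF-16BE) in one certificate and as a UTF8String in another, and how decoding by ASN.1 tag before comparing avoids it. This is a different technique from the extra UTF8 search step described in the message; the function names are hypothetical and only short-form DER lengths are handled.

```python
import unicodedata

# ASN.1 universal tags for the string types relevant here
UTF8_STRING, PRINTABLE_STRING, BMP_STRING = 0x0C, 0x13, 0x1E
CODECS = {UTF8_STRING: "utf-8", PRINTABLE_STRING: "ascii", BMP_STRING: "utf-16-be"}


def encode_der_string(tag: int, text: str) -> bytes:
    """Encode text as a DER string TLV (short-form length only, < 128 bytes)."""
    value = text.encode(CODECS[tag])
    if len(value) > 127:
        raise ValueError("long-form DER lengths are not handled in this sketch")
    return bytes([tag, len(value)]) + value


def decode_der_string(tlv: bytes) -> str:
    """Decode a DER string TLV to text, choosing the codec from its tag."""
    if len(tlv) < 2 or tlv[1] > 127 or len(tlv) != 2 + tlv[1]:
        raise ValueError("malformed or unsupported TLV")
    if tlv[0] not in CODECS:
        raise ValueError(f"unsupported string tag 0x{tlv[0]:02x}")
    return tlv[2:].decode(CODECS[tlv[0]])


def same_attribute_value(a: bytes, b: bytes) -> bool:
    """Compare two encoded values by content rather than by raw bytes."""
    norm = lambda tlv: unicodedata.normalize("NFC", decode_der_string(tlv))
    return norm(a) == norm(b)


# Constructed sample: the CN from the thread ("Jiří Novák"), written with
# escapes so the source file's own encoding cannot alter it.
CN = "Ji\u0159\u00ed Nov\u00e1k"
cn_bmp = encode_der_string(BMP_STRING, CN)
cn_utf8 = encode_der_string(UTF8_STRING, CN)

if __name__ == "__main__":
    print(cn_bmp.hex(" "))
    print(cn_utf8.hex(" "))
    print("raw bytes equal:     ", cn_bmp == cn_utf8)
    print("decoded values equal:", same_attribute_value(cn_bmp, cn_utf8))
```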
