[xmlsec] Signing with X509 certificate using mscrypto provider

Aleksey Sanin aleksey at aleksey.com
Fri Apr 23 21:54:52 PDT 2010


Jirka,

Thanks a lot for sending me the example certs! Could you
please try one more version?

http://www.aleksey.com/public/xmlsec-20100423.tar.gz

The problem was caused by the difference in the certificates:
one that worked has subject encoded in Unicode

CN=\x00J\x00i\x01Y\x00\xED\x00 \x00N\x00o\x00v\x00\xE1\x00k

and one that did not work has subject encoded in UTF8:

C=CZ, O=12345678 [I\xC4\x8C ], OU=1, CN=Ji\xC5\x99\xC3\xAD Nov\xC3\xA1k/serialNumber=P123456/title=Title

Unfortunately, MSCrypto is not smart enough to always normalize
the certificate subjects in its internal store and I had to add
one more option in the certificate search chain: try with UTF8
encoded subject.

Hope it covers all the cases now :)

Aleksey


On 4/23/2010 7:19 AM, Aleksey Sanin wrote:
> Yes, it should. Any chance you can generate an example cert for me
> to test it?
>
> Aleksey
>
>
> On 4/23/2010 1:33 AM, Jirka Kosek wrote:
>> Aleksey Sanin wrote:
>>
>>>> <KeyName>CN=Jiří Novák</KeyName>
>>>>
>>>> still doesn't work. So it seems that there is still some encoding issue
>>>> in dealing with certificate subjects.
>>>
>>> Don't ask me "why", I know but can't explain :)
>>>
>>> And one more try... hopefully the last one
>>
>> Many thanks, it works now for self signed certificates.
>>
>> I don't know whether it is related to this bug or whether this is a
>> separate issue, but xmlsec is still unable to find real issued
>> certificates with subject like:
>>
>> SERIALNUMBER=P111870, CN=Ing. Jiří Kosek, OU=1, O=Ing. Jiří Kosek [IČ
>> 71612998], C=CZ
>>
>> Is this supposed to work?
>>
>> Jirka
>>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
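
The encoding mismatch described in the message, as an added example that is not part of the original thread and is not xmlsec or MSCrypto code: the two CN byte strings quoted above decode to the same text, but a byte-exact subject search only finds the certificate when the encoding it was stored with is in the search chain. It assumes "Unicode" means ASN.1 BMPString (UTF-16BE); `find_cert`, `der_string` and the store dictionaries are hypothetical names.

```python
# Added illustration: models the lookup fallback; not xmlsec or CryptoAPI code.
TAG_UTF8STRING = 0x0C  # ASN.1 UTF8String
TAG_BMPSTRING = 0x1E   # ASN.1 BMPString (UTF-16BE); assumed to be the mail's "Unicode"
CODECS = {TAG_BMPSTRING: "utf-16-be", TAG_UTF8STRING: "utf-8"}

# CN value bytes as quoted in the message above.
CN_BMP = b"\x00J\x00i\x01Y\x00\xED\x00 \x00N\x00o\x00v\x00\xE1\x00k"
CN_UTF8 = b"Ji\xC5\x99\xC3\xAD Nov\xC3\xA1k"
NAME = CN_UTF8.decode("utf-8")


def der_string(tag, text):
    """Encode text as a DER string TLV (short-form length only)."""
    body = text.encode(CODECS[tag])
    if len(body) > 127:
        raise ValueError("long-form DER length not handled here")
    return bytes([tag, len(body)]) + body


def find_cert(store, cn, chain=(TAG_BMPSTRING, TAG_UTF8STRING)):
    """Byte-exact lookup of cn, trying each string encoding in chain order.

    store is a hypothetical dict: encoded CN TLV -> certificate label.
    Returns (label, tag) for the first hit, or (None, None).
    """
    for tag in chain:
        label = store.get(der_string(tag, cn))
        if label is not None:
            return label, tag
    return None, None


# Constructed stores: the same CN text held under different string types.
UTF8_ONLY = {bytes([TAG_UTF8STRING, len(CN_UTF8)]) + CN_UTF8: "utf8-subject-cert"}
STORE = dict(UTF8_ONLY)
STORE[bytes([TAG_BMPSTRING, len(CN_BMP)]) + CN_BMP] = "bmp-subject-cert"

if __name__ == "__main__":
    assert CN_BMP.decode("utf-16-be") == NAME  # same text, different bytes
    # Without the UTF-8 step the byte-exact search misses the certificate.
    print(find_cert(UTF8_ONLY, NAME, chain=(TAG_BMPSTRING,)))
    # With the extra step in the chain it is found.
    print(find_cert(UTF8_ONLY, NAME))
    print(find_cert(STORE, NAME))
```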
