[xmlsec] KeyInfo node X509Data gets emptied when singing with xmlsec1

Markus Wernig public at wernig.net
Mon Mar 7 23:43:35 PST 2011


Hi Aleksey

I had tried that before. No joy, same result.

As a by-note: The same template file that produces the error on Linux
with xmlsec1 1.2.16 gets signed, X509Certificate populated and all, when
signing it with xmlsec1 v. 1.2.11 on 32 bit OpenBSD. (The only odd thing
being an extra newline that gets inserted before the node
<X509Certificate> :-)

kind regards
Markus

On 03/07/2011 09:41 PM, Aleksey Sanin wrote:
> Try
> 
> <SignatureValue>
> </SignatureValue>
> <KeyInfo>
>   <X509Data>
>   </X509Data>
> </KeyInfo>
> 
> 
> Aleksey
> 
> 
> On 3/7/11 3:49 AM, Markus Wernig wrote:
>> Hi all
>>
>> I have a problem with xmlsec1 1.2.16 (openssl), compiled on 32 bit
>> Gentoo Linux (from portage, i.e. source).
>>
>> When signing an XML document that contains a template section for the
>> X509Data of the signing certificate, the node gets cleared and an empty
>> newline is inserted instead for every subnode. The signature process
>> overall succeeds without any messages.
>>
>> I am using this command:
>> xmlsec1 --sign --pkcs12 certs/xmlsig-test.p12 --pwd testme --output
>> tmpl-signed.xml tmpl-sign.xml.
>> I have verified that the PKCS12 file contains both certificate and
>> private key.
>>
>> I have also tried any combination of --X509-skip-strict-checks,
>> --privkey-[pem|der], --pubkey-[pem|der], after extracting the cert and
>> key from the .p12. The result remains the same: valid signature, but
>> X509Data does not get populated (regardless of whether the signing CA
>> certificate is present or not)
>>
>> This is the section in question:
>>
>> Template:
>> [...]
>> <SignatureValue>
>> </SignatureValue>
>> <KeyInfo>
>>    <X509Data>
>>      <X509Certificate>
>>      </X509Certificate>
>>    </X509Data>
>> </KeyInfo>
>> [...]
>>
>> Result:
>> [...]
>> <SignatureValue>FRBI01gzAf................</SignatureValue>
>> <KeyInfo>
>>    <X509Data>
>>
>>    </X509Data>
>> </KeyInfo>
>> [...]
>>
>> I would be very grateful for any help, as I am still very new to xmlsec.
>>
>> Thanks and kind regards
>>
>> Markus
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec


More information about the xmlsec mailing list