[xmlsec] X509Certificate ordering

Kai Hendry hendry at iki.fi
Fri Jun 17 07:02:54 PDT 2011


Hi there,

Thanks for xmlsec; it basically implements
http://dev.w3.org/2006/waf/widgets-digsig/ :)

I'm signing with
http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/keys/unchained/w3c.rsa.p12
which has the pub keys:

        Subject: "CN=3.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
        Subject: "CN=2.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
        Subject: "OU=Webapps,O=W3C,ST=England,C=UK,CN=root"

The problem is that in the generated signatures the X509Certificate
elements appear in different orderings. Once I figure out the orderings, I then
write an xmlstarlet kludge to put them in the ordering I need them in:
http://tests.wacapps.net/?p=wac2tests;a=blob;f=tools/sign-widget.sh;h=a57119c5806723b3085bc881bfbb492004382ac4;hb=HEAD#l129
That ordering is 2, 3, root; that is, signer pubkey, then intermediate, then
(optionally) root.

The problem is that on different machines xmlsec seems to embed them
in different orders. On my Arch 1.2.16, it's 2,3,root. On my 1.2.14
Debian it's 2,root,3 and when I downgraded to 1.2.14 on Arch, it
became root,2,3... wtf?


You can see the ordering for yourself using http://v.wacapps.net/
and the 1.2.14 Debian-signed
http://tests.wacapps.net/2.0/core/securityprivacy/SP-2100.wgt, which
has an exception not to apply the kludge above.

I hope you can help me understand!

Kind regards,
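
An added example, not xmlsec's code and not the sign-widget.sh kludge linked above: rather than moving the certificates to fixed positions, it derives the signer/intermediate/root order from each certificate's issuer and subject, so the result is the same no matter which order xmlsec 1.2.14 or 1.2.16 emitted them in. It is Python rather than xmlstarlet, parses only the two Name fields it needs with a minimal DER reader, and runs on constructed, unsigned certificate skeletons. The chain 2.rsa issued by 3.rsa issued by root is an assumption (the message lists the subjects but not who issued whom), as is the element layout ds:KeyInfo/ds:X509Data/ds:X509Certificate.

```python
"""Added example: reorder ds:X509Certificate elements into signer -> intermediate -> root."""
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)


# --- minimal DER reader: just enough to pull issuer and subject out of a certificate ---
def _der_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_children(value):
    """Split a constructed value into [(tag, value, raw_tlv)] children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = _der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def cert_names(der):
    """Return (issuer, subject) of a DER certificate as raw Name TLV bytes."""
    _, cert, _ = _der_tlv(der)                          # Certificate ::= SEQUENCE
    fields = _der_children(_der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][2], fields[4][2]

def chain_order(certs):
    """Order DER certs leaf-first: the signer is the cert that issued none of the
    others; each cert is followed by the one whose subject equals its issuer."""
    names = {c: cert_names(c) for c in certs}
    by_subject = {subj: c for c, (_, subj) in names.items()}
    issuers = {iss for iss, subj in names.values() if iss != subj}   # ignore self-signed
    leaves = [c for c in certs if names[c][1] not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a unique signer certificate")
    ordered, cur = [], leaves[0]
    while cur is not None and cur not in ordered:
        ordered.append(cur)
        iss, subj = names[cur]
        cur = None if iss == subj else by_subject.get(iss)   # stop at a self-signed root
    if len(ordered) != len(certs):
        raise ValueError("a certificate is not part of the signer's chain")
    return ordered

def reorder_signature(xml_text):
    """Rewrite every ds:X509Data so its ds:X509Certificate children are in chain order."""
    root = ET.fromstring(xml_text)
    for x509data in list(root.iter(f"{{{DS_NS}}}X509Data")):
        elems = x509data.findall(f"{{{DS_NS}}}X509Certificate")
        if len(elems) < 2:
            continue
        by_der = {base64.b64decode("".join(e.text.split())): e for e in elems}
        for e in elems:
            x509data.remove(e)
        for der in chain_order(list(by_der)):
            x509data.append(by_der[der])
    return ET.tostring(root, encoding="unicode")


# --- constructed sample input: unsigned certificate skeletons, structurally valid DER ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """X.501 Name holding a single CN (OID 2.5.4.3) as PrintableString."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(subject_cn, issuer_cn):
    """Not a real certificate (no key, no signature): only the names matter here."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"110617000000Z") + _der(0x17, b"120617000000Z"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), alg,   # version, serial, signature
        _name(issuer_cn), validity, _name(subject_cn),              # issuer, validity, subject
        _der(0x30, alg + _der(0x03, b"\x00")),                      # empty subjectPublicKeyInfo
    ]))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

# Assumed chain (the mail lists the subjects, not who issued whom): 2.rsa <- 3.rsa <- root
CHAIN = {"2.rsa": "3.rsa", "3.rsa": "root", "root": "root"}        # subject -> issuer
CERTS = {cn: fake_cert(cn, issuer) for cn, issuer in CHAIN.items()}
_CN_OF = {der: cn for cn, der in CERTS.items()}

def sample_keyinfo(order):
    """Constructed ds:KeyInfo with the certificates embedded in the given order."""
    body = "".join(
        f"<ds:X509Certificate>{base64.b64encode(CERTS[cn]).decode()}</ds:X509Certificate>"
        for cn in order)
    return f'<ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>{body}</ds:X509Data></ds:KeyInfo>'

def embedded_order(xml_text):
    """Subject CNs of the embedded certificates in document order."""
    root = ET.fromstring(xml_text)
    return [_CN_OF[base64.b64decode(e.text)] for e in root.iter(f"{{{DS_NS}}}X509Certificate")]
```

Feed it the 1.2.14 Debian layout, `reorder_signature(sample_keyinfo(["2.rsa", "root", "3.rsa"]))`, or the Arch 1.2.14 layout `["root", "2.rsa", "3.rsa"]`, and both come out as 2.rsa, 3.rsa, root. A certificate that does not belong to the signer's chain, or two candidate signers, raises instead of being silently dropped. Note that rewriting ds:KeyInfo after signing is only safe when no Reference in ds:SignedInfo covers it; if it does, the reordering has to happen before the signature is computed.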

