[xmlsec] X509Certificate ordering
aleksey at aleksey.com
Fri Jun 17 07:18:08 PDT 2011
The order of certificates is irrelevant for the xml signature standard and xmlsec
does nothing about it.
On 6/17/11 7:02 AM, Kai Hendry wrote:
> Hi there,
> Thanks for xmlsec, it basically implements
> http://dev.w3.org/2006/waf/widgets-digsig/ :)
> I'm signing with
> which has the pub keys:
> Subject: "CN=3.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
> Subject: "CN=2.rsa,OU=Webapps,O=W3C,ST=England,C=UK"
> Subject: "OU=Webapps,O=W3C,ST=England,C=UK,CN=root"
> The problem is with the generated signatures the X509Certificate's
> appear in different orderings. Once I figure out the orderings, I then
> write an xmlstarlet kludge to put them in the ordering I need them:
> Which is, 2, 3, root, that is Signer pubkey, then intermediate, then
> (optionally) root.
> The problem is that on different machines xmlsec seems to embed them
> in different orders. On my Arch 1.2.16, it's 2,3,root. On my 1.2.14
> Debian it's 2,root,3 and when I downgraded to 1.2.14 on Arch, it
> became root,2,3... wtf?
> You can see the ordering for yourself on a using http://v.wacapps.net/
> and 1.2.14 Debian signed
> http://tests.wacapps.net/2.0/core/securityprivacy/SP-2100.wgt which
> has an exception not to apply the kludge above.
> I hope you can help me understand!
> Kind regards,
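Because the position of X509Certificate elements carries no meaning, a consumer or post-processing step can derive the signer, intermediate, root order from subject and issuer names instead of document position. The following is an added example, not part of the original thread or of xmlsec; the `Cert` tuple and `order_chain` are hypothetical names, and the issuer links between the three subjects quoted above are assumed.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str  # subject DN, compared as an opaque string
    issuer: str   # issuer DN, compared as an opaque string

def order_chain(certs):
    """Return certs leaf-first: signer, intermediates, then root if present."""
    by_subject = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError(f"duplicate subject: {c.subject}")
        by_subject[c.subject] = c
    # The leaf is the one certificate that issued none of the others.
    # A self-signed root naming itself as issuer does not count.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain = [leaves[0]]
    while True:
        cur = chain[-1]
        if cur.issuer == cur.subject:      # self-signed root ends the chain
            break
        nxt = by_subject.get(cur.issuer)
        if nxt is None:                    # root was omitted (it is optional)
            break
        if nxt in chain:
            raise ValueError("issuer loop detected")
        chain.append(nxt)
    if len(chain) != len(certs):
        raise ValueError("certificates do not form a single chain")
    # This only orders by name; signatures on each link still need verifying.
    return chain

# Constructed sample: subjects are the ones quoted in the thread,
# issuer relationships are assumed for illustration.
_SUFFIX = ",OU=Webapps,O=W3C,ST=England,C=UK"
ROOT_DN = "OU=Webapps,O=W3C,ST=England,C=UK,CN=root"
SIGNER = Cert("CN=2.rsa" + _SUFFIX, "CN=3.rsa" + _SUFFIX)
INTERMEDIATE = Cert("CN=3.rsa" + _SUFFIX, ROOT_DN)
ROOT = Cert(ROOT_DN, ROOT_DN)

if __name__ == "__main__":
    # The "2,root,3" ordering reported for 1.2.14 on Debian.
    for cert in order_chain([SIGNER, ROOT, INTERMEDIATE]):
        print(cert.subject)
```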