[xmlsec] nss -- xmlSecNssX509StoreVerify question
vmiklos at vmiklos.hu
Thu Dec 8 13:06:02 PST 2016
Context: currently we patch xmlsec in LibreOffice with
and I'm trying to find out if it would be possible to avoid that patch.
As far as I understand, using the
XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag makes this possible
when calling xmlSecDSigCtxVerify(), but I wanted to first see
xmlSecDSigCtxVerify() failing without using that flag (when the above
patch is not applied).
However, for some reason xmlSecDSigCtxVerify() doesn't fail with my test
"self-signed" certificate (when the NSS DB doesn't contain the
root/intermediate CA), even when I'm not using that flag. Reading
xmlSecNssX509StoreVerify(), it seems that it calls NSS
CERT_VerifyCertificate() with requiredUsages=0:
And when that happens, CERT_VerifyCertificate() just iterates over the
usages of the certificicate, and on each iteration it returns
("continues") early, as "i & requiredUsages" is false. The result is
that later functions like cert_CheckLeafTrust() and
cert_VerifyCertChain() are not called:
Now the question: is this expected? I'm not sure if this is a bug in
xmlsec or I generate my self-signed certificate in an incorrect way.
FWIW, here is my script to generate 1) a root CA 2) an intermediate CA
and 3) an actual certificate:
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 181 bytes
Desc: Digital signature
More information about the xmlsec