[xmlsec] nss -- xmlSecNssX509StoreVerify question

Miklos Vajna vmiklos at vmiklos.hu
Thu Dec 8 13:06:02 PST 2016


Context: currently we patch xmlsec in LibreOffice with
and I'm trying to find out if it would be possible to avoid that patch.
As far as I understand, using the
when calling xmlSecDSigCtxVerify(), but I wanted to first see
xmlSecDSigCtxVerify() failing without using that flag (when the above
patch is not applied).

However, for some reason xmlSecDSigCtxVerify() doesn't fail with my test
"self-signed" certificate (when the NSS DB doesn't contain the
root/intermediate CA), even when I'm not using that flag. Reading
xmlSecNssX509StoreVerify(), it seems that it calls NSS
CERT_VerifyCertificate() with requiredUsages=0:


And when that happens, CERT_VerifyCertificate() just iterates over the
usages of the certificicate, and on each iteration it returns
("continues") early, as "i & requiredUsages" is false. The result is
that later functions like cert_CheckLeafTrust() and
cert_VerifyCertChain() are not called:


Now the question: is this expected? I'm not sure if this is a bug in
xmlsec or I generate my self-signed certificate in an incorrect way.

FWIW, here is my script to generate 1) a root CA 2) an intermediate CA
and 3) an actual certificate:



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20161208/1bb9b652/attachment.sig>

More information about the xmlsec mailing list