[xmlsec] nss -- xmlSecNssX509StoreVerify question
aleksey at aleksey.com
Thu Dec 8 13:26:27 PST 2016
Could you please confirm that xmlsec-nss gets the key from the
certificate and not from another place?
I am not very familiar with this code unfortunately. It might
have happened that the NSS API changed since xmlsec-nss was
On 12/8/16 1:06 PM, Miklos Vajna wrote:
> Context: currently we patch xmlsec in LibreOffice with
> and I'm trying to find out if it would be possible to avoid that patch.
> As far as I understand, using the
> XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag makes this possible
> when calling xmlSecDSigCtxVerify(), but I wanted to first see
> xmlSecDSigCtxVerify() failing without using that flag (when the above
> patch is not applied).
> However, for some reason xmlSecDSigCtxVerify() doesn't fail with my test
> "self-signed" certificate (when the NSS DB doesn't contain the
> root/intermediate CA), even when I'm not using that flag. Reading
> xmlSecNssX509StoreVerify(), it seems that it calls NSS
> CERT_VerifyCertificate() with requiredUsages=0:
> And when that happens, CERT_VerifyCertificate() just iterates over the
> usages of the certificate, and on each iteration it returns
> ("continues") early, as "i & requiredUsages" is false. The result is
> that later functions like cert_CheckLeafTrust() and
> cert_VerifyCertChain() are not called:
> Now the question: is this expected? I'm not sure if this is a bug in
> xmlsec or I generate my self-signed certificate in an incorrect way.
> FWIW, here is my script to generate 1) a root CA 2) an intermediate CA
> and 3) an actual certificate:
> xmlsec mailing list
> xmlsec at aleksey.com