INTEGRATION: CWS xmlsec13 (1.1.2); FILE ADDED

2005/10/27 12:36:49 jl 1.1.2.3: #54495# 2005/10/25 14:42:11 jl 1.1.2.2: #54495# 2005/10/24 15:39:31 jl 1.1.2.1: #i54495#

INTEGRATION: CWS xmlsec13 (1.1.2); FILE ADDED
2005/10/27 12:36:49 jl 1.1.2.3: #54495# 2005/10/25 14:42:11 jl 1.1.2.2: #54495# 2005/10/24 15:39:31 jl 1.1.2.1: #i54495#
c3be06d8 · Rüdiger Timm · c4b7ef3e · c3be06d8
Kaydet (Commit) c3be06d8 authored Kas 11, 2005 tarafından Rüdiger Timm
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

readme.txt libxmlsec/readme.txt +24 -0

No files found.
--- a/libxmlsec/readme.txt
+++ b/libxmlsec/readme.txt
+The XML Security library has been modified, so that there is NO verification
+of the certificate during sign or verification operation. On Windows this was 
+done in the function xmlSecMSCryptoX509StoreVerify (file 
+src/mscrypto/x509vfy.c) and on UNIX in xmlSecNssX509StoreVerify 
+(file src/nss/x509vfy.c).
+This change requires that the XML Signature contains in 
+Signature/KeyInfo/X509Data only entries which represent the same 
+certificate.
+The implementation creates certificates from all of the X509Data children
+(X509IssuerSerial, X509Certificate) and used to iterate over all certificates,
+verify them and return the first "good" certificate. Now the first one is 
+used.
+The X509IssuerSerial information is used by XML Security Library to find the 
+certificate in the certificate store on the machine. The X509Certificate entry
+is used to create a certificate no matter if this is already contained in the
+certificate store.
+Do not forget: Suggest to XML Security Library to provide a way to carry out 
+signature operations without verification of certificates. There is flag
+XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set in a 
+xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file src/nss/x509.c),
+which indicates such a possibility but it does not work.