author Rüdiger Timm <rt@openoffice.org> 2005-11-11 08:04:23 +0000
committer Rüdiger Timm <rt@openoffice.org> 2005-11-11 08:04:23 +0000
commit c3be06d8e215e45e6532655193a3dc262f181dba (patch)
tree 4eec1e9d704b731e46ee8bd2a48d37cce8e7dc66 /libxmlsec
parent c4b7ef3eb32f6c394ac9dd865a1ba804d56dbc49 (diff)
INTEGRATION: CWS xmlsec13 (1.1.2); FILE ADDED
2005/10/27 12:36:49 jl 1.1.2.3: #54495#
2005/10/25 14:42:11 jl 1.1.2.2: #54495#
2005/10/24 15:39:31 jl 1.1.2.1: #i54495#
Diffstat (limited to 'libxmlsec')
-rw-r--r-- libxmlsec/readme.txt 24
1 files changed, 24 insertions, 0 deletions
diff --git a/libxmlsec/readme.txt b/libxmlsec/readme.txt
new file mode 100644
index 000000000000..6217aef908a7
--- /dev/null
+++ b/libxmlsec/readme.txt
@@ -0,0 +1,24 @@
+The XML Security library has been modified, so that there is NO verification
+of the certificate during sign or verification operation. On Windows this was
+done in the function xmlSecMSCryptoX509StoreVerify (file
+src/mscrypto/x509vfy.c) and on UNIX in xmlSecNssX509StoreVerify
+(file src/nss/x509vfy.c).
+
+This change requires that the XML Signature contains in
+Signature/KeyInfo/X509Data only entries which represent the same
+certificate.
+The implementation creates certificates from all of the X509Data children
+(X509IssuerSerial, X509Certificate) and used to iterate over all certificates,
+verify them and return the first "good" certificate. Now the first one is
+used.
+
+The X509IssuerSerial information is used by XML Security Library to find the
+certificate in the certificate store on the machine. The X509Certificate entry
+is used to create a certificate no matter if this is already contained in the
+certificate store.
+
+Do not forget: Suggest to XML Security Library to provide a way to carry out
+signature operations without verification of certificates. There is flag
+XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set in a
+xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file src/nss/x509.c),
+which indicates such a possibility but it does not work.
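Review bot: The readme documents that certificate verification is switched off entirely in xmlSecMSCryptoX509StoreVerify and xmlSecNssX509StoreVerify, but it never says where the trust decision is made instead; with this change a signature whose X509Certificate entry carries an untrusted, expired or revoked certificate will still verify, so the readme should name the caller that is now responsible for checking the certificate against the store (or state plainly that the application must do so) before a verified signature is treated as valid. The second paragraph requires that all X509Data children "represent the same certificate", yet "Now the first one is used" implies nothing enforces it; either document that an X509Data mixing different certificates silently selects the first, or add a check that the certificates built from X509IssuerSerial and X509Certificate match and fail the operation otherwise. The "Do not forget" paragraph about XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS is a to-do item rather than documentation: track it against #i54495 from the commit message instead, and if the flag genuinely has no effect, record which code path ignores it so the local patch can be dropped once upstream fixes it.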