From dd929dd089abb86bc2206bc9749722682c70f3f1 Mon Sep 17 00:00:00 2001 From: Josh Heidenreich Date: Thu, 9 Feb 2012 13:42:42 +1030 Subject: Added and improved READMEs for modules whihc used to be in libs-extern --- libxmlsec/README | 34 ++++++++++++++++++++++++++++++++++ libxmlsec/readme.txt | 32 -------------------------------- 2 files changed, 34 insertions(+), 32 deletions(-) create mode 100644 libxmlsec/README delete mode 100644 libxmlsec/readme.txt (limited to 'libxmlsec') diff --git a/libxmlsec/README b/libxmlsec/README new file mode 100644 index 000000000000..2484bf2300e4 --- /dev/null +++ b/libxmlsec/README @@ -0,0 +1,34 @@ +XML signing, etc. From [http://www.aleksey.com/xmlsec/]. Heavily patched. + +The XML Security library has been modified, so that there is NO verification of +the certificate during sign or verification operation. On Windows this was done +in the function xmlSecMSCryptoX509StoreVerify (file src/mscrypto/x509vfy.c) and +on UNIX in xmlSecNssX509StoreVerify (file src/nss/x509vfy.c). + +The implementation creates certificates from all of the X509Data children, such +as X509IssuerSerial and X509Certificate and stores them in a certificate store +(see xmlsec/src/mscrypto/x509.c:xmlSecMSCryptoX509DataNodeRead). It must then +find the certificate containing the public key which is used for validation +within that store. This is done in xmlSecMSCryptoX509StoreVerify. This function +however only takes those certificates into account which can be validated. This +was changed by the patch xmlsec1-noverify.patch, which prevents this certificate +validation. + +xmlSecMSCryptoX509StoreVerify iterates over all certificates contained or +referenced in the X509Data elements and selects one which is no issuer of any of +the other certificates. This certificate is not necessarily the one which was +used for signing but it must contain the proper validation key, which is +sufficient to validate the signature. See +http://www.w3.org/TR/xmldsig-core/#sec-X509Data +for details. + +There is a flag XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set +in a xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file +src/nss/x509.c), which indicates that one can turn off the validation. However, +setting it will cause that the validation key is not found. If the flag is set, +then the key is not extracted from the certificate store which contains all the +certificates of the X509Data elements. In other words, the certificates which +are delivered within the XML signature are not used when looking for suitable +validation key. + + diff --git a/libxmlsec/readme.txt b/libxmlsec/readme.txt deleted file mode 100644 index 55c6976f51f3..000000000000 --- a/libxmlsec/readme.txt +++ /dev/null @@ -1,32 +0,0 @@ -The XML Security library has been modified, so that there is NO verification of -the certificate during sign or verification operation. On Windows this was done -in the function xmlSecMSCryptoX509StoreVerify (file src/mscrypto/x509vfy.c) and -on UNIX in xmlSecNssX509StoreVerify (file src/nss/x509vfy.c). - -The implementation creates certificates from all of the X509Data children, such -as X509IssuerSerial and X509Certificate and stores them in a certificate store -(see xmlsec/src/mscrypto/x509.c:xmlSecMSCryptoX509DataNodeRead). It must then -find the certificate containing the public key which is used for validation -within that store. This is done in xmlSecMSCryptoX509StoreVerify. This function -however only takes those certificates into account which can be validated. This -was changed by the patch xmlsec1-noverify.patch, which prevents this certificate -validation. - -xmlSecMSCryptoX509StoreVerify iterates over all certificates contained or -referenced in the X509Data elements and selects one which is no issuer of any of -the other certificates. This certificate is not necessarily the one which was -used for signing but it must contain the proper validation key, which is -sufficient to validate the signature. See -http://www.w3.org/TR/xmldsig-core/#sec-X509Data -for details. - -There is a flag XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set -in a xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file -src/nss/x509.c), which indicates that one can turn off the validation. However, -setting it will cause that the validation key is not found. If the flag is set, -then the key is not extracted from the certificate store which contains all the -certificates of the X509Data elements. In other words, the certificates which -are delivered within the XML signature are not used when looking for suitable -validation key. - - -- cgit