lsh123 / xmlsec

XML Security Library

xmlsec1 verify does not seem to flag any error when the certificate used for signing the XML is expired #703

Closed reenathomas18 closed 10 months ago

reenathomas18 commented 10 months ago

Version used (xmlsec1 --version): xmlsec1 1.2.29 (openssl)

Platform used (uname -mrs): FreeBSD 13.0-RELEASE-p13 amd64

Command used: /usr/local/bin/xmlsec1 --verify --pubkey-cert-pem KVC.crt license.xml

Description

KVC.crt is the certificate used for signing; it has expired, with the dates below:
Not Before: Dec 1 23:23:45 2011 GMT
Not After : Nov 28 23:23:45 2021 GMT

The license XML file is still valid, with the dates below:
begin_date Tue Oct 11 15:40:18 2022 GMT
end_date Mon Sep 18 15:39:58 2028 GMT

Expected Output: We are expecting the xmlsec1 command to fail since the certificate used for signing has expired. We had tried different combinations with "--verification-time" but to no avail; it always passes even when the signing certs are expired.

Actual Output:
/usr/local/bin/xmlsec1 --verify --pubkey-cert-pem KVC.crt license.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Note: We are unable to attach the license files as they are enterprise specific that is chargeable and confidential.

lsh123 commented 10 months ago

See issue #558: xmlsec 1.2.29 only verifies certificates in the XML file. However, the xmlsec 1.3.0 release added the '--verify-keys' command line option to also verify keys / certs given on the command line for openssl (current release is 1.3.1), and support for other crypto libraries is already implemented and will be included in the next release.
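The gap described in the comment above (xmlsec 1.2.x checks only certificates embedded in the XML, so a certificate supplied with --pubkey-cert-pem is never checked against its validity period) can be closed from the calling side on 1.2.x by validating that certificate first. The script below is an added illustration and is not code from the xmlsec project or from this issue: it uses `openssl verify -attime` to reject the signing certificate when it is outside its notBefore/notAfter window at a given instant, and only then runs xmlsec1. The function names, the separate CA-file argument and the self-signed certificate used in the check are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not xmlsec project code. Pre-checks the signing certificate's
# validity period before calling xmlsec1 1.2.x, which does not check a
# certificate passed with --pubkey-cert-pem. Function names, the CAFILE
# argument and the self-signed test setup are assumptions for this example.

# verify_cert_at CERT CAFILE EPOCH
# Succeeds only if CERT chains to CAFILE and is inside its notBefore/notAfter
# window at Unix time EPOCH. For a self-signed certificate pass it as its own
# CAFILE. EPOCH plays the role that --verification-time plays in xmlsec1.
verify_cert_at() {
    cert=$1 cafile=$2 at=$3
    openssl verify -CAfile "$cafile" -attime "$at" "$cert" >/dev/null 2>&1
}

# verify_signed_xml CERT CAFILE XML
# Rejects the document outright (exit status 2) when the signing certificate
# is not valid right now; otherwise defers to xmlsec1, whose own exit status
# is returned. Status 2 lets a caller tell "bad certificate" from
# "bad signature" (xmlsec1 returns 1 for a failed verification).
verify_signed_xml() {
    cert=$1 cafile=$2 xml=$3
    now=$(date +%s)
    if ! verify_cert_at "$cert" "$cafile" "$now"; then
        echo "signing certificate $cert is not valid at $now" >&2
        return 2
    fi
    # On xmlsec 1.3.0+ with the openssl backend, adding --verify-keys makes
    # xmlsec1 itself verify keys/certs given on the command line; the
    # pre-check above is what covers 1.2.x.
    xmlsec1 --verify --pubkey-cert-pem "$cert" "$xml"
}

# Usage (assumed file names):
#   verify_signed_xml KVC.crt ca.pem license.xml
# With the expired KVC.crt from this issue the pre-check fails and the
# function returns 2 without ever invoking xmlsec1.
```

`openssl verify` checks the whole validity window (notBefore and notAfter) at the supplied instant and also that the certificate chains to CAFILE, which is what you want before trusting it as a signing key; `openssl x509 -checkend` would only cover expiry.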

lsh123 commented 10 months ago

Closing since there are no follow-ups. Please re-open if you still have questions.