The XML Security library has been modified so that there is NO verification of
the certificate during sign or verification operations. On Windows this was done
in the function xmlSecMSCryptoX509StoreVerify (file src/mscrypto/x509vfy.c) and
on UNIX in xmlSecNssX509StoreVerify (file src/nss/x509vfy.c).

The implementation creates certificates from all of the X509Data children, such
as X509IssuerSerial and X509Certificate, and stores them in a certificate store
(see xmlsec/src/mscrypto/x509.c:xmlSecMSCryptoX509DataNodeRead). It must then
find, within that store, the certificate containing the public key which is used
for validation. This is done in xmlSecMSCryptoX509StoreVerify. That function,
however, only takes into account those certificates which can be validated. This
was changed by the patch xmlsec1-noverify.patch, which prevents this certificate
validation.

xmlSecMSCryptoX509StoreVerify iterates over all certificates contained or
referenced in the X509Data elements and selects one which is not the issuer of
any of the other certificates. This certificate is not necessarily the one which
was used for signing, but it must contain the proper validation key, which is
sufficient to validate the signature. See
http://www.w3.org/TR/xmldsig-core/#sec-X509Data
for details.

There is a flag XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set
in a xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file
src/nss/x509.c), which can be used to turn off the validation. However,
setting it causes the validation key not to be found. If the flag is set,
then the key is not extracted from the certificate store which contains all the
certificates of the X509Data elements. In other words, the certificates which
are delivered within the XML signature are not used when looking for a suitable
validation key.
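The certificate selection rule described above for xmlSecMSCryptoX509StoreVerify, as an added illustration that is not code from xmlsec or from this patch: each X509Data certificate is modelled only by its subject and issuer names (constructed sample values), and the one that issues none of the others is picked as the carrier of the validation key. Like the patched store, it performs no chain verification at all.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one X509Data child: the certificate's subject
 * and issuer names. Real xmlsec works on parsed X.509 objects; this
 * stand-in only reproduces the selection rule described above. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* Return the index of the first certificate that is not the issuer of
 * any other certificate in the set (the leaf that carries the
 * validation key), or -1 if every certificate issues another one. */
int select_leaf(const cert_t *certs, int n) {
    for (int i = 0; i < n; i++) {
        int is_issuer = 0;
        for (int j = 0; j < n; j++) {
            if (i != j && strcmp(certs[i].subject, certs[j].issuer) == 0) {
                is_issuer = 1;
                break;
            }
        }
        if (!is_issuer)
            return i;
    }
    return -1;
}

/* Constructed sample chain root -> intermediate -> leaf, listed in the
 * arbitrary order an X509Data element might deliver them. */
static const cert_t sample_chain[] = {
    { "CN=Example Intermediate CA", "CN=Example Root CA" },
    { "CN=signer@example.org",      "CN=Example Intermediate CA" },
    { "CN=Example Root CA",         "CN=Example Root CA" },
};

int main(void) {
    int idx = select_leaf(sample_chain, 3);
    if (idx < 0) { puts("no leaf certificate found"); return 1; }
    printf("validation key taken from: %s\n", sample_chain[idx].subject);
    return 0;
}
```

Because nothing here validates a chain, a set of unrelated certificates simply yields the first one that issues no other; that is the state the unverified store leaves the caller in.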