The XML Security library has been modified so that there is NO verification of
the certificate during the sign or verify operation. On Windows this was done
in the function xmlSecMSCryptoX509StoreVerify (file src/mscrypto/x509vfy.c) and
on UNIX in xmlSecNssX509StoreVerify (file src/nss/x509vfy.c).

The implementation creates certificates from all of the X509Data children, such
as X509IssuerSerial and X509Certificate, and stores them in a certificate store
(see xmlsec/src/mscrypto/x509.c:xmlSecMSCryptoX509DataNodeRead). It must then
find, within that store, the certificate containing the public key which is
used for validation. This is done in xmlSecMSCryptoX509StoreVerify. Unpatched,
this function only takes into account those certificates which can be
successfully validated. This was changed by the patch xmlsec1-noverify.patch,
which removes this certificate validation.

xmlSecMSCryptoX509StoreVerify iterates over all certificates contained in or
referenced by the X509Data elements and selects one which is not the issuer of
any of the other certificates. This certificate is not necessarily the one
which was used for signing, but it must contain the proper validation key,
which is sufficient to validate the signature. See
http://www.w3.org/TR/xmldsig-core/#sec-X509Data
for details. With the patch applied, the signature is therefore checked against
whatever leaf certificate the signed document itself carries; trust in that
certificate has to be established by the calling application.

There is a flag XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set
in an xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead in file
src/nss/x509.c) which turns off the validation. However, setting it causes the
validation key not to be found: if the flag is set, the key is not extracted
from the certificate store which contains all the certificates of the X509Data
elements. In other words, the certificates delivered within the XML signature
are not used when looking for a suitable validation key, so the flag is no
substitute for the patch.
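The selection rule described above (pick the certificate that issues no other
certificate in the X509Data set, then either verify its chain or, with the
noverify patch, accept it as is), as an added example written for this note. It
is not code from xmlsec or from the patch: certificates are modelled as plain
subject/issuer name pairs instead of DER structures, the trusted-root list and
the chain walk in chain_is_trusted are a simplified stand-in for the platform
verification the patch removes, and all certificate data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a parsed certificate: only the names the selection logic
 * compares. Real code compares encoded issuer/subject names (or issuer plus
 * serial), not strings. Constructed for this example. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* 1 if certs[i] is the issuer of some other certificate in the set. */
static int is_issuer_of_another(const cert_t *certs, int n, int i)
{
    for (int j = 0; j < n; j++)
        if (j != i && strcmp(certs[i].subject, certs[j].issuer) == 0)
            return 1;
    return 0;
}

/* Simplified chain check standing in for the verification the noverify
 * patch removes: follow issuer links inside the set until a certificate
 * issued by a trusted root name is reached. Depth is bounded by n so a
 * self-signed loop cannot spin forever. */
static int chain_is_trusted(const cert_t *certs, int n, int leaf,
                            const char *const *trusted, int ntrusted)
{
    int cur = leaf;
    for (int depth = 0; depth < n && cur >= 0; depth++) {
        for (int t = 0; t < ntrusted; t++)
            if (strcmp(certs[cur].issuer, trusted[t]) == 0)
                return 1;
        int next = -1;               /* locate the issuer inside the set */
        for (int j = 0; j < n; j++)
            if (j != cur && strcmp(certs[j].subject, certs[cur].issuer) == 0) {
                next = j;
                break;
            }
        cur = next;
    }
    return 0;
}

/* Select the certificate carrying the validation key: the first one that
 * issues no other certificate in the set. With verify != 0 a candidate is
 * returned only when its chain is trusted (unpatched behaviour); with
 * verify == 0 the leaf is returned unconditionally (patched behaviour).
 * Returns the index or -1 when no usable certificate exists. */
int find_validation_cert(const cert_t *certs, int n,
                         const char *const *trusted, int ntrusted, int verify)
{
    for (int i = 0; i < n; i++) {
        if (is_issuer_of_another(certs, n, i))
            continue;
        if (!verify || chain_is_trusted(certs, n, i, trusted, ntrusted))
            return i;
    }
    return -1;
}

/* Assumed trust anchor name for the example. */
static const char *const TRUSTED_ROOTS[] = { "CN=Trusted Root CA" };

/* Constructed X509Data contents: a chain anchored in the trusted root,
 * listed issuer-first to show that element order does not matter. */
int example_trusted_chain(int verify)
{
    static const cert_t certs[] = {
        { "CN=Intermediate CA", "CN=Trusted Root CA" },
        { "CN=Signer",          "CN=Intermediate CA" },
    };
    return find_validation_cert(certs, 2, TRUSTED_ROOTS, 1, verify);
}

/* Constructed X509Data contents from an untrusted, self-signed hierarchy. */
int example_untrusted_chain(int verify)
{
    static const cert_t certs[] = {
        { "CN=Attacker Signer", "CN=Attacker CA" },
        { "CN=Attacker CA",     "CN=Attacker CA" },
    };
    return find_validation_cert(certs, 2, TRUSTED_ROOTS, 1, verify);
}

int main(void)
{
    printf("trusted chain:   verify=%d unverified=%d\n",
           example_trusted_chain(1), example_trusted_chain(0));
    printf("untrusted chain: verify=%d unverified=%d\n",
           example_untrusted_chain(1), example_untrusted_chain(0));
    return 0;
}
```

The untrusted case shows the consequence of the patch: with verification the
attacker-supplied set yields no certificate (-1) and signature validation must
fail, without it the attacker's leaf is selected and its key is used to check
the signature, so the signature verifies against a key the signer chose.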