1*cdf0e10cSrcweir--- misc/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-06-25 22:53:18.000000000 +0200 2*cdf0e10cSrcweir+++ misc/build/xmlsec1-1.2.14/src/mscrypto/x509vfy.c 2009-09-23 10:01:07.237316078 +0200 3*cdf0e10cSrcweir@@ -567,9 +567,16 @@ 4*cdf0e10cSrcweir CertFreeCertificateContext(nextCert); 5*cdf0e10cSrcweir } 6*cdf0e10cSrcweir 7*cdf0e10cSrcweir- if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { 8*cdf0e10cSrcweir- return(cert); 9*cdf0e10cSrcweir- } 10*cdf0e10cSrcweir+ /* JL: OpenOffice.org implements its own certificate verification routine. 11*cdf0e10cSrcweir+ The goal is to seperate validation of the signature 12*cdf0e10cSrcweir+ and the certificate. For example, OOo could show that the document signature is valid, 13*cdf0e10cSrcweir+ but the certificate could not be verified. If we do not prevent the verification of 14*cdf0e10cSrcweir+ the certificate by libxmlsec and the verification fails, then the XML signature will not be 15*cdf0e10cSrcweir+ verified. This would happen, for example, if the root certificate is not installed. 16*cdf0e10cSrcweir+ */ 17*cdf0e10cSrcweir+/* if((selected == 1) && xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) { */ 18*cdf0e10cSrcweir+ if (selected == 1) 19*cdf0e10cSrcweir+ return cert; 20*cdf0e10cSrcweir } 21*cdf0e10cSrcweir 22*cdf0e10cSrcweir return (NULL); 23*cdf0e10cSrcweir--- misc/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-23 10:06:52.989793254 +0200 24*cdf0e10cSrcweir+++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-23 10:05:03.183042205 +0200 25*cdf0e10cSrcweir@@ -191,13 +191,27 @@ 26*cdf0e10cSrcweir continue; 27*cdf0e10cSrcweir } 28*cdf0e10cSrcweir 29*cdf0e10cSrcweir- status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 30*cdf0e10cSrcweir- cert, PR_FALSE, 31*cdf0e10cSrcweir- (SECCertificateUsage)0, 32*cdf0e10cSrcweir- timeboundary , NULL, NULL, NULL); 33*cdf0e10cSrcweir- if (status == SECSuccess) { 34*cdf0e10cSrcweir- break; 35*cdf0e10cSrcweir- } 36*cdf0e10cSrcweir+ 37*cdf0e10cSrcweir+ /* 38*cdf0e10cSrcweir+ JL: OpenOffice.org implements its own certificate verification routine. 39*cdf0e10cSrcweir+ The goal is to seperate validation of the signature 40*cdf0e10cSrcweir+ and the certificate. For example, OOo could show that the document signature is valid, 41*cdf0e10cSrcweir+ but the certificate could not be verified. If we do not prevent the verification of 42*cdf0e10cSrcweir+ the certificate by libxmlsec and the verification fails, then the XML signature may not be 43*cdf0e10cSrcweir+ verified. This would happen, for example, if the root certificate is not installed. 44*cdf0e10cSrcweir+ 45*cdf0e10cSrcweir+ status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 46*cdf0e10cSrcweir+ cert, PR_FALSE, 47*cdf0e10cSrcweir+ (SECCertificateUsage)0, 48*cdf0e10cSrcweir+ timeboundary , NULL, NULL, NULL); 49*cdf0e10cSrcweir+ if (status == SECSuccess) { 50*cdf0e10cSrcweir+ break; 51*cdf0e10cSrcweir+ } 52*cdf0e10cSrcweir+ 53*cdf0e10cSrcweir+ */ 54*cdf0e10cSrcweir+ status = SECSuccess; 55*cdf0e10cSrcweir+ break; 56*cdf0e10cSrcweir+ 57*cdf0e10cSrcweir } 58*cdf0e10cSrcweir 59*cdf0e10cSrcweir if (status == SECSuccess) { 60