Best debug logging to enable
Cantor, Scott
cantor.2 at osu.edu
Thu Sep 6 13:26:44 EDT 2018
Just turn off the PKIX engine altogether (you wouldn't even have it on unless it's a V2 SP or an old config). With that off, the KeyInfo simply doesn't matter and you have a simple answer, either the metadata's wrong or their code is.
As it is, you still know that. If it falls into PKIX, then by definition the metadata did not work, but that means nothing when you can't trust the signer's code to be correctly implemented. All you can do is narrow the options and then get ready for an endless argument with a vendor.
I would put all of the certificates they embed into the metadata for testing, in separate KeyDescriptors, and then you know with no doubt that none of them work and they have a bug.
-- Scott
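The check Scott describes, with PKIX out of the picture, reduces to one question: is the certificate the partner signed with present in one of the metadata's KeyDescriptors or not? The script below is an added example, not code from this thread or from the Shibboleth project. It parses a constructed EntityDescriptor (the entityID and the certificate blobs are placeholders, not real X.509 data), collects every embedded X509Certificate that could be used for signing, and reports whether a presented signing certificate matches any of them by SHA-256 fingerprint of the decoded bytes. It goes slightly beyond the post by honouring the SAML metadata rule that a KeyDescriptor without a `use` attribute covers both signing and encryption.

```python
"""Explicit-key check over SAML metadata KeyDescriptors (added example).

Given an EntityDescriptor with one or more KeyDescriptor elements, collect
every embedded X509Certificate and report whether the certificate a partner
presented in a signature's KeyInfo matches one of them. With no PKIX
fallback, a mismatch means exactly what the post says: either the metadata
is wrong or the signer's code is.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample "certificates": these are NOT real X.509 structures,
# just base64 of placeholder bytes, enough to exercise the comparison logic.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
CERT_C = base64.b64encode(b"constructed-cert-C").decode()

# Constructed metadata: two KeyDescriptors, one explicitly use="signing",
# one with no use attribute (which covers signing and encryption).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_A}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_cert(b64_text: str) -> bytes:
    """Return the decoded certificate bytes from a PEM or bare base64 blob,
    ignoring PEM armor lines and any whitespace or line wrapping."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64_text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body)


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of the decoded certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def metadata_signing_certs(metadata_xml: str) -> dict:
    """Map fingerprint -> 'use' for every certificate usable for signing.

    A KeyDescriptor with no use attribute applies to both signing and
    encryption, so only use="encryption" descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")
        if use == "encryption":
            continue
        for cert_el in kd.iterfind(".//ds:X509Certificate", NS):
            der = normalize_cert(cert_el.text or "")
            certs[fingerprint(der)] = use
    return certs


def explicit_key_check(metadata_xml: str, presented_cert_b64: str) -> dict:
    """Diagnose whether the presented signing certificate is in metadata.

    This mirrors what an explicit-key trust engine decides: the signing
    certificate is trusted if and only if it appears in a KeyDescriptor.
    """
    known = metadata_signing_certs(metadata_xml)
    fp = fingerprint(normalize_cert(presented_cert_b64))
    return {
        "presented_fingerprint": fp,
        "trusted": fp in known,
        "metadata_fingerprints": sorted(known),
    }


if __name__ == "__main__":
    for label, cert in (("A", CERT_A), ("B", CERT_B), ("C", CERT_C)):
        result = explicit_key_check(SAMPLE_METADATA, cert)
        verdict = ("matches a KeyDescriptor" if result["trusted"]
                   else "NOT in metadata: metadata is wrong or the signer uses the wrong key")
        print(f"cert {label}: {verdict}")
```

To use this against a real partner, paste the certificate from the failing signature's KeyInfo in place of the constructed blob and feed the partner's actual metadata file; if every certificate they embed in the metadata still fails to match, the signer is using a key that is not in the metadata at all, which is the "they have a bug" outcome the post describes.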