Rob Percival

Results 37 comments of Rob Percival

Partial duplicate of #39.

https://www.w3.org/TR/xmldsig-core1/#sec-X509Data:

> The X509IssuerSerial element has been deprecated in favor of the newly-introduced dsig11:X509Digest element. The XML Schema type of the serial number was defined to be an integer, and...

I've given it a try but ran into this bug in OpenSSL when using self-signed certificates: https://github.com/openssl/openssl/issues/1418.

```
lib/python3.7/site-packages/signxml/util/__init__.py:216: in _add_cert_to_store
    X509StoreContext(store, cert).verify_certificate()
lib/python3.7/site-packages/OpenSSL/crypto.py:1766: in verify_certificate
    raise self._exception_from_context()
E   OpenSSL.crypto.X509StoreContextError:...
```

A nit about the API was that I can pass a `crypto.X509` object into `verify()`, but I can't return one from `cert_resolver`. This is easy to work around, since I can...

I've just run into issue #81. While I can use `validate_schema=False` to work around this, do you know how much risk, if any, this carries @kislyuk?

Have you considered a different schema validator? It seems the reason that lxml rejects serial numbers longer than 18 digits is because it's a "minimally-conforming" schema validator, and so isn't...

@kislyuk I've just discovered that `cert_resolver` is given the `X509Digest` content, but not the `Algorithm` attribute that goes with it. Without knowing which digest algorithm was used, it's rather expensive...

There are [5 digest algorithms allowed by the XMLDSig standard](https://www.w3.org/TR/xmldsig-core1/#sec-MessageDigests). The signer can use any of these, but the verifier would have to try *all* of them with every known...

This is a highly speculative PR to see what fails on CI when this code is removed.

@kszmigiel, are you still intending to fix this or should it be unassigned?