<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><SPAN class=507473113-21112002><FONT face=Arial color=#0000ff size=2>The
keys manager does like/take the certs in the format you described. In fact, it
requires them in that format rather than the binary format. OpenSSL is quite
picky about this as the following snippet from some OpenSSL FAQ shows. I don't
recall exactly where I clipped this from but I saved it since it's a useful
explanation.</FONT></SPAN></DIV>
<DIV><SPAN class=507473113-21112002><FONT face=Arial color=#0000ff
size=2>Ferrell</FONT></SPAN></DIV>
<DIV><SPAN class=507473113-21112002><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=507473113-21112002>
<P class=MsoNormal
style="MARGIN: 5pt 0in; mso-pagination: none; mso-layout-grid-align: none"><B><SPAN
style="FONT-FAMILY: Arial">Error: "no start line:pem_lib.c" or "no end
line:pem_lib.c"</SPAN></B><SPAN style="FONT-FAMILY: Arial">.<BR>Apache-SSL uses
a toolkit called OpenSSL (formerly SSLeay), by Eric Young, for its security
routines. OpenSSL is very fussy about the format of certificate requests and
certificates. In particular, the BEGIN and END lines must look
like:<BR><BR>-----BEGIN CERTIFICATE-----<BR><BR>this is your certificate <BR>in
BASE64 encoding<BR>for easy transport<BR><BR>-----END
CERTIFICATE-----<BR><BR>Note, there are 5 dashes before and after the BEGIN and
END text, and they must form the first and last lines of the certificate (as
above). Be careful when you cut and paste the certificate from the browser
window into a text editor to create the certificate text file. Make sure you
remove any trailing spaces, before and after the BEGIN or END lines, or you will
see this error. On UNIX, you may also need to get rid of CTRL-M characters.<BR
style="mso-special-character: line-break"><BR
style="mso-special-character: line-break"></SPAN></P></SPAN></DIV>
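<DIV><FONT face=Arial size=2>The checks the FAQ excerpt above describes, as an added example that is not part of the original message and is not xmlsec or OpenSSL code: one function reports what is wrong with the BEGIN and END lines, the other applies the clean-up. The function names and the sample text are constructed for illustration.</FONT></DIV>
<PRE>
```python
import re

# Exactly five dashes, BEGIN or END, a label, five dashes, nothing else.
STRICT = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")


def _split(text):
    # Treat CRLF and bare CR as line ends so CTRL-M never hides inside a line.
    return text.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def check_pem_armor(text):
    """Return the list of BEGIN/END line problems found in one PEM block."""
    problems = []
    if "\r" in text:
        problems.append("CTRL-M (carriage return) characters present")
    lines = _split(text)
    if lines[-1] == "":
        lines.pop()  # a single final newline is normal
    labels = {}
    for kind, where, expected in (("BEGIN", "first", 0),
                                  ("END", "last", len(lines) - 1)):
        # Loose match: any line that is evidently meant to be the armor line.
        hits = [i for i, l in enumerate(lines)
                if re.match(r"\s*-+\s*" + kind + r"\b", l)]
        if not hits:
            problems.append("no %s line" % kind)
            continue
        line = lines[hits[0] if kind == "BEGIN" else hits[-1]]
        if lines[expected] is not line:
            problems.append("%s line is not the %s line" % (kind, where))
        if line != line.strip():
            problems.append("%s line has leading or trailing whitespace" % kind)
        m = STRICT.fullmatch(line.strip())
        if m is None:
            problems.append("%s line is not five dashes, text, five dashes" % kind)
        else:
            labels[kind] = m.group(2)
    if len(labels) == 2 and labels["BEGIN"] != labels["END"]:
        problems.append("BEGIN and END labels differ")
    return problems


def normalize_pem(text):
    """Strip CTRL-M, per-line whitespace, and blank lines around the block."""
    lines = [l.strip() for l in _split(text)]
    return "\n".join(lines).strip("\n") + "\n"
```
</PRE>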
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Asbjørn Oskal
[mailto:asbjorn.oskal@welldiagnostics.com] <BR><B>Sent:</B> Thursday, November
21, 2002 5:15 AM<BR><B>To:</B> xmlsec@aleksey.com<BR><B>Subject:</B> [xmlsec]
Verifying a signature against a PEM certificate<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Hi!</FONT></DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2></FONT> </DIV></FONT></DIV>
<DIV>
<DIV><FONT face=Arial size=2>As I understand there are two ways to verify a
signature against public keys </FONT><FONT face=Arial size=2>not included in
the signature </FONT><FONT face=Arial size=2>itself.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Either load the public key and send it as a
parameter to the </FONT><FONT face=Arial size=2>xmlSecDSigValidate
function </FONT><FONT face=Arial size=2>or to add the public key to the
Keymanager and use the xmlSecKeyOriginKeyManager flag so that the </FONT><FONT
face=Arial size=2>key manager is searched for a key to use when
verifying.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have tried both but does not break
through.</FONT></DIV></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I could not find a way to load a usable (public)
xmlSecKey.</FONT></DIV>
<DIV><FONT face=Arial size=2>I tried to use xmlSecKeyReadPemCert and it read
the file but then the keydata in the xmlSecKeyPtr was NULL and the key was
rejected when I tried to use it.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I then tried to use the
xmlSecSimpleKeysMngrLoadPemKey but it </FONT><FONT face=Arial size=2>does not
accept PEM-files starting with</FONT></DIV>
<DIV><FONT face=Arial size=2>"-----BEGIN CERTIFICATE-----" which my
certificate does.</FONT></DIV>
<DIV><FONT face=Arial size=2>As I understand it is the PEM_read_PUBKEY openssl
function that rejects the file.</FONT></DIV>
<DIV><FONT face=Arial size=2>Do external certificates have to be in
</FONT><FONT face=Arial size=2>this format or </FONT><FONT face=Arial
size=2>are there any other ways to </FONT><FONT face=Arial size=2>load public
keys from PEM certificate files starting with "</FONT><FONT face=Arial
size=2><FONT face=Arial size=2>-----BEGIN
CERTIFICATE-----"?</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>:)</FONT></DIV></BLOCKQUOTE></BODY></HTML>