<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Thanks. Seems like both key and cert are there. Not sure what went
wrong...<br>
<br>
On 2/23/11 12:43 PM, Nigel Ramsay wrote:
<blockquote
cite="mid:AANLkTik8nd4g35180RtgsJ+D3_De_jHb=XzLxGef50Lr@mail.gmail.com"
type="cite">Sure...
<div><br>
</div>
<div>Not entirely sure on the exact syntax to use. This is what we
got:</div>
<div><br>
</div>
<div>
<div>openssl pkcs12 -info -in keysncerts/usercert.p12 </div>
<div><br>
</div>
<div>Enter Import Password:</div>
<div>MAC Iteration 2048</div>
<div>MAC verified OK</div>
<div>PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration
2048</div>
<div>Certificate bag</div>
<div>Bag Attributes</div>
<div> localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2
EC 8D F0 F7 82 8C </div>
<div>subject=/C=CL/ST=RM/O=littlecryptographer/CN=John
Smith/emailAddress=<a moz-do-not-send="true"
href="mailto:jsmith@hello.com" target="_blank">jsmith@hello.com</a></div>
<div>issuer=/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
Camacho/emailAddress=<a moz-do-not-send="true"
href="mailto:lostilos@free.fr" target="_blank">lostilos@free.fr</a></div>
<div>-----BEGIN CERTIFICATE-----</div>
<div>-----END CERTIFICATE-----</div>
<div>PKCS7 Data</div>
<div>Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC,
Iteration 2048</div>
<div>Bag Attributes</div>
<div> localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2
EC 8D F0 F7 82 8C </div>
<div>Key Attributes: <No Attributes></div>
<div><br>
</div>
<div>It then prompts for a password:</div>
<div><br>
</div>
<div>Enter PEM pass phrase:</div>
<div>
<div>Verifying - Enter PEM pass phrase:</div>
<div><br>
</div>
<div>
I entered "password" and got this...</div>
<div><br>
</div>
<div>-----BEGIN RSA PRIVATE KEY-----</div>
<div>Proc-Type: 4,ENCRYPTED</div>
<div>DEK-Info: DES-EDE3-CBC,058FCED319755EBF</div>
<div><br>
</div>
<div>
-----END RSA PRIVATE KEY-----</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<br>
<div class="gmail_quote">On Thu, Feb 24, 2011 at 8:57 AM,
Aleksey Sanin <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff"> Thanks for the update. If
you have a second, could you please try to run the openssl
pkcs12 command on Mac <br>
to see the content of the <font face="'courier new',
monospace">usercert.p12 file?</font><br>
<font color="#888888"> <br>
Aleksey</font>
<div>
<div><br>
<br>
On 2/23/11 11:54 AM, Nigel Ramsay wrote:
<blockquote type="cite">Hi Aleksey
<div><br>
</div>
<div>As I suggested, I tried it on Ubuntu - and it
just worked. </div>
<div><br>
</div>
<div>It must have been a "mac thing". </div>
<div><br>
</div>
<div>I've now gone and repeated the exact same steps
on both Ubuntu 10.4 and OSX 10.6 with differing
results - the Ubuntu version produced the required
output, while the Mac version did not. </div>
<div><br>
</div>
<div>For those who are interested, these are the
simple steps I followed:</div>
<div><br>
</div>
<div><b>Mac</b></div>
<div><br>
</div>
<div><font face="'courier new', monospace">port
install xmlsec</font></div>
<div><font face="'courier new', monospace">wget <a
moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip"
target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip</a></font></div>
<div><font face="'courier new', monospace">unzip keysncerts.zip</font></div>
<div><font face="'courier new', monospace">wget <a
moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml"
target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml</a></font></div>
<div><font face="'courier new', monospace">xmlsec1
--sign --pkcs12 keysncerts/usercert.p12
--trusted-pem keysncerts/cacert.pem --pwd hello
doc-x509.xml</font></div>
<div><br>
</div>
<div><b>Ubuntu</b></div>
<div><br>
</div>
<div><font face="'courier new', monospace">apt-get
install xmlsec1</font></div>
<div>
<div><font face="'courier new', monospace">wget <a
moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip"
target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip</a></font></div>
<div><font face="'courier new', monospace">unzip keysncerts.zip</font></div>
<div><font face="'courier new', monospace">wget <a
moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml"
target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml</a></font></div>
<div><font face="'courier new', monospace">xmlsec1
--sign --pkcs12 keysncerts/usercert.p12
--trusted-pem keysncerts/cacert.pem --pwd
hello doc-x509.xml</font></div>
</div>
<div><br>
</div>
<div> So anyway - thanks Aleksey for a very handy
tool. There's nothing else out there like it.
Certainly nothing in "Ruby land" where we do most
of our work. </div>
<div><br>
</div>
<div>Cheers</div>
<div><br>
</div>
<div> Nigel</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Thu, Feb 24, 2011 at
8:33 AM, Aleksey Sanin <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:aleksey@aleksey.com"
target="_blank">aleksey@aleksey.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff"> Make
sure that you actually have *both* private
key and certificate in the usercert.p12<br>
<br>
Aleksey
<div>
<div><br>
<br>
On 2/23/11 11:24 AM, Nigel Ramsay wrote:
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div class="gmail_quote">Hi
<div><br>
</div>
<div>We are trying to sign an XML
document with an X509 certificate,
but are having problems getting
the X509Data node populated. </div>
<div><br>
</div>
<div>We are following Philippe
Camacho's tutorial here:</div>
<div><a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7"
target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7</a><br
clear="all">
<br>
</div>
<div>The command that we use is
copied from the tutorial, and we
are using the keysncerts.zip file
that contains the appropriate keys
and certificates. </div>
<div><br>
</div>
<div>The command (using v 1.2.16 on
Mac OSX 10.6) is: </div>
<div>xmlsec1 --sign --pkcs12
usercert.p12 --trusted-pem
cacert.pem --pwd hello
doc-x509.xml</div>
<div><br>
</div>
<div>The contents of the
doc-x509.xml is (the document we
are trying to sign):</div>
<div>
<div><References></div>
<div> <Book></div>
<div> <Author></div>
<div>
<FirstName>Bruce</FirstName></div>
<div>
<LastName>Schneier</LastName></div>
<div> </Author></div>
<div> <Title>Applied
Cryptography</Title></div>
<div> </Book></div>
<div> <Web></div>
<div> <Title>XMLSec</Title></div>
<div> <Url><a
moz-do-not-send="true"
href="http://www.aleksey.com/xmlsec/"
target="_blank">http://www.aleksey.com/xmlsec/</a></Url></div>
<div> </Web></div>
<div> <Signature xmlns="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#"
target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div>
<div> <SignedInfo></div>
<div> <CanonicalizationMethod
Algorithm=</div>
<div> "<a
moz-do-not-send="true"
href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/></div>
<div> <SignatureMethod
Algorithm=</div>
<div> "<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/></div>
<div> <Reference URI=""></div>
<div> <Transforms></div>
<div> <Transform Algorithm=</div>
<div> "<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"
/></div>
<div> </Transforms></div>
<div> <DigestMethod
Algorithm=</div>
<div> "<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/></div>
<div>
<DigestValue></DigestValue></div>
<div> </Reference></div>
<div> </SignedInfo></div>
<div> <SignatureValue /></div>
<div> <KeyInfo></div>
<div> <X509Data ></div>
<div> <X509SubjectName/></div>
<div> <X509IssuerSerial/></div>
<div> <X509Certificate/></div>
<div> </X509Data></div>
<div> <KeyValue /></div>
<div> </KeyInfo></div>
<div> </Signature></div>
<div></References></div>
</div>
<div><br>
</div>
<div>We get this output from running
the command:</div>
<div><br>
</div>
<div>
<div><?xml version="1.0"?></div>
<div><References></div>
<div> <Book></div>
<div> <Author></div>
<div>
<FirstName>Bruce</FirstName></div>
<div>
<LastName>Schneier</LastName></div>
<div> </Author></div>
<div> <Title>Applied
Cryptography</Title></div>
<div> </Book></div>
<div> <Web></div>
<div>
<Title>XMLSec</Title></div>
<div> <Url><a
moz-do-not-send="true"
href="http://www.aleksey.com/xmlsec/"
target="_blank">http://www.aleksey.com/xmlsec/</a></Url></div>
<div> </Web></div>
<div> <Signature xmlns="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#"
target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div>
<div> <SignedInfo></div>
<div>
<CanonicalizationMethod
Algorithm="<a
moz-do-not-send="true"
href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/></div>
<div>
<SignatureMethod Algorithm="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/></div>
<div> <Reference
URI=""></div>
<div>
<Transforms></div>
<div>
<Transform Algorithm="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"/></div>
<div>
</Transforms></div>
<div>
<DigestMethod Algorithm="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/></div>
<div>
<DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue></div>
<div>
</Reference></div>
<div> </SignedInfo></div>
<div>
<SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS</div>
<div>lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2</div>
<div>twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue></div>
<div> </div>
<div> <KeyInfo></div>
<div> <X509Data></div>
<div> </div>
<div> </div>
<div> </div>
<div> </X509Data></div>
<div> <KeyValue></div>
<div><RSAKeyValue></div>
<div><Modulus></div>
<div>vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd</div>
<div>aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL</div>
<div>GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=</div>
<div></Modulus></div>
<div><Exponent></div>
<div>AQAB</div>
<div></Exponent></div>
<div></RSAKeyValue></div>
<div></KeyValue></div>
<div> </KeyInfo></div>
<div> </div>
<div> </Signature></div>
<div></References></div>
</div>
<div><br>
</div>
<div>As you can see, the X509Data
node is blank. </div>
<div><br>
</div>
<div>We have tried including the
--print-xml-debug option, and this
shows a number of fields,
including:</div>
<div><br>
</div>
<div>
<div><X509Data></div>
<div><KeyCertificate></div>
<div><SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John
Smith/emailAddress=<a
moz-do-not-send="true"
href="mailto:jsmith@hello.com"
target="_blank">jsmith@hello.com</a></SubjectName></div>
<div><IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
Camacho/emailAddress=<a
moz-do-not-send="true"
href="mailto:lostilos@free.fr"
target="_blank">lostilos@free.fr</a></IssuerName></div>
<div><SerialNumber>11E</SerialNumber></div>
<div></KeyCertificate></div>
<div></X509Data></div>
</div>
<div><br>
</div>
<div>We have also tried these
commands with our own generated
keys, and different XML files too.
We get the same result each time. </div>
<div> <br>
</div>
<div>I have searched this mailing
list, and note that Braja Biswal
had a similar problem:</div>
<div><a moz-do-not-send="true"
href="http://www.aleksey.com/pipermail/xmlsec/2009/008672.html"
target="_blank">http://www.aleksey.com/pipermail/xmlsec/2009/008672.html</a></div>
<div><br>
</div>
<div>We would really appreciate any
help, as we seem to be out of
ideas. Our last idea is to try the
same approach using Ubuntu -
perhaps this is "a Mac thing". We
used MacPorts to install Xmlsec.</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Nigel</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
-- <br>
Nigel Ramsay<br>
Principal Consultant<br>
Able Technology<br>
<br>
<div>04 910 3100<br>
021 323 990
<div><a moz-do-not-send="true"
href="http://www.abletech.co.nz"
target="_blank">http://www.abletech.co.nz</a><br>
<a moz-do-not-send="true"
href="http://nigel.ramsay.org.nz"
target="_blank">http://nigel.ramsay.org.nz</a></div>
</div>
<br>
</div>
</div>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
xmlsec mailing list
<a moz-do-not-send="true" href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a>
<a moz-do-not-send="true" href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
<br>
</div>
</blockquote>
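<div>Added example, not part of the original thread: a Python check over <code>openssl pkcs12 -info</code> output that confirms the file holds both a certificate bag and a key bag and that the two share a localKeyID, which is the condition asked about in the thread. The function names are hypothetical, and the sample listing is constructed from the output quoted above with the PEM bodies left out.</div>

```python
import re

# Constructed sample: the `openssl pkcs12 -info` listing quoted in the thread,
# PEM bodies omitted and wrapped lines rejoined.
SAMPLE = """\
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C
subject=/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith@hello.com
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C
Key Attributes: <No Attributes>
"""

# Bag headers as printed by openssl ("Key bag" is the unencrypted variant).
BAG = re.compile(r"^(Certificate bag|Shrouded Keybag|Key bag)\b")
KEYID = re.compile(r"^\s*localKeyID:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_bags(text):
    """Return [(kind, localKeyID or None)] for each bag in the listing."""
    bags = []
    for line in text.splitlines():
        m = BAG.match(line)
        if m:
            kind = "cert" if m.group(1) == "Certificate bag" else "key"
            bags.append([kind, None])
            continue
        m = KEYID.match(line)
        if m and bags and bags[-1][1] is None:
            # Normalise "19 9E C5 ..." to "199EC5..." for comparison.
            bags[-1][1] = "".join(m.group(1).split()).upper()
    return [tuple(b) for b in bags]

def check_p12(text):
    """Report whether a key and a certificate are present and paired."""
    bags = parse_bags(text)
    key_ids = {i for k, i in bags if k == "key"}
    cert_ids = {i for k, i in bags if k == "cert"}
    if not key_ids:
        return "no private key"
    if not cert_ids:
        return "no certificate"
    if (key_ids & cert_ids) - {None}:
        return "ok"
    return "key and certificate not paired"
```

<div>For the listing in this thread the check returns "ok", which matches the conclusion that both key and certificate are present in usercert.p12.</div>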
</body>
</html>