<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    Make sure that you actually have *both* private key and certificate
    in the usercert.p12<br>
    <br>
    Aleksey<br>
    <br>
    On 2/23/11 11:24 AM, Nigel Ramsay wrote:
    <blockquote
      cite="mid:AANLkTi=w8RTQZXNrcnH7cj2AtgTOBY+LecJF3yafvMTR@mail.gmail.com"
      type="cite">
      <div class="gmail_quote">Hi
        <div><br>
        </div>
        <div>We are trying to sign an XML document with an X509
          certificate, but are having problems getting the X509Data node
          populated. </div>
        <div><br>
        </div>
        <div>We are following Philippe Camacho's tutorial here:</div>
        <div><a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7"
            target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7</a><br
            clear="all">
          <br>
        </div>
        <div>The command that we use is copied from the tutorial, and we
          are using the keysncerts.zip file that contains the
          appropriate keys and certificates. </div>
        <div><br>
        </div>
        <div>The command (using v 1.2.16 on Mac OSX 10.6) is: </div>
        <div>xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem
          cacert.pem --pwd hello doc-x509.xml</div>
        <div><br>
        </div>
        <div>The contents of the doc-x509.xml is (the document we are
          trying to sign):</div>
        <div>
          <div>&lt;References&gt;</div>
          <div> &lt;Book&gt;</div>
          <div>  &lt;Author&gt;</div>
          <div>   &lt;FirstName&gt;Bruce&lt;/FirstName&gt;</div>
          <div>   &lt;LastName&gt;Schneier&lt;/LastName&gt;</div>
          <div>  &lt;/Author&gt;</div>
          <div>  &lt;Title&gt;Applied Cryptography&lt;/Title&gt;</div>
          <div> &lt;/Book&gt;</div>
          <div> &lt;Web&gt;</div>
          <div>  &lt;Title&gt;XMLSec&lt;/Title&gt;</div>
          <div>  &lt;Url&gt;<a moz-do-not-send="true"
              href="http://www.aleksey.com/xmlsec/" target="_blank">http://www.aleksey.com/xmlsec/</a>&lt;/Url&gt;</div>
          <div> &lt;/Web&gt;</div>
          <div> &lt;Signature xmlns="<a moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"&gt;</div>
          <div>  &lt;SignedInfo&gt;</div>
          <div>   &lt;CanonicalizationMethod Algorithm=</div>
          <div>    "<a moz-do-not-send="true"
              href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
              target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/&gt;</div>
          <div>   &lt;SignatureMethod Algorithm=</div>
          <div>    "<a moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
              target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/&gt;</div>
          <div>   &lt;Reference URI=""&gt;</div>
          <div>    &lt;Transforms&gt;</div>
          <div>     &lt;Transform Algorithm=</div>
          <div>      "<a moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
              target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"
            /&gt;</div>
          <div>    &lt;/Transforms&gt;</div>
          <div>    &lt;DigestMethod Algorithm=</div>
          <div>      "<a moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#sha1"
              target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/&gt;</div>
          <div>
                &lt;DigestValue&gt;&lt;/DigestValue&gt;</div>
          <div>   &lt;/Reference&gt;</div>
          <div>  &lt;/SignedInfo&gt;</div>
          <div>  &lt;SignatureValue /&gt;</div>
          <div>  &lt;KeyInfo&gt;</div>
          <div>   &lt;X509Data &gt;</div>
          <div>    &lt;X509SubjectName/&gt;</div>
          <div>    &lt;X509IssuerSerial/&gt;</div>
          <div>    &lt;X509Certificate/&gt;</div>
          <div>   &lt;/X509Data&gt;</div>
          <div>   &lt;KeyValue /&gt;</div>
          <div>  &lt;/KeyInfo&gt;</div>
          <div> &lt;/Signature&gt;</div>
          <div>&lt;/References&gt;</div>
        </div>
        <div><br>
        </div>
        <div>We get this output from running the command:</div>
        <div><br>
        </div>
        <div>
          <div>&lt;?xml version="1.0"?&gt;</div>
          <div>&lt;References&gt;</div>
          <div>    &lt;Book&gt;</div>
          <div>        &lt;Author&gt;</div>
          <div>            &lt;FirstName&gt;Bruce&lt;/FirstName&gt;</div>
          <div>
                        &lt;LastName&gt;Schneier&lt;/LastName&gt;</div>
          <div>        &lt;/Author&gt;</div>
          <div>        &lt;Title&gt;Applied Cryptography&lt;/Title&gt;</div>
          <div>    &lt;/Book&gt;</div>
          <div>    &lt;Web&gt;</div>
          <div>        &lt;Title&gt;XMLSec&lt;/Title&gt;</div>
          <div>        &lt;Url&gt;<a moz-do-not-send="true"
              href="http://www.aleksey.com/xmlsec/" target="_blank">http://www.aleksey.com/xmlsec/</a>&lt;/Url&gt;</div>
          <div>    &lt;/Web&gt;</div>
          <div>    &lt;Signature xmlns="<a moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"&gt;</div>
          <div>        &lt;SignedInfo&gt;</div>
          <div>            &lt;CanonicalizationMethod Algorithm="<a
              moz-do-not-send="true"
              href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
              target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/&gt;</div>
          <div>                &lt;SignatureMethod Algorithm="<a
              moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
              target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/&gt;</div>
          <div>                &lt;Reference URI=""&gt;</div>
          <div>                &lt;Transforms&gt;</div>
          <div>                    &lt;Transform Algorithm="<a
              moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
              target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"/&gt;</div>
          <div>                &lt;/Transforms&gt;</div>
          <div>                &lt;DigestMethod Algorithm="<a
              moz-do-not-send="true"
              href="http://www.w3.org/2000/09/xmldsig#sha1"
              target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/&gt;</div>
          <div>              
             &lt;DigestValue&gt;V0ilDen0qBzCslw7EkJfhWO13/I=&lt;/DigestValue&gt;</div>
          <div>            &lt;/Reference&gt;</div>
          <div>        &lt;/SignedInfo&gt;</div>
          <div>      
 &lt;SignatureValue&gt;jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS</div>
          <div>lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2</div>
          <div>twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=&lt;/SignatureValue&gt;</div>
          <div>        </div>
          <div>        &lt;KeyInfo&gt;</div>
          <div>            &lt;X509Data&gt;</div>
          <div>                </div>
          <div>                </div>
          <div>                </div>
          <div>            &lt;/X509Data&gt;</div>
          <div>            &lt;KeyValue&gt;</div>
          <div>&lt;RSAKeyValue&gt;</div>
          <div>&lt;Modulus&gt;</div>
          <div>vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd</div>
          <div>aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL</div>
          <div>GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=</div>
          <div>&lt;/Modulus&gt;</div>
          <div>&lt;Exponent&gt;</div>
          <div>AQAB</div>
          <div>&lt;/Exponent&gt;</div>
          <div>&lt;/RSAKeyValue&gt;</div>
          <div>&lt;/KeyValue&gt;</div>
          <div>        &lt;/KeyInfo&gt;</div>
          <div>        </div>
          <div>    &lt;/Signature&gt;</div>
          <div>&lt;/References&gt;</div>
        </div>
        <div><br>
        </div>
        <div>As you can see, the X509Data node is blank. </div>
        <div><br>
        </div>
        <div>We have tried including the --print-xml-debug option, and
          this shows a number of fields, including:</div>
        <div><br>
        </div>
        <div>
          <div>&lt;X509Data&gt;</div>
          <div>&lt;KeyCertificate&gt;</div>
          <div>&lt;SubjectName&gt;/C=CL/ST=RM/O=littlecryptographer/CN=John
            Smith/emailAddress=<a moz-do-not-send="true"
              href="mailto:jsmith@hello.com" target="_blank">jsmith@hello.com</a>&lt;/SubjectName&gt;</div>
          <div>&lt;IssuerName&gt;/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
            Camacho/emailAddress=<a moz-do-not-send="true"
              href="mailto:lostilos@free.fr" target="_blank">lostilos@free.fr</a>&lt;/IssuerName&gt;</div>
          <div>&lt;SerialNumber&gt;11E&lt;/SerialNumber&gt;</div>
          <div>&lt;/KeyCertificate&gt;</div>
          <div>&lt;/X509Data&gt;</div>
        </div>
        <div><br>
        </div>
        <div>We have also tried these commands with our own generated
          keys, and different XML files too. We get the same result each
          time. </div>
        <div>
          <br>
        </div>
        <div>I have searched this mailing list, and note that Braja
          Biswal had a similar problem:</div>
        <div><a moz-do-not-send="true"
            href="http://www.aleksey.com/pipermail/xmlsec/2009/008672.html"
            target="_blank">http://www.aleksey.com/pipermail/xmlsec/2009/008672.html</a></div>
        <div><br>
        </div>
        <div>We would really appreciate any help, as we seem to be out
          of ideas. Our last idea is to try the same approach using
          Ubuntu - perhaps this is "a Mac thing". We used MacPorts to
          install Xmlsec.</div>
        <div><br>
        </div>
        <div>Thanks</div>
        <div><br>
        </div>
        <div>Nigel</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
          -- <br>
          Nigel Ramsay<br>
          Principal Consultant<br>
          Able Technology<br>
          <br>
          <div>04 910 3100<br>
            021 323 990
            <div><a moz-do-not-send="true"
                href="http://www.abletech.co.nz" target="_blank">http://www.abletech.co.nz</a><br>
              <a moz-do-not-send="true"
                href="http://nigel.ramsay.org.nz" target="_blank">http://nigel.ramsay.org.nz</a></div>
          </div>
          <br>
        </div>
      </div>
      <br>
      <pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
    </blockquote>
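    <br>
    One way to run the check suggested at the top of this message before calling xmlsec1 --sign --pkcs12: count the private keys and certificates inside the PKCS#12 container with the openssl command line. This is an added example, not part of the original thread or of xmlsec; the function names and the generated sample files are constructed for illustration, and it assumes the openssl CLI is installed.<br>

```shell
#!/bin/sh
# Added example (not from the thread): report what a PKCS#12 file holds
# before handing it to `xmlsec1 --sign --pkcs12 ...`.
# Function names are illustrative.

# p12_contents FILE PASSWORD
# Prints "keys=N certs=M". Returns 0 only if at least one private key AND
# one certificate are present, 1 if either is missing, 2 if unreadable.
p12_contents() {
    p12=$1
    pw=$2
    # -noout only parses and MAC-checks the container, so a wrong password
    # or a corrupt file is caught before anything is counted.
    if ! P12_PASS=$pw openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -noout 2>/dev/null; then
        echo "unreadable"
        return 2
    fi
    # -nocerts emits only private keys, -nokeys emits only certificates.
    # The PEM output goes straight into grep and is never written to disk.
    keys=$(P12_PASS=$pw openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -nocerts -nodes 2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY' || true)
    certs=$(P12_PASS=$pw openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    echo "keys=$keys certs=$certs"
    [ "$keys" -ge 1 ] && [ "$certs" -ge 1 ]
}

# make_constructed_samples DIR
# Builds two throwaway test containers (constructed, password "hello"):
#   both.p12     - a self-signed certificate plus its private key
#   certonly.p12 - the same certificate with no private key
make_constructed_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/both.p12" -passout pass:hello
    openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
        -out "$dir/certonly.p12" -passout pass:hello
}
```

    For the file in this thread the call would be p12_contents usercert.p12 hello; a result with keys=0 or certs=0 is the condition the reply asks you to rule out.<br>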
  </body>
</html>