<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Thanks for update. If you have a second, could you please try to run
openssl pkcs12 command on Mac <br>
to see the content of the <font class="Apple-style-span"
face="'courier new', monospace">usercert.p12 file?</font><br>
<br>
Aleksey<br>
<br>
On 2/23/11 11:54 AM, Nigel Ramsay wrote:
<blockquote
cite="mid:AANLkTi=1Nq34ZxYjQw4avRSqC0AvmYq47OwZLmfB86yX@mail.gmail.com"
type="cite">Hi Aleksey
<div><br>
</div>
<div>As I suggested, I tried it on Ubuntu - and it just worked. </div>
<div><br>
</div>
<div>It must have been a "mac thing". </div>
<div><br>
</div>
<div>I've now gone a repeated the exact same steps on both Ubuntu
10.4 and OSX 10.6 with differing results - the Ubuntu version
produced the required output, while the Mac version did not. </div>
<div><br>
</div>
<div>For those who are interested, these are the simple steps I
followed:</div>
<div><br>
</div>
<div><b>Mac</b></div>
<div><br>
</div>
<div><font class="Apple-style-span" face="'courier new',
monospace">port install xmlsec</font></div>
<div><font class="Apple-style-span" face="'courier new',
monospace">wget <a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip</a></font></div>
<div><font class="Apple-style-span" face="'courier new',
monospace">unzip keysncerts.zip</font></div>
<meta charset="utf-8">
<div><font class="Apple-style-span" face="'courier new',
monospace">wget <a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml</a></font></div>
<div><font class="Apple-style-span" face="'courier new',
monospace">xmlsec1 --sign --pkcs12 keysncerts/usercert.p12
--trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml</font></div>
<div><br>
</div>
<div><b>Ubuntu</b></div>
<div><br>
</div>
<div><font class="Apple-style-span" face="'courier new',
monospace">apt-get install xmlsec1</font></div>
<div>
<meta charset="utf-8">
<div><font class="Apple-style-span" face="'courier new',
monospace">wget <a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip</a></font></div>
<div><font class="Apple-style-span" face="'courier new',
monospace">unzip keysncerts.zip</font></div>
<div><font class="Apple-style-span" face="'courier new',
monospace">wget <a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml</a></font></div>
<div><font class="Apple-style-span" face="'courier new',
monospace">xmlsec1 --sign --pkcs12 keysncerts/usercert.p12
--trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml</font></div>
</div>
<div><br>
</div>
<div>
So anyway - thanks Aleksey for a very handy tool. There's
nothing else out there like it. Certainly nothing in "Ruby land"
where we do most of our work. </div>
<div><br>
</div>
<div>Cheers</div>
<div><br>
</div>
<div>
Nigel</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Thu, Feb 24, 2011 at 8:33 AM,
Aleksey Sanin <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff"> Make sure that you
actually have *both* private key and certificate in the
usercert.p12<br>
<br>
Aleksey
<div>
<div class="h5"><br>
<br>
On 2/23/11 11:24 AM, Nigel Ramsay wrote: </div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div class="gmail_quote">Hi
<div><br>
</div>
<div>We are trying to sign an XMl document with an
X509 certificate, but any having problems
getting the X509Data node populated. </div>
<div><br>
</div>
<div>We are following Philippe Camacho's tutorial
here:</div>
<div><a moz-do-not-send="true"
href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7"
target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7</a><br
clear="all">
<br>
</div>
<div>The command that we use is copied from the
tutorial, and we are using the keysncerts.zip
file that contains the appropriate keys and
certificates. </div>
<div><br>
</div>
<div>The command (using v 1.2.16 on Mac OSX 10.6)
is: </div>
<div>xmlsec1 --sign --pkcs12 usercert.p12
--trusted-pem cacert.pem --pwd hello
doc-x509.xml</div>
<div><br>
</div>
<div>The contents of the doc-x509.xml is (the
document we are trying to sign):</div>
<div>
<div><References></div>
<div> <Book></div>
<div> <Author></div>
<div> <FirstName>Bruce</FirstName></div>
<div>
<LastName>Schneier</LastName></div>
<div> </Author></div>
<div> <Title>Applied
Cryptography</Title></div>
<div> </Book></div>
<div> <Web></div>
<div> <Title>XMLSec</Title></div>
<div> <Url><a moz-do-not-send="true"
href="http://www.aleksey.com/xmlsec/"
target="_blank">http://www.aleksey.com/xmlsec/</a></Url></div>
<div> </Web></div>
<div> <Signature xmlns="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#"
target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div>
<div> <SignedInfo></div>
<div> <CanonicalizationMethod Algorithm=</div>
<div> "<a moz-do-not-send="true"
href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/></div>
<div> <SignatureMethod Algorithm=</div>
<div> "<a moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/></div>
<div> <Reference URI=""></div>
<div> <Transforms></div>
<div> <Transform Algorithm=</div>
<div> "<a moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"
/></div>
<div> </Transforms></div>
<div> <DigestMethod Algorithm=</div>
<div> "<a moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/></div>
<div>
<DigestValue></DigestValue></div>
<div> </Reference></div>
<div> </SignedInfo></div>
<div> <SignatureValue /></div>
<div> <KeyInfo></div>
<div> <X509Data ></div>
<div> <X509SubjectName/></div>
<div> <X509IssuerSerial/></div>
<div> <X509Certificate/></div>
<div> </X509Data></div>
<div> <KeyValue /></div>
<div> </KeyInfo></div>
<div> </Signature></div>
<div></References></div>
</div>
<div><br>
</div>
<div>We get this output from running the command:</div>
<div><br>
</div>
<div>
<div><?xml version="1.0"?></div>
<div><References></div>
<div> <Book></div>
<div> <Author></div>
<div>
<FirstName>Bruce</FirstName></div>
<div>
<LastName>Schneier</LastName></div>
<div> </Author></div>
<div> <Title>Applied
Cryptography</Title></div>
<div> </Book></div>
<div> <Web></div>
<div> <Title>XMLSec</Title></div>
<div> <Url><a
moz-do-not-send="true"
href="http://www.aleksey.com/xmlsec/"
target="_blank">http://www.aleksey.com/xmlsec/</a></Url></div>
<div> </Web></div>
<div> <Signature xmlns="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#"
target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div>
<div> <SignedInfo></div>
<div> <CanonicalizationMethod
Algorithm="<a moz-do-not-send="true"
href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/></div>
<div> <SignatureMethod
Algorithm="<a moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/></div>
<div> <Reference URI=""></div>
<div> <Transforms></div>
<div> <Transform
Algorithm="<a moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"/></div>
<div> </Transforms></div>
<div> <DigestMethod
Algorithm="<a moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#sha1"
target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/></div>
<div>
<DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue></div>
<div> </Reference></div>
<div> </SignedInfo></div>
<div>
<SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS</div>
<div>lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2</div>
<div>twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue></div>
<div> </div>
<div> <KeyInfo></div>
<div> <X509Data></div>
<div> </div>
<div> </div>
<div> </div>
<div> </X509Data></div>
<div> <KeyValue></div>
<div><RSAKeyValue></div>
<div><Modulus></div>
<div>vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd</div>
<div>aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL</div>
<div>GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=</div>
<div></Modulus></div>
<div><Exponent></div>
<div>AQAB</div>
<div></Exponent></div>
<div></RSAKeyValue></div>
<div></KeyValue></div>
<div> </KeyInfo></div>
<div> </div>
<div> </Signature></div>
<div></References></div>
</div>
<div><br>
</div>
<div>As you can see, the X509Data node is blank. </div>
<div><br>
</div>
<div>We have tried including the --print-xml-debug
option, and this shows a number of fields,
including:</div>
<div><br>
</div>
<div>
<div><X509Data></div>
<div><KeyCertificate></div>
<div><SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John
Smith/emailAddress=<a moz-do-not-send="true"
href="mailto:jsmith@hello.com"
target="_blank">jsmith@hello.com</a></SubjectName></div>
<div><IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
Camacho/emailAddress=<a moz-do-not-send="true"
href="mailto:lostilos@free.fr"
target="_blank">lostilos@free.fr</a></IssuerName></div>
<div><SerialNumber>11E</SerialNumber></div>
<div></KeyCertificate></div>
<div></X509Data></div>
</div>
<div><br>
</div>
<div>We have also tried these commands with our
own generated keys, and different XML files too.
We get the same result each time. </div>
<div> <br>
</div>
<div>I have searched this mailing list, and note
that Braja Biswal had a similar problem:</div>
<div><a moz-do-not-send="true"
href="http://www.aleksey.com/pipermail/xmlsec/2009/008672.html"
target="_blank">http://www.aleksey.com/pipermail/xmlsec/2009/008672.html</a></div>
<div><br>
</div>
<div>We would really appreciate any help, as we
seem to be out of ideas. Our last idea is to try
the same approach using Ubuntu - perhaps this is
"a Mac thing". We used MacPorts to install
Xmlsec.</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Nigel</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
-- <br>
Nigel Ramsay<br>
Principal Consultant<br>
Able Technology<br>
<br>
<div>04 910 3100<br>
021 323 990
<div><a moz-do-not-send="true"
href="http://www.abletech.co.nz"
target="_blank">http://www.abletech.co.nz</a><br>
<a moz-do-not-send="true"
href="http://nigel.ramsay.org.nz"
target="_blank">http://nigel.ramsay.org.nz</a></div>
</div>
<br>
</div>
</div>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
xmlsec mailing list
<a moz-do-not-send="true" href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a>
<a moz-do-not-send="true" href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Nigel Ramsay<br>
Principal Consultant<br>
Able Technology<br>
<br>
<div>04 910 3100<br>
021 323 990
<div><a moz-do-not-send="true"
href="http://www.abletech.co.nz" target="_blank">http://www.abletech.co.nz</a><br>
<a moz-do-not-send="true" href="http://nigel.ramsay.org.nz"
target="_blank">http://nigel.ramsay.org.nz</a></div>
</div>
<br>
</div>
</blockquote>
</body>
</html>