[xmlsec] Signing a document with key and cert..
Marius Kjeldahl
marius@kjeldahl.net
Mon, 18 Nov 2002 18:13:21 +0100
This is a multi-part message in MIME format.
--------------030409070404070802000502
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Aleksey Sanin wrote:
> I would suggest you to take a look at it. xmlsec command line utility is
> the most complete example
> of all available functionality.
Ok, I just started looking at it, but I'm still struggling. First of all, I
signed my private key using the aleksey.crt certificate. By using openssl x509
-text -in privkey-cert.pem I am able to verify that it has been signed correctly
using the aleksey certificate:
Issuer: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec,
CN=Aleksey Sanin/
Ok, fine. Then I further add a <X509Data> section in my message, and sign it using:
xmlsec sign --privkey privkey.pem,privkey-cert.pem org.xml > test.xml
Looking at the resulting document, I can verify that the X509Data still exist
and has been filled with certificate data.
However, if I now try to verify the resulting document with:
xmlsec verify --trusted aleksey.crt test.xml
I get the following message:
xmlSecSignedInfoRead (xmldsig.c:1493): error 51: invalid reference :
= Status:
== Signatures ok: 0
== Signatures fail: 1
== SignedInfo Ref ok: 0
== SignedInfo Ref fail: 1
== Manifest Ref ok: 0
== Manifest Ref fail: 0
FAIL
Error: operation failed
I have attached the resulting test.xml document in this email.
>>> So far I have not been able to find an example on how to use my key
>>> AND the cert. An old posting from Aleksey mentions using
>>> "xmlSecSimpleKeyMngrAddCertToKey, but I can find no such function. I
>>> have also tried loading the key first, then the cert into the same
>>> keysmngr using SimpleKeysMngrLoadPemKey followed by a
>>> SimpleKeysMngrLoadPemCert, but I am not sure whether this means that
>>> the cert will be used when signing (if I try to validate a document
>>> after loading the key and cert, it will still not be verified with
>>> the online verifier). I have also tried putting the key and cert into
>>> the same file and load it with *LoadPemKey, but still no luck.
>>
>>
> In xmlsec 0.0.10 you can do following:
> 1) load the key and get xmlSecKeyPtr pointer (for example, using
> xmlSecSimpleKeysMngrLoadPemKey
> function)
> 2) load cert and add it to key using xmlSecKeyReadPemCert function
> 3) Put <dsig:509Data> element into the <dsig:KeyInfo> to force
> writing cert into the key
>
> Instead of steps 1) and 2) you can use xmlSecSimpleKeysMngrLoadPkcs12()
> that loads key
> and cert(s) from pkcs12 file.
Since I am generating the documents dynamically, I guess I need to add the
509Data node programatically. The way I do this is:
cur = xmlSecKeyInfoAddKeyValue(keyInfoNode);
if(cur == NULL) {
fprintf(stderr,"Error: failed to add KeyValue node\n");
xmlSecSignatureDestroy(signatureNode);
return(NULL);
}
cur = xmlSecKeyInfoAddX509Data(keyInfoNode);
if(cur == NULL) {
fprintf(stderr,"Error: failed to add X509Data node\n");
xmlSecSignatureDestroy(signatureNode);
return(NULL);
}
The KeyValue appears in the resulting document, but the X509Data does not. I
suspect this has something to do with how I read the key and certificate. This
part of the application is not in C, but in a script language named lua, but it
should be straightforward to understand:
io.write ("-- loading key\n")
keyPtr = xmlSec.SimpleKeysMngrLoadPemKey (keysMngr, "privkey.pem", "")
if (not keyPtr) then
error ("ERROR")
end
io.write ("-- assigning cert\n")
if (not xmlSec.KeyReadPemCert (keyPtr, "privkey-cert.pem")) then
error ("ERROR")
end
I am not sure this is (or should be) enough to generate a signed document, but
from the output, something is obviously wrong since no 509Data section appears
in the generated document (differently from the output of trying to do the same
in xmlsec).
On another note, I've also tried reading the aleksey.key using:
keyPtr = xmlSec.SimpleKeysMngrLoadPemKey (keysMngr, "aleksey.key", "1234")
and this fails with xmlSec it is not able to read the library. If I use:
openssl rsa -text -in aleksey.key
and input "1234" I get a textdump of the key. I have also verified that the bug
is not in my lua binding of xmlsec (by outputting the parameters that I send to
the C function).
Any idea why loadpemkey fails with a password? I'm running everything on Gentoo
Linux if that matters.
--
Mvh, Marius Kjeldahl
--------------030409070404070802000502
Content-Type: text/xml;
name="test.xml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="test.xml"
<?xml version="1.0"?>
<ThreeDSecure>
<Message>
<CRReq id="1111">
<Merchant>
<merID>MyMerchantID</merID>
<acqBIN>541306</acqBIN>
<password>MyPassword</password>
</Merchant>
<version>1.0.2</version>
</CRReq>
</Message>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="1111">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference Id="my-reference" URI="#xpointer(id('1111'))">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>h6WA52fEY8Cw5cg40KoYrDvD3i8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Dw9VqM50fYj4NPAtqjs5l2SKuIaPs1mKPlC3vTrig51cCG/6JfkJ/NQ+9JvBy+JT5AjaLCioCZ2nyzhwF4Y8obEj7FhucT6Emt6xIcvsH/HfYDEN1VMoHYL38NPh2SNNGUboZ5B0sOzjkJJ/ffZdUxSGvkBL07mz7X16pM1AQfg=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICTjCCAbcCAUEwDQYJKoZIhvcNAQEEBQAwgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxJjAkBgNVBAoTHWh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjMRYwFAYDVQQDEw1BbGVrc2V5IFNhbmluMSIwIAYJKoZIhvcNAQkBFhNhbGVrc2V5QGFsZWtzZXkuY29tMB4XDTAyMTExNzE0MzE1OFoXDTEyMTExNDE0MzE1OFowRDELMAkGA1UEBhMCTk8xDTALBgNVBAgTBE9zbG8xEjAQBgNVBAoTCVBheW5ldCBBUzESMBAGA1UEAxMJUGF5bmV0IEFTMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1dSBOg9Rxg8jCWreRrbBJnrjNyoDIR8E8pYL2n5fB1eRHxE7qRSlLCyu4ce7A8Cjw3KL+ARmhrlaXKFaS4rCRjp/ID3cGqX2v61JE/TuVMVrzZkVImGCvVbagAHBEDckBPozX9AATiw2aqpqn1ku/qaCTruMUW2KGGEr0WIuXeQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAJC++zdX0dR/t+1m4VlYYcHK6qDMAyAF4Z+68QjZnXzo0QVxxftst3JghhkDdoSNzFJlpu3Dwe45xYFjJtQkXx/Nzn9CbnPVpL/EzlSjb61+muR8tt1hDoG1rvOGQYbmXdYFiXu9/Mgnhd3wBrpNMzU21dwld4Sae/nyAdWN7Y0S</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>
tXUgToPUcYPIwlq3ka2wSZ64zcqAyEfBPKWC9p+XwdXkR8RO6kUpSwsruHHuwPAo
8Nyi/gEZoa5WlyhWkuKwkY6fyA93Bql9r+tSRP07lTFa82ZFSJhgr1W2oABwRA3J
AT6M1/QAE4sNmqqap9ZLv6mgk67jFFtihhhK9FiLl3k=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</ThreeDSecure>
--------------030409070404070802000502--