[xmlsec] Verifying a signature against a PEM certificate

Moultrie, Ferrell (ISSAtlanta) FMoultrie@iss.net
Thu, 21 Nov 2002 08:33:29 -0500


The keys manager does like/take the certs in the format you described. In
fact, it requires them in that format rather than the binary format. OpenSSL
is quite picky about this, as the following snippet from some OpenSSL FAQ
shows. I don't recall exactly where I clipped this from, but I saved it since
it's a useful explanation.
Ferrell

Error: "no start line:pem_lib.c" or "no end line:pem_lib.c".
Apache-SSL uses a toolkit called OpenSSL (formerly SSLeay), by Eric Young,
for its security routines. OpenSSL is very fussy about the format of
certificate requests and certificates. In particular, the BEGIN and END lines
must look like:

-----BEGIN CERTIFICATE-----

this is your certificate
in BASE64 encoding
for easy transport

-----END CERTIFICATE-----

Note, there are 5 dashes before and after the BEGIN and END text, and they
must form the first and last lines of the certificate (as above). Be careful
when you cut and paste the certificate from the browser window into a text
editor to create the certificate text file. Make sure you remove any trailing
spaces, before and after the BEGIN or END lines, or you will see this error.
On UNIX, you may also need to get rid of CTRL-M characters.



	-----Original Message-----
	From: Asbjørn Oskal [mailto:asbjorn.oskal@welldiagnostics.com]
	Sent: Thursday, November 21, 2002 5:15 AM
	To: xmlsec@aleksey.com
	Subject: [xmlsec] Verifying a signature against a PEM certificate

	Hi!

	As I understand, there are two ways to verify a signature against public
	keys not included in the signature itself.

	Either load the public key and send it as a parameter to the
	xmlSecDSigValidate function, or add the public key to the Keymanager and
	use the xmlSecKeyOriginKeyManager flag so that the key manager is
	searched for a key to use when verifying.

	I have tried both but do not break through.

	I could not find a way to load a usable (public) xmlSecKey.
	I tried to use xmlSecKeyReadPemCert and it read the file, but then the
	keydata in the xmlSecKeyPtr was NULL and the key was rejected when I
	tried to use it.

	I then tried to use xmlSecSimpleKeysMngrLoadPemKey, but it does not
	accept PEM files starting with
	"-----BEGIN CERTIFICATE-----", which my certificate does.
	As I understand, it is the PEM_read_PUBKEY OpenSSL function that rejects
	the file.
	Do external certificates have to be in this format, or are there any
	other ways to load public keys from PEM certificate files starting with
	"-----BEGIN CERTIFICATE-----"?

	:)
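A worked example added to this archive page (it is not code from the thread, from xmlsec or from OpenSSL): a small Python reader that applies the FAQ's rules above (five dashes, BEGIN first and END last, no trailing spaces, no CTRL-M, clean base64 body), repairs a file that a text editor has damaged, and reports which OpenSSL PEM_read_* routine accepts a given label. It also flags the situation in the question: PEM_read_PUBKEY only understands a PUBLIC KEY block, so a file labelled CERTIFICATE has to be read with PEM_read_X509 and the key taken out of the certificate before anything expecting a public-key block will load it. The label-to-reader table reflects OpenSSL's documented PEM_read_PUBKEY, PEM_read_RSAPublicKey and PEM_read_X509 routines; the DER payload in the sample is a constructed stand-in for a real certificate body, not a real certificate, and the damaged sample is constructed to mimic a CRLF round trip with a trailing space.

```python
"""Strict PEM reader / repairer for the 'no start line' and 'no end line' cases.

Added example for the xmlsec thread above; not code from xmlsec or OpenSSL.
"""
import base64
import binascii
import re

# Which OpenSSL PEM_read_* routine accepts a given PEM label.  PEM_read_PUBKEY
# wants a PUBLIC KEY block; a CERTIFICATE block is read with PEM_read_X509 and
# the key extracted with X509_get_pubkey (or `openssl x509 -pubkey -noout`).
OPENSSL_READER = {
    "PUBLIC KEY": "PEM_read_PUBKEY",
    "RSA PUBLIC KEY": "PEM_read_RSAPublicKey",
    "CERTIFICATE": "PEM_read_X509",
    "X509 CERTIFICATE": "PEM_read_X509",
}

_LABEL = r"([A-Z0-9]+(?: [A-Z0-9]+)*)"
_BEGIN = re.compile(r"^-----BEGIN " + _LABEL + r"-----$")
_END = re.compile(r"^-----END " + _LABEL + r"-----$")


class PemError(ValueError):
    """Raised with a message naming the FAQ condition that was violated."""


def parse_pem(text):
    """Strict reader: returns (label, der_bytes) or raises PemError."""
    if "\r" in text:
        raise PemError("CR (CTRL-M) characters present; convert the line endings")
    lines = text.split("\n")
    if lines and lines[-1] == "":          # tolerate exactly one final newline
        lines.pop()
    begin = _BEGIN.match(lines[0]) if lines else None
    if begin is None:                      # trailing space on the BEGIN line ends up here
        raise PemError("no start line: first line is %r" % (lines[0] if lines else ""))
    label = begin.group(1)
    end = _END.match(lines[-1])
    if end is None:
        raise PemError("no end line: last line is %r" % lines[-1])
    if end.group(1) != label:
        raise PemError("BEGIN label %r does not match END label %r" % (label, end.group(1)))
    try:
        # validate=True rejects stray spaces or other junk inside the body
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise PemError("body is not clean base64 (trailing whitespace?): %s" % exc)
    if not der or der[0] != 0x30:          # certificates and SubjectPublicKeyInfo are SEQUENCEs
        raise PemError("decoded body does not start with a DER SEQUENCE tag")
    return label, der


def load_error(text):
    """Return the PemError message for a file, or None if it parses cleanly."""
    try:
        parse_pem(text)
    except PemError as exc:
        return str(exc)
    return None


def repair_pem(text):
    """Apply the FAQ's clean-up (drop CRs, trailing whitespace, blank lines
    before BEGIN / after END) and re-validate the result."""
    lines = [ln.rstrip() for ln in text.replace("\r", "").split("\n")]
    while lines and not lines[0]:
        lines.pop(0)
    while lines and not lines[-1]:
        lines.pop()
    fixed = "\n".join(lines) + "\n"
    parse_pem(fixed)                       # raises if it is still not loadable
    return fixed


def pem_from_der(label, der):
    """Emit PEM the way OpenSSL writes it: 64-column base64, LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def openssl_loader(text):
    """Say which OpenSSL reader takes this file and whether the public key
    still has to be pulled out of a certificate afterwards."""
    label, _ = parse_pem(text)
    reader = OPENSSL_READER.get(label)
    if reader is None:
        raise PemError("unsupported PEM label %r" % label)
    return {"label": label, "reader": reader,
            "needs_pubkey_extraction": reader == "PEM_read_X509"}


# Constructed sample: a minimal DER SEQUENCE standing in for a certificate body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
GOOD_CERT = pem_from_der("CERTIFICATE", SAMPLE_DER)
# The same file after a Windows editor round trip: CRLF endings plus a trailing
# space after the BEGIN line (constructed damage, the FAQ's two complaints).
DAMAGED_CERT = GOOD_CERT.replace("\n", "\r\n").replace("-----\r\n", "----- \r\n", 1)

if __name__ == "__main__":
    for name, text in (("good", GOOD_CERT), ("damaged", DAMAGED_CERT)):
        print(name, "->", load_error(text) or openssl_loader(text))
    print("repaired ->", openssl_loader(repair_pem(DAMAGED_CERT)))
```

The same conversion from the command line: `openssl x509 -in cert.pem -pubkey -noout` prints the certificate's public key as a `-----BEGIN PUBLIC KEY-----` block, which is the form PEM_read_PUBKEY expects; a verifier that then trusts that key still has to decide, separately, whether the certificate it came from is one it should trust.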

