[xmlsec] Verifying a signature against a PEM certificate
Moultrie, Ferrell (ISSAtlanta)
FMoultrie@iss.net
Thu, 21 Nov 2002 08:33:29 -0500
The keys manager does like/take the certs in the format you described. In fact, it requires them in that format rather than the binary format. OpenSSL is quite picky about this, as the following snippet from some OpenSSL FAQ shows. I don't recall exactly where I clipped this from, but I saved it since it's a useful explanation.

Ferrell

Error: "no start line:pem_lib.c" or "no end line:pem_lib.c".

Apache-SSL uses a toolkit called OpenSSL (formerly SSLeay), by Eric Young, for its security routines. OpenSSL is very fussy about the format of certificate requests and certificates. In particular, the BEGIN and END lines must look like:

-----BEGIN CERTIFICATE-----
this is your certificate
in BASE64 encoding
for easy transport
-----END CERTIFICATE-----

Note, there are 5 dashes before and after the BEGIN and END text, and they must form the first and last lines of the certificate (as above). Be careful when you cut and paste the certificate from the browser window into a text editor to create the certificate text file. Make sure you remove any trailing spaces, before and after the BEGIN or END lines, or you will see this error. On UNIX, you may also need to get rid of CTRL-M characters.

-----Original Message-----
From: Asbjørn Oskal [mailto:asbjorn.oskal@welldiagnostics.com]
Sent: Thursday, November 21, 2002 5:15 AM
To: xmlsec@aleksey.com
Subject: [xmlsec] Verifying a signature against a PEM certificate

Hi!

As I understand it, there are two ways to verify a signature against public keys not included in the signature itself.

Either load the public key and pass it as a parameter to the xmlSecDSigValidate function, or add the public key to the key manager and use the xmlSecKeyOriginKeyManager flag so that the key manager is searched for a key to use when verifying.

I have tried both but do not break through.

I could not find a way to load a usable (public) xmlSecKey.
I tried to use xmlSecKeyReadPemCert and it read the file, but then the keydata in the xmlSecKeyPtr was NULL and the key was rejected when I tried to use it.

I then tried to use xmlSecSimpleKeysMngrLoadPemKey, but it does not accept PEM files starting with
"-----BEGIN CERTIFICATE-----", which my certificate does.
As I understand it, it is the PEM_read_PUBKEY OpenSSL function that rejects the file.
Do external certificates have to be in this format, or are there any other ways to load public keys from PEM certificate files starting with "-----BEGIN CERTIFICATE-----"?

:)
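The FAQ text quoted in the reply lists the exact faults that produce OpenSSL's "no start line" / "no end line" errors: marker lines without exactly five dashes, trailing blanks on those lines, and CTRL-M (CR) characters left over from a Windows copy-paste. The checker below is an added illustration written for this archive page; it is not xmlsec or OpenSSL code, and its error strings only borrow OpenSSL's wording. It parses PEM blocks under those strict rules, reports the first fault it finds, applies the FAQ's clean-up advice, and also surfaces the second point in the thread: a block labelled CERTIFICATE is not a PUBLIC KEY block, which is why a reader that wants the latter (OpenSSL's PEM_read_PUBKEY looks for "-----BEGIN PUBLIC KEY-----") refuses a certificate file even when it is perfectly formatted. The sample PEM bodies are base64 of a placeholder string, constructed so the example runs offline; they are not real certificates.

```python
"""Strict PEM block checker modelled on the OpenSSL FAQ rules quoted above.

Added example for this thread, not xmlsec or OpenSSL code. The rules it
enforces are the ones the FAQ names: exactly five dashes around BEGIN/END,
no trailing whitespace on marker lines, no CR (CTRL-M) characters, and a
base64 body between a matching BEGIN and END pair.
"""
import base64
import binascii
import re

# Marker lines: five dashes, BEGIN/END, a label, five dashes, nothing else.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


class PemError(ValueError):
    """Carries a message naming the first formatting problem found."""


def check_pem(text):
    """Parse every PEM block in `text`; return a list of (label, bytes).

    Raises PemError for the faults the FAQ warns about: CR characters, a
    mangled BEGIN/END marker (wrong dash count or trailing blanks), an END
    label that does not match its BEGIN, a block that is never closed, or a
    body that is not valid base64.
    """
    if "\r" in text:
        raise PemError("CR (CTRL-M) characters present; fix the line endings first")
    blocks, label, body = [], None, []
    for number, line in enumerate(text.split("\n"), start=1):
        if label is None:
            # Outside a block: a clean BEGIN line opens one; a line that
            # mentions BEGIN but fails the strict pattern is "no start line".
            m = BEGIN_RE.match(line)
            if m:
                label, body = m.group(1), []
            elif "BEGIN" in line:
                raise PemError(f"no start line: malformed BEGIN marker on line {number}: {line!r}")
            # Other text before the first BEGIN is skipped, as PEM readers do.
            continue
        m = END_RE.match(line)
        if m:
            if m.group(1) != label:
                raise PemError(f"END label {m.group(1)!r} does not match BEGIN {label!r}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise PemError(f"bad base64 in {label} block: {exc}") from None
            blocks.append((label, der))
            label = None
        elif line.startswith("-") and "END" in line:
            # Base64 never starts with '-', so this is a damaged END marker.
            raise PemError(f"no end line: malformed END marker on line {number}: {line!r}")
        elif line.strip():
            body.append(line.strip())
    if label is not None:
        raise PemError(f"no end line: {label} block never closed")
    return blocks


def first_problem(text):
    """Return the checker's complaint as a string, or None if the PEM is clean."""
    try:
        check_pem(text)
    except PemError as exc:
        return str(exc)
    return None


def normalize(text):
    """Apply the FAQ's advice: drop CR characters and trailing whitespace."""
    return "\n".join(line.rstrip() for line in text.replace("\r", "").split("\n"))


def labels(text):
    """Block labels in the file, e.g. ['CERTIFICATE'] versus ['PUBLIC KEY']."""
    return [label for label, _ in check_pem(text)]


# Constructed sample input: base64 of a placeholder string, NOT real DER.
FAKE_DER = b"constructed placeholder, not DER"
GOOD_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode() + "\n"
    + "-----END CERTIFICATE-----\n"
)
# The same block after a careless paste from a Windows browser window.
CRLF_CERT_PEM = GOOD_CERT_PEM.replace("\n", "\r\n")
# The same block with a single trailing blank after the BEGIN marker.
TRAILING_SPACE_PEM = GOOD_CERT_PEM.replace("CERTIFICATE-----\n", "CERTIFICATE----- \n", 1)

if __name__ == "__main__":
    for name, pem in [("clean", GOOD_CERT_PEM), ("CRLF", CRLF_CERT_PEM),
                      ("trailing blank", TRAILING_SPACE_PEM)]:
        print(f"{name:15s}: {first_problem(pem) or labels(pem)}")
    print(f"{'normalized CRLF':15s}: {labels(normalize(CRLF_CERT_PEM))}")
    # Even the clean file is a CERTIFICATE block, not a PUBLIC KEY block.
    print("is a PUBLIC KEY block:", "PUBLIC KEY" in labels(GOOD_CERT_PEM))
```

Running the script shows the clean file parsing, the CRLF and trailing-blank copies failing with the "CR" and "no start line" complaints, and the normalized copy parsing again. The last line is the point of the original question: `labels()` reports `CERTIFICATE`, so a loader that only accepts a public-key block will still reject the file after the formatting is fixed. With the OpenSSL command line, `openssl x509 -in cert.pem -noout -pubkey` writes the certificate's public key out as a `-----BEGIN PUBLIC KEY-----` block, which is the label that kind of loader expects.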