[xmlsec] Verifying a signature against a PEM certificate

Moultrie, Ferrell (ISSAtlanta) FMoultrie@iss.net
Mon, 25 Nov 2002 07:35:57 -0500


Hi:
  More from the OpenSSL doc I quoted earlier:

The ApacheSSL documentation, and the docs for the SSLeay toolkit, refer
to certificates and certificate requests as "PEM" files. They are not.
ApacheSSL, like all SSL secure servers, uses the (standard) X.509
certificate format. X.509 certificates are binary files, which are
difficult to send around by mail. So SSLeay stores them in BASE64
encoded format, between '-----BEGIN-----' and '-----END-----' lines.
BASE64 encoding was defined as part of the (old) Privacy Enhanced Mail
(PEM) specification, which is why the documentation calls them "PEM
format" files.

  To convert my DER binary encoded X509 certs so that
xmlSecSimpleKeysMngrLoadPemKey would load them I used:
x509 -inform der -text -in d:old_export.pem -out d:new_export.pem
  (the x509 utility is part of the openssl distribution)

If I understand your question, this should solve your problem.
Ferrell

-----Original Message-----
From: Asbjørn Oskal [mailto:asbjorn.oskal@welldiagnostics.com]
Sent: Monday, November 25, 2002 7:19 AM
To: xmlsec@aleksey.com
Subject: Re: [xmlsec] Verifying a signature against a PEM certificate


Hi!

It seems to me from the answers I have gotten that there are no easy ways to
verify XML-signatures against (the public key from) X509 PEM-certificate
files.
The xmlSecSimpleKeysMngrLoadPemKey does not accept loading public keys from
such files.
It does only accept public key files starting with -----BEGIN PUBLIC KEY-----
So, does any of you know a way of creating such public key files from X509
PEM-certificates?

The question is really, how can one make sure the identity of the signer
without verifying the signature against a public key you know belongs to the
signer. Or is it possible to check who is the owner of the public key
contained in the KeyInfo?

:)

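On the question of producing a `-----BEGIN PUBLIC KEY-----` file from a certificate, an added example (not part of either message, and not xmlsec or OpenSSL code): an X.509 certificate already contains the SubjectPublicKeyInfo structure that such a file holds, so it can be cut out of a PEM or DER certificate and re-wrapped. All function names and the constructed certificate skeleton are assumptions for illustration; the code only reformats the key and does not check that the certificate is trusted.

```python
import base64, textwrap
BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def tlv(tag, content):                     # DER encoder, used only to build the sample
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                       # long form: next N bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def to_pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def cert_to_der(data):
    """Accept PEM (text before the BEGIN line is ignored) or raw DER; return DER."""
    if BEGIN in data:
        data = base64.b64decode(data.split(BEGIN)[1].split(END)[0])
    return data

def public_key_pem(cert):
    """Cut SubjectPublicKeyInfo out of an X.509 certificate as PUBLIC KEY PEM."""
    der = cert_to_der(cert)
    outer, pos, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    inner, pos, _ = read_tlv(der, pos)     # tbsCertificate ::= SEQUENCE
    if (outer, inner) != (0x30, 0x30):
        raise ValueError("not an X.509 certificate")
    if der[pos] == 0xA0:                   # [0] version; v1 certificates omit it
        pos = read_tlv(der, pos)[2]
    for _ in range(5):                     # serial, sigalg, issuer, validity, subject
        pos = read_tlv(der, pos)[2]
    return to_pem("PUBLIC KEY", der[pos:read_tlv(der, pos)[2]])

def sample_cert(v1=False):
    """Constructed skeleton: X.509 layout with placeholder values, not a real key."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, bytes(141)))
    empty, ver = tlv(0x30, b""), b"" if v1 else tlv(0xA0, tlv(0x02, b"\x02"))
    tbs = tlv(0x30, ver + tlv(0x02, b"\x01") + alg + empty * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00")), spki
```

With a real certificate, pass the file's bytes to `public_key_pem` and write the returned text to the key file.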