[xmlsec] Problem with xmlSecSimpleKeysMngrLoadPemCert

Aleksey Sanin aleksey at aleksey.com
Tue Sep 3 13:43:47 PDT 2002


I would suggest doing the following:
    1) add <dsig:KeyName> to your application name to identify your key
       (just in case you later decide to use two keys :) )
    2) in the application, use the xmlSecSimpleKeysMngrLoadPemKey() function
       to load the key from a PEM file and set the key name directly (take a
       look at the readPemKey() function in the apps/xmlsec.c file from the
       xmlsec package)
    3) during validation, do not forget to set the xmlSecKeyOriginKeyName and
       xmlSecKeyOriginKeyManager flags (or simply xmlSecKeyOriginAll) in the
       allowedOrigins field of the xmlSecKeysMngr structure

After this, XMLSec should be able to find and use the loaded key automatically.

Aleksey

Devin Heitmueller wrote:

>Ok, let me give some more detail.
>
>The goal is to run an application, providing it with an XML file that is
>signed with a DSA private key.  The application should validate the
>signature using the DSA public key stored in a separate file on the
>local workstation.
>
>The creation and signing of the XML file appears to work fine.  I do not
>embed the key in the XML file itself.
>
>The verification application should load the DSA public key into the key
>list, then validate the XML document signature with the DSA public key. 
>
>I used xmlSecSimpleKeysMngrLoadPemKey to load the public key, providing
>NULL for the keyPwd and keyPwdCallback arguments.  It's not returning
>any errors, but I am still not sure if the public key is actually being
>loaded into the keylist.  
>
>The basic problem seems to be getting the DSA public key from the PEM
>encoded file into an xmlSecKeyPtr structure, which I can provide as a
>argument to xmlSecDSigValidate().
>
>Thanks,
>
>-Devin
>
>On Tue, 2002-09-03 at 15:04, Aleksey Sanin wrote:
>
>>I am not sure I clearly understand what you mean by "verify an XML file
>>given a specific cert". From your XML file you should point to the given
>>key known to the application or provide the key in the signature (maybe in
>>a cert). And on the application side you need to have this key available or
>>know how to get the key from the file. For example, in the XML file you can
>>include a full cert and the application should be able to verify the cert
>>and extract the key.
>>XMLSec library extracts the public key from the provided cert automatically
>>but the key is *not* included in the keys list. You can point to a cert
>>using issuer serial/name, subject, SKI and if such a cert was loaded with
>>xmlSecSimpleKeysMngrLoadPemKey() it will be found and the key extracted.
>>
>>Aleksey
>>
>>
>>Devin Heitmueller wrote:
>>
>>
>>>So, if I wanted to verify an XML file given a specific cert, I should
>>>perform an xmlSecSimpleKeysMngrLoadPemKey() with the privateKey flag set
>>>to 'public', then perform an xmlSecSimpleKeysMngrAddKey ()?
>>>
>>>Thanks,
>>>
>>>Devin
>>>
>>>On Tue, 2002-09-03 at 14:42, Aleksey Sanin wrote:
>>>
>>>>The cert will be saved to the keys file if (and only if) it is
>>>>associated with a key.
>>>>xmlSecSimpleKeysMngrLoadPemCert() function has two purposes:
>>>>   1) load a "trusted" cert (i.e. root CA cert)
>>>>   2) load an "untrusted" cert which could be pointed to from the XML DSig
>>>>      <dsig:X509Data> element by subject, issuer serial/issuer name or SKI
>>>>      (http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
>>>>
>>>>
>>>>Aleksey
>>>>
>>>>Devin Heitmueller wrote:
>>>>
>>>>
>>>>>I am attempting to make use of the xmlSecSimpleKeysMngrLoadPemCert
>>>>>facility to load a certificate from a file into the key manager.  The
>>>>>call returns with no errors, but it looks like the cert is never
>>>>>actually added to the key manager store.
>>>>>
>>>>>I wrote some sample code to demonstrate the problem (see attached).  I
>>>>>am attempting to add the DSA certificate dsacert.pem that is included
>>>>>with the distribution in the "tests/keys" directory.  The sample code
>>>>>creates the key manager instance, adds the certificate, then saves the
>>>>>key manager contents out to an XML file.
>>>>>
>>>>>I suspect I am using the function wrong, but any advice that could be
>>>>>offered would be greatly appreciated.
>>>>>
>>>>>Thanks,
>>>>>
>>>>>
>>>>>
>>>>>------------------------------------------------------------------------
>>>>>
>>>>>-----BEGIN CERTIFICATE-----
>>>>>MIIEvTCCBGegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBojELMAkGA1UEBhMCVVMx
>>>>>EzARBgNVBAgTCkNhbGlmb3JuaWExJjAkBgNVBAoTHWh0dHA6Ly93d3cuYWxla3Nl
>>>>>eS5jb20veG1sc2VjMRowGAYDVQQLExFTZWNvbmQgTGV2ZWwgQ2VydDEWMBQGA1UE
>>>>>AxMNQWxla3NleSBTYW5pbjEiMCAGCSqGSIb3DQEJARYTYWxla3NleUBhbGVrc2V5
>>>>>LmNvbTAeFw0wMjAzMjkyMjI2NTNaFw0wMzAzMjkyMjI2NTNaMIGkMQswCQYDVQQG
>>>>>EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEmMCQGA1UEChMdaHR0cDovL3d3dy5h
>>>>>bGVrc2V5LmNvbS94bWxzZWMxHDAaBgNVBAsTE0RTQSBLZXkgQ2VydGlmaWNhdGUx
>>>>>FjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xIjAgBgkqhkiG9w0BCQEWE2FsZWtzZXlA
>>>>>YWxla3NleS5jb20wggG2MIIBKwYHKoZIzjgEATCCAR4CgYEAimW6KYBPYXAf6itS
>>>>>AuYs1aLPfs8/vBEiusv/pl1XMiuMvB7vyiJgSj8/NTkRci/UX/rVXv8rbCRjvYFX
>>>>>3x5/53f4hc6HKz7JQI4qqB7Fl5N86zp+BsQxNQ4tzous9S2HTd2/zdTwVsvO+H9l
>>>>>3FahmVp/m2IHE4W27JYoF49qP10CFQC//HNaqNG+J6STasxbfCliylP1SwKBgFCM
>>>>>s1A5S3urggoBeEYffH4imb4OuFCeBTOS/lmwkjJlbBTdOn08Mct52jzzgs86Ln7B
>>>>>7/wb3toL6w73dO/KF1iSX/QOOKSGZyZHYxIZtkbAxaVzatLTymRXI1bHZqoODF+m
>>>>>DbsKb2bk8EqAxubtUDDdJph/YJmyE94/ceDDvuxGA4GEAAKBgDp/igSRN6tU0YRv
>>>>>UbKTV9NVSOQtFc0suDf0MguGMxBDaKtxiZChyGKvoK6vWalfcYNhnqP95qoXXBDT
>>>>>rWEZlhHzmSY9fKLpA+kzXHmEWeB4x4yt1mN8CtjlekDpcvpN38YBEKT/+yJQpGuW
>>>>>CAi7h1626o5+W9F3CvS9hg7Vjso7o4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgB
>>>>>hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
>>>>>FEe1ThoXo+wDwzhsCfW0cuROuISWMIHHBgNVHSMEgb8wgbyAFHjXLZFhL5UiSrvh
>>>>>1T3GJq+rl9IEoYGgpIGdMIGaMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
>>>>>cm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMSYwJAYDVQQKEx1odHRwOi8vd3d3LmFs
>>>>>ZWtzZXkuY29tL3htbHNlYzEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEiMCAGCSqG
>>>>>SIb3DQEJARYTYWxla3NleUBhbGVrc2V5LmNvbYIBATANBgkqhkiG9w0BAQQFAANB
>>>>>AL2thaC8jmlUvEGLHR1B3+7XJho4sXllkHgclSXJnD/NGssj5XzQHpbLVSfNEEUe
>>>>>JKG28F0vyT05hEsXAHAtg9o=
>>>>>-----END CERTIFICATE-----
>>>>>
>>>>>
>>>>>------------------------------------------------------------------------
>>>>>
>>>>>/*
>>>>>* Netilla License Display tool
>>>>>* Devin J. Heitmueller Aug 27 2002
>>>>>*/
>>>>>
>>>>>#include <stdio.h>
>>>>>#include <string.h>
>>>>>#include <stdlib.h>
>>>>>
>>>>>/* Required for RAND_status() / RAND_seed() below */
>>>>>#include <openssl/rand.h>
>>>>>
>>>>>/*
>>>>>* COMPAT using xml-config --cflags to get the include path this will
>>>>>* work with both 
>>>>>*/
>>>>>#include <libxml/xmlmemory.h>
>>>>>#include <libxml/parser.h>
>>>>>
>>>>>/* Required for xmlsec (0.0.x API of the time) */
>>>>>#include <xmlsec/xmlsec.h>
>>>>>#include <xmlsec/xmldsig.h> 
>>>>>#include <xmlsec/keysmngr.h>
>>>>>#include <xmlsec/xmltree.h>
>>>>>
>>>>>int
>>>>>main (int argc, char **argv)
>>>>>{
>>>>>    xmlSecKeyPtr pubkey = NULL;           /* unused in this sample */
>>>>>    xmlSecDSigCtxPtr dsigCtx = NULL;      /* unused in this sample */
>>>>>    xmlSecKeysMngrPtr keysMngr = NULL; 
>>>>>    int load_pub_cert_result = 0;
>>>>>    int rnd_seed = 0;
>>>>>
>>>>>    /** 
>>>>>     * Init OpenSSL: make sure the PRNG reports itself seeded before
>>>>>     * any xmlsec call touches it
>>>>>     */    
>>>>>    while (RAND_status() != 1) {
>>>>>        RAND_seed(&rnd_seed, sizeof(rnd_seed));
>>>>>    }
>>>>>
>>>>>    /*
>>>>>     * Init libxml
>>>>>     */     
>>>>>    xmlInitParser();
>>>>>    LIBXML_TEST_VERSION
>>>>>
>>>>>    /*
>>>>>     * Init xmlsec
>>>>>     */
>>>>>    xmlSecInit();    
>>>>>
>>>>>    /** 
>>>>>     * Create the keys manager
>>>>>     */
>>>>>    keysMngr = xmlSecSimpleKeysMngrCreate();    
>>>>>    if(keysMngr == NULL) {
>>>>>        fprintf(stderr, "Error: failed to create keys manager\n");
>>>>>        return -1;
>>>>>    }
>>>>>
>>>>>    /** 
>>>>>     * Add the test cert to the key manager; the last argument is the
>>>>>     * "trusted" flag
>>>>>     */
>>>>>    load_pub_cert_result = xmlSecSimpleKeysMngrLoadPemCert (keysMngr,
>>>>>                                                            "dsacert.pem", 1);
>>>>>    if (load_pub_cert_result != 0)
>>>>>    {
>>>>>        fprintf(stderr, "Error: failed to load public cert\n");
>>>>>        return -1;
>>>>>    }
>>>>>
>>>>>    /* Write the keys back to a file (to inspect what the manager holds) */
>>>>>    xmlSecSimpleKeysMngrSave(keysMngr, "test.xml", xmlSecKeyTypeAny);
>>>>>
>>>>>    return 0;
>>>>>}