[xmlsec] Problem with xmlSecSimpleKeysMngrLoadPemCert

Devin Heitmueller dheitmueller at netilla.com
Tue Sep 3 13:49:18 PDT 2002


Never mind.  I figured out the problem.  I used the wrong private key
when I signed the XML file, and spent an hour trying to figure out why
it wouldn't validate.

Ok, I'm stupid.

-Devin

On Tue, 2002-09-03 at 15:56, Devin Heitmueller wrote:
> Ok, let me give some more detail.
> 
> The goal is to run an application, providing it with an XML file that is
> signed with a DSA private key.  The application should validate the
> signature using the DSA public key stored in a separate file on the
> local workstation.
> 
> The creation and signing of the XML file appears to work fine.  I do not
> embed the key in the XML file itself.
> 
> The verification application should load the DSA public key into the key
> list, then validate the XML document signature with the DSA public key. 
> 
> I used xmlSecSimpleKeysMngrLoadPemKey to load the public key, providing
> NULL for the keyPwd and keyPwdCallback arguments.  It's not returning
> any errors, but I am still not sure if the public key is actually being
> loaded into the keylist.  
> 
> The basic problem seems to be getting the DSA public key from the PEM
> encoded file into an xmlSecKeyPtr structure, which I can provide as a
> argument to xmlSecDSigValidate().
> 
> Thanks,
> 
> -Devin
> 
> On Tue, 2002-09-03 at 15:04, Aleksey Sanin wrote:
> > I am not sure I clear understand what do you mean by "verify an XML file 
> > given
> > a specific cert". From you XML file you should point to the given key known
> > to application or provide the key in the signature (may be in cert).
> > And on the application side you need to have this key available or know 
> > how to get
> > key from the file. For example, in XML file you can include a full cert 
> > and application
> > should be able to verify cert and extract key.
> > XMLSec library extracts the public key from provided cert automatically 
> > but the key
> > is *not* included in the keys list. You can point to a cert using issuer 
> > serial/name,
> > subject, SKI and if such cert was loaded with 
> > xmlSecSimpleKeysMngrLoadPemKey()
> > it will be found and key extracted.
> > 
> > Aleksey
> > 
> > 
> > Devin Heitmueller wrote:
> > 
> > >So, if I wanted to verify an XML file given a specific cert, I should
> > >perform an xmlSecSimpleKeysMngrLoadPemKey() with the privateKey flag set
> > >to 'public', then perform an xmlSecSimpleKeysMngrAddKey ()?
> > >
> > >Thanks,
> > >
> > >Devin
> > >
> > >On Tue, 2002-09-03 at 14:42, Aleksey Sanin wrote:
> > >  
> > >
> > >>The cert will be saved to the keys file if (and only if) it is 
> > >>associated with a key.
> > >>xmlSecSimpleKeysMngrLoadPemCert() function has two purposes:
> > >>    1) load a "trusted" cert (i.e. root CA cert)
> > >>    2) load an "untrusted" cert which could be pointed from XML DSig 
> > >><dsig:X509Data>
> > >>    element by subject, issuer serial/issuer name or SKI 
> > >>(http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
> > >>
> > >>
> > >>Aleksey
> > >>
> > >>Devin Heitmueller wrote:
> > >>
> > >>    
> > >>
> > >>>I am attempting to make use of the xmlSecSimpleKeysMngrLoadPemCert
> > >>>facility to load a certificate from a file into the key manager.  The
> > >>>call returns with  no errors, but it looks like the cert is never
> > >>>actually added to the key manager store.
> > >>>
> > >>>I wrote some sample code to demonstrate the problem (see attached).  I
> > >>>am attempting to add the DSA certificate dsacert.pem that is included
> > >>>with the distribution in the "tests/keys" directory.  The sample code
> > >>>creates the key manager instance, adds the certificate, then saves the
> > >>>key manager contents out to an XML file.
> > >>>
> > >>>I suspect I am using the function wrong, but any advice that could be
> > >>>offered would be greatly appreciated.
> > >>>
> > >>>Thanks,
> > >>>
> > >>> 
> > >>>
> > >>>------------------------------------------------------------------------
> > >>>
> > >>>-----BEGIN CERTIFICATE-----
> > >>>MIIEvTCCBGegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBojELMAkGA1UEBhMCVVMx
> > >>>EzARBgNVBAgTCkNhbGlmb3JuaWExJjAkBgNVBAoTHWh0dHA6Ly93d3cuYWxla3Nl
> > >>>eS5jb20veG1sc2VjMRowGAYDVQQLExFTZWNvbmQgTGV2ZWwgQ2VydDEWMBQGA1UE
> > >>>AxMNQWxla3NleSBTYW5pbjEiMCAGCSqGSIb3DQEJARYTYWxla3NleUBhbGVrc2V5
> > >>>LmNvbTAeFw0wMjAzMjkyMjI2NTNaFw0wMzAzMjkyMjI2NTNaMIGkMQswCQYDVQQG
> > >>>EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEmMCQGA1UEChMdaHR0cDovL3d3dy5h
> > >>>bGVrc2V5LmNvbS94bWxzZWMxHDAaBgNVBAsTE0RTQSBLZXkgQ2VydGlmaWNhdGUx
> > >>>FjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xIjAgBgkqhkiG9w0BCQEWE2FsZWtzZXlA
> > >>>YWxla3NleS5jb20wggG2MIIBKwYHKoZIzjgEATCCAR4CgYEAimW6KYBPYXAf6itS
> > >>>AuYs1aLPfs8/vBEiusv/pl1XMiuMvB7vyiJgSj8/NTkRci/UX/rVXv8rbCRjvYFX
> > >>>3x5/53f4hc6HKz7JQI4qqB7Fl5N86zp+BsQxNQ4tzous9S2HTd2/zdTwVsvO+H9l
> > >>>3FahmVp/m2IHE4W27JYoF49qP10CFQC//HNaqNG+J6STasxbfCliylP1SwKBgFCM
> > >>>s1A5S3urggoBeEYffH4imb4OuFCeBTOS/lmwkjJlbBTdOn08Mct52jzzgs86Ln7B
> > >>>7/wb3toL6w73dO/KF1iSX/QOOKSGZyZHYxIZtkbAxaVzatLTymRXI1bHZqoODF+m
> > >>>DbsKb2bk8EqAxubtUDDdJph/YJmyE94/ceDDvuxGA4GEAAKBgDp/igSRN6tU0YRv
> > >>>UbKTV9NVSOQtFc0suDf0MguGMxBDaKtxiZChyGKvoK6vWalfcYNhnqP95qoXXBDT
> > >>>rWEZlhHzmSY9fKLpA+kzXHmEWeB4x4yt1mN8CtjlekDpcvpN38YBEKT/+yJQpGuW
> > >>>CAi7h1626o5+W9F3CvS9hg7Vjso7o4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgB
> > >>>hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
> > >>>FEe1ThoXo+wDwzhsCfW0cuROuISWMIHHBgNVHSMEgb8wgbyAFHjXLZFhL5UiSrvh
> > >>>1T3GJq+rl9IEoYGgpIGdMIGaMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
> > >>>cm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMSYwJAYDVQQKEx1odHRwOi8vd3d3LmFs
> > >>>ZWtzZXkuY29tL3htbHNlYzEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEiMCAGCSqG
> > >>>SIb3DQEJARYTYWxla3NleUBhbGVrc2V5LmNvbYIBATANBgkqhkiG9w0BAQQFAANB
> > >>>AL2thaC8jmlUvEGLHR1B3+7XJho4sXllkHgclSXJnD/NGssj5XzQHpbLVSfNEEUe
> > >>>JKG28F0vyT05hEsXAHAtg9o=
> > >>>-----END CERTIFICATE-----
> > >>> 
> > >>>
> > >>>------------------------------------------------------------------------
> > >>>
> > >>>/*
> > >>>* Netilla License Display tool
> > >>>* Devin J. Heitmueller Aug 27 2002
> > >>>*/
> > >>>
> > >>>#include <stdio.h>
> > >>>#include <string.h>
> > >>>#include <stdlib.h>
> > >>>
> > >>>/*
> > >>>* COMPAT using xml-config --cflags to get the include path this will
> > >>>* work with both 
> > >>>*/
> > >>>#include <libxml/xmlmemory.h>
> > >>>#include <libxml/parser.h>
> > >>>
> > >>>/* Required for xmlsec */
> > >>>#include <xmlsec/xmlsec.h>
> > >>>#include <xmlsec/xmldsig.h> 
> > >>>#include <xmlsec/keysmngr.h>
> > >>>#include <xmlsec/xmltree.h>
> > >>>
> > >>>int
> > >>>main (int argc, char **argv)
> > >>>{
> > >>> xmlSecKeyPtr pubkey;
> > >>> xmlSecDSigCtxPtr dsigCtx = NULL;
> > >>> xmlSecKeysMngrPtr keysMngr = NULL; 
> > >>> int load_pub_cert_result = 0;
> > >>> int rnd_seed = 0;
> > >>>
> > >>> /** 
> > >>>  * Init OpenSSL
> > >>>  */    
> > >>> while (RAND_status() != 1) {
> > >>>   RAND_seed(&rnd_seed, sizeof(rnd_seed));
> > >>> }
> > >>> 
> > >>> /*
> > >>>  * Init libxml
> > >>>  */     
> > >>> xmlInitParser();
> > >>> LIBXML_TEST_VERSION
> > >>> 
> > >>> /*
> > >>>  * Init xmlsec
> > >>>  */
> > >>> xmlSecInit();    
> > >>>
> > >>> /** 
> > >>>  * Create Keys managers
> > >>>  */
> > >>> keysMngr = xmlSecSimpleKeysMngrCreate();    
> > >>> if(keysMngr == NULL) {
> > >>>   fprintf(stderr, "Error: failed to create keys manager\n");
> > >>>   return -1;
> > >>> }
> > >>>
> > >>> /** 
> > >>>  * Add the test cert to the public key list
> > >>>  */
> > >>> load_pub_cert_result = xmlSecSimpleKeysMngrLoadPemCert (keysMngr,
> > >>>							  "dsacert.pem", 1);
> > >>> if (load_pub_cert_result != 0)
> > >>>   {
> > >>>     fprintf(stderr, "Error: failed load public key\n");
> > >>>     return -1;
> > >>>   }
> > >>>
> > >>> /* Write the keys back to a file */
> > >>> xmlSecSimpleKeysMngrSave(keysMngr, "test.xml", xmlSecKeyTypeAny);
> > >>>
> > >>> return 0;
> > >>>}
> > >>> 
> > >>>
> > >>>      
> > >>>
> > 
> > 
> -- 
> Devin Heitmueller
> Senior Software Engineer
> Netilla Networks Inc
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
-- 
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc




More information about the xmlsec mailing list