[xmlsec] XMLsec Command Line Utility and MSCrypto

Edward Shallow ed.shallow@rogers.com
Thu, 18 Sep 2003 16:06:53 -0400 

I think I got the answer I was looking for, but please explain exactly =
how
(that is with which command line sub-argument) do I identify private and
public (or both) keys when doing for example a sign or an encrpyt.

In other words today with OpenSSL I just say the following on the =
command
line:=20

> sign --pkcs12 keys/EdCert.p12 --pwd 1234 .....

Or

> encrypt --pubkey-pem keys/EdPub.pem --session-key des-192 ...


What do I say when referring to these keys in the MS world ? Are there
subtle command line syntax differences ? Lastly, when using our
XMLSec-enabled application in a real MS Crypto Store world there will be =
no
pkcs12s lying around.

Ed

  =20


-----Original Message-----
From: xmlsec-admin@aleksey.com [mailto:xmlsec-admin@aleksey.com] On =
Behalf
Of Wouter
Sent: September 18, 2003 2:37 PM
To: 'Aleksey Sanin'; 'Edward Shallow'
Cc: xmlsec@aleksey.com

Hi,

Aleksey is right here. Currently the key or certificate can be loaded by
giving it's keyname. However there are a few angles here (when I use
certificate, I mean actually certificate *with* public/private keypair,
since the certificate is the identifier for the keys with MS):

If more then 1 certificate is available in your certificate store with =
the
same name (I think it's even quite a big change that will happen), only =
the
first found will be loaded.
If you look for a certificate that does not reside in your personal =
local
default store, it will not be found.

I think there is a need to load the keys with other parameters as well,
possibly with a (limited?) support from the command line. I think for
example that the NSS Keys database also can benefit with a more generic
interface in the loading of keys (for example using another then default =
key
db)? I was thinking about a more generic approach here where some kind =
of
'search parameter(s)' can be set for finding keys (and possible
certificates) (setKeySearchParameter(enum searchType, *value)). The type =
of
search parameters supported by a keys manager can be different for each =
keys
manager.=20

This story is a bit vague probably, and interferes perhaps with the =
keyinfo
context, but I had no clear idea yet, how this can fit in the xmlsec
library.=20

Another (a bit related) thing I ran into is the lack of support for =
loading
keys from memory. I know OpenSSL crypto implementation supports this
feature, but it isn't propagated in the generic interface. Are there =
plans
into this direction?

Wouter

> -----Original Message-----
> From: xmlsec-admin@aleksey.com
> [mailto:xmlsec-admin@aleksey.com] On Behalf Of Aleksey Sanin
> Sent: Thursday, September 18, 2003 21:12
> To: Edward Shallow
> Cc: xmlsec@aleksey.com
> Subject: Re: [xmlsec] XMLsec Command Line Utility and MSCrypto
>=20
>=20
> I am not sure I clear understand what do you want to do. The=20
> "--pkcs12", "--privkey", etc.
> just load the key from a file and put it into the keys manager. The=20
> key then could be refered to by name from xml files. If I understand=20
> the MSCrypto implementation correctly, you should be able to refer to=20
> the exsiting key in MS Crypto store by name w/o any special "loading"
> because default keys manager for MSCrypto does look for key in MS=20
> Crypto store.
>=20
> Wouter?
>=20
> Aleksey
>=20
>=20
> _______________________________________________
> xmlsec mailing list
> xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
>=20

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec