[xmlsec] XMLsec Command Line Utility and MSCrypto

Aleksey Sanin aleksey@aleksey.com
Thu, 18 Sep 2003 13:24:02 -0700


I can explain what happens in general. Suppose there is a command line like this:
 
    sign --pkcs12:test-key keys/EdCert.p12 --pwd 1234 something.tmpl

Then the following happens:

1) xmlsec loads the key and certificate from keys/EdCert.p12 and puts this key
in the default crypto keys manager with the "test-key" name.
2) When xmlsec signs the something.tmpl and finds out that it needs a private
key with the name "test-key", it requests the keys manager to find such a key
(internally, the request is represented by an xmlSecKeyReq object).
3) The keys manager does the search and finds the key we loaded on step 1).
4) xmlsec uses the returned key for the signature.

Note that on step 1) we used the words "default crypto keys manager". This
means that
 - different crypto engines may have *different* default keys managers
 (for example, OpenSSL uses a plain stupid list of keys; NSS uses the same
 plain list of keys and the NSS key db; MSCrypto uses the same plain list of
 keys and the MS Crypto store)
 - the xmlsec command line utility uses the "default" keys manager but an
 application might replace it with whatever is needed (for example, one might
 have all keys and/or certificates in a database)


Currently, the xmlsec utility does not have an option that says "load key
and use *this* key for signature or encryption". The key selection is done
indirectly through the keys manager (i.e. the signature/encryption template
should have a key name that references a key in the keys manager). But you can
do it in your application (if needed) by setting the desired
signature/encryption key in the signature/encryption context. Also today you
can use the "--session-key" option if you want to sign/encrypt something with
a session key (specific for this xml file). But the session key by itself
would be encrypted with an indirectly selected key from the keys manager.
Again, in the application you can select the second key from your
application directly (if you want).

Hope this makes things a little bit clearer :)

Aleksey
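The indirect key selection described in the message above, as an added example that is not part of the original post or of the xmlsec project: the only link between the template and the signing key is the <KeyName> element, which xmlsec turns into a key request against its default keys manager; the key must have been registered under exactly that name with --pkcs12:<name>. The template below is constructed here (enveloped signature over a toy document, RSA-SHA256 rather than the 2003-era defaults), keys/EdCert.p12 and the password 1234 are the post's own placeholders, and the script assumes the xmlsec1 command line utility from libxmlsec1 is on PATH when the signing step runs.

```shell
#!/bin/sh
# Added example, not the original post's or xmlsec's own code. Assumptions:
# xmlsec1 (libxmlsec1) on PATH; keys/EdCert.p12 with password 1234 are the
# placeholders from the post; the template below is constructed here.
set -u

# Writes a signature template to stdout. The only thing tying it to a key is
# <KeyName>test-key</KeyName>: xmlsec1 builds a key request (private key,
# usable for signing, named "test-key") and asks the keys manager for it.
make_template() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Data>Hello, World!</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo>
      <KeyName>test-key</KeyName>
    </KeyInfo>
  </Signature>
</Envelope>
EOF
}

# Prints the KeyName a template asks for; this is the name the key has to be
# registered under (--pkcs12:<name>) or the lookup in step 3) of the post fails.
template_key_name() {
  sed -n 's/.*<KeyName>\([^<]*\)<\/KeyName>.*/\1/p' "$1"
}

# Step 1) of the post: load the PKCS#12 key+cert into the default keys manager
# under $1, then sign the template; xmlsec1 resolves the key by name itself.
sign_with_named_key() {
  name=$1 p12=$2 pass=$3 tmpl=$4 out=$5
  xmlsec1 --sign --pkcs12:"$name" "$p12" --pwd "$pass" --output "$out" "$tmpl"
}

# Verification goes through the same indirection: the signed document carries
# only a KeyName, so the key is again looked up in the keys manager by name.
verify_with_named_key() {
  name=$1 p12=$2 pass=$3 signed=$4
  xmlsec1 --verify --pkcs12:"$name" "$p12" --pwd "$pass" "$signed"
}

demo() {
  work=$(mktemp -d)
  make_template > "$work/something.tmpl"
  echo "template asks for key name: $(template_key_name "$work/something.tmpl")"
  if command -v xmlsec1 >/dev/null 2>&1 && [ -f keys/EdCert.p12 ]; then
    # Name matches the template: the keys manager finds the key and signs.
    sign_with_named_key test-key keys/EdCert.p12 1234 \
      "$work/something.tmpl" "$work/signed.xml"
    verify_with_named_key test-key keys/EdCert.p12 1234 "$work/signed.xml"
    # Same key registered under another name: no key satisfies the request,
    # so xmlsec1 reports the failure and exits non-zero instead of guessing.
    if sign_with_named_key other-key keys/EdCert.p12 1234 \
         "$work/something.tmpl" "$work/wrong.xml" 2>/dev/null; then
      echo "unexpected: signed with a key the template did not name"
    else
      echo "as expected: no key named test-key in the keys manager"
    fi
  else
    echo "xmlsec1 or keys/EdCert.p12 not available; template left in $work"
  fi
  rm -rf "$work"
}
demo
```

The mismatched-name run is the practical check worth keeping: because the utility never lets you say "use this file's key", a template whose KeyName does not match the registered name fails at signing time rather than silently picking some other loaded key. The same indirection applies to --encrypt with --session-key, where the generated session key is itself wrapped with the key the template names.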