[xmlsec] Using certificates for signature verification

Jesse Pelton jsp at PKC.com
Tue Feb 11 13:11:34 PST 2003


I am modifying an existing application that signs and verifies documents to
use XMLSec. We're currently using Microsoft's .NET implementation, which is
a colossal pain, partly because most of our code is unmanaged, partly
because the MS Crypto API is an unpredictable black box.

When we sign a document, we put a key name (a certificate's common name)
into (surprise) the <KeyName> element. That's the only information regarding
keys in our document. To verify a signature, we extract the key name from
the document and map it to a certificate containing the appropriate public
key. This allows us to exchange signed documents with parties we trust by
first exchanging standard X509 certificates. Each of us signs with the
private key we've retained and verifies with the public key we've received
in a certificate.

I can't find a way to do this with XMLSec's simple key manager, and I'm not
sure 1) whether I'm missing something, and if not, 2) what would be the best
way to proceed.

I need an xmlSecKeyPtr to pass to xmlSecDSigValidate(). The simple keys
manager provides two functions that return key pointers:
xmlSecSimpleKeysMngrFindKey() and xmlSecSimpleKeysMngrLoadPemKey(). I
suspect the find function would work for me if I passed a key name, but the
only way I can find to introduce a named key into the manager is by loading
a PKCS12 file. The PEM key loader also might work, if I could figure out how
to produce a PEM key file. Neither xmlsec nor openssl executables provide a
way to do this that I could find.

I also tried using xmlSecX509DataReadPemCert() together with
xmlSecX509DataCreateKey(), but the latter call fails because the certificate
hasn't been verified. It can't be verified unless it's in a store. If I put
it in a store, I no longer have a way to get it, so I'm back where I
started.

Is the whole notion of using a certificate's public key to verify a
signature wrong-headed in some way? (I have to wonder, since there seems to
be no support provided for it.) If this is a reasonable approach, how can I
accomplish it?



More information about the xmlsec mailing list