[xmlsec] Re: Filling in other X509 node info

Aleksey Sanin aleksey at aleksey.com
Thu Apr 24 09:23:21 PDT 2003


Serial number and subject name are included in the certificate. Current xmlsec code
can read both <dsig:X509IssuerSerial/> and <dsig:X509SubjectName/> nodes and
search the local certificate store for the specified certificates. However, it
does not provide an ability to write these nodes. As I said, this information is
already available from the <dsig:X509Certificate/> node and (IMHO) duplicating it
is just a waste of traffic. So the answer is "you cannot do it". But I accept
contributions and you can hack it by yourself :) Probably there should be a flag(s)
in xmlSecKeyInfoCtx that tells xmlsec how to write certificates:
<dsig:X509Data/>, <dsig:X509IssuerSerial/>, etc., or it can be specified in the
template; please note that you might have *multiple* certificates for the key.

BTW, I would appreciate it if you would use the xmlsec mailing list for all
xmlsec-related questions.

Thanks,
Aleksey




Victor Sturgeon wrote:

> Using the following as my xml file test7.xml, I wanted to sign it via 
> the xmlsec utility
>  
> <?xml version="1.0" encoding="UTF-8"?>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
>     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>     <Reference URI="#object">
>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>       <DigestValue></DigestValue>
>     </Reference>
>   </SignedInfo>
>   <SignatureValue>
>   </SignatureValue>
>    <KeyInfo>
>      <X509Data>
>      </X509Data>
>    </KeyInfo>
>   <Object Id="object">some text</Object>
> </Signature>
>  
> victor at victors:~/xmlsec> xmlsec1 --sign --privkey privatekey.pem,certificate.pem test7.xml
>  
> Gives the following output
> <?xml version="1.0" encoding="UTF-8"?>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <Reference URI="#object">
>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <DigestValue>7/XTsHaBSOnJ/jXD5v0zL6VKYsk=</DigestValue>
>     </Reference>
>   </SignedInfo>
>   <SignatureValue>slrp2j30ePW08ObT49frswmN0dQGTOK/SQ9sljMUpfebOudpeI+uebQHU2eUlGI2
> A2GpWQqKLichKYO7d9luury5/jxjCMeLIoZtsWo5rCXUaoH9DXLPMymWNYCy0xbW
> zOwTyBj6AGPDArsNiz25JOzQZ1Kt36qcsaWCbR8KEru3YhtKLloMYfS83jN0HPMJ
> YgjkuH1OXRW3cDe5/kSiwU23d9TodXXa1dhzrq+Qoo4reR7g6MN+uVYe87tcDlzs
> +2ozmEW4EquJuwVohrMYJrhInZJs7ooZQ3e4o0WNHfvFSpSptMQ8K9nqjrFi4U9F
> Iv4PpTLDvbi9zKzUnqXKVw==</SignatureValue>
>    <KeyInfo>
>      <X509Data>
>      <X509Certificate>MIIE/DCCA+SgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBsTELMAkGA1UEBhMCVVMx
> ETAPBgNVBAgTCElsbGlub2lzMRMwEQYDVQQHEwpOYXBlcnZpbGxlMRYwFAYDVQQK
> Ew1TdHVyZ2VvbiBNYWlsMRYwFAYDVQQLEw1TdHVyZ2VvbiBNYWlsMR4wHAYDVQQD
> ExVTdHVyZ2VvbiBNYWlsIFJvb3QgQ0ExKjAoBgkqhkiG9w0BCQEWG3Bvc3RtYXN0
> ZXJAc3R1cmdlb25tYWlsLmNvbTAeFw0wMzAyMTQxNzAzMzRaFw0xMzAyMTExNzAz
> MzRaMIGPMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEzARBgNVBAcT
> Ck5hcGVydmlsbGUxFjAUBgNVBAoTDVN0dXJnZW9uIE1haWwxGDAWBgNVBAMTD1Zp
> Y3RvciBTdHVyZ2VvbjEmMCQGCSqGSIb3DQEJARYXdmljdG9yQHN0dXJnZW9ubWFp
> bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJUk+v64R7gn0G
> A10PhY9Gz3c8qM9f/GFHbjN+/+IwFq9UMyFOt7JiWlRT3+dKxZsNH3tV8bfHy32B
> vTQKpd37LAdo99MrSNO2A5+awKLlv8mp7AIEf/Q2aEBSeSBdvbn9aGNTpnOkdmrm
> V9ewaUuA/Ew7u8qz1aeMFSm5YAuO1vZSQ3+mqDmO7hZHEJ4XOk+UKDw3A/GMwS7T
> IbA9uO1YSaysxkx//pPCJlV3T5uSodmO//xq20GOvRPp6yF7CS/+cypWZn8mIdxE
> Eu4ZbydW5JnWFN2dpnn6buPtH57VXh+N/hkJUHCEQvao9xihV+LwWSXjyzxXI7oV
> V0mZ53+RAgMBAAGjggE9MIIBOTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
> cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUNXEudkuLZUD9
> Kvtl00EskfCceU0wgd4GA1UdIwSB1jCB04AU8KerK52F1WKOJnanhpe9Anq2fJCh
> gbekgbQwgbExCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczETMBEGA1UE
> BxMKTmFwZXJ2aWxsZTEWMBQGA1UEChMNU3R1cmdlb24gTWFpbDEWMBQGA1UECxMN
> U3R1cmdlb24gTWFpbDEeMBwGA1UEAxMVU3R1cmdlb24gTWFpbCBSb290IENBMSow
> KAYJKoZIhvcNAQkBFhtwb3N0bWFzdGVyQHN0dXJnZW9ubWFpbC5jb22CAQAwDQYJ
> KoZIhvcNAQEEBQADggEBABKB8KYPUt7pwEOc+y+8iZYxHnDhi/DkZW5KOwu4j9J4
> MYtdwzFJCQi+51T++7X7cOGcHzhxtVznadlSEH+q2r7NFIRnyZWAKtaK6AWG5l0j
> nFN/t3fkgMXtVL4ImrCNme2ZxG+5irTXCSa3EvOCZRLQwPkvWTJpTZs4KRfm+wX5
> kDdmfMNpXthkJehNZS+wLsGAoUYkDc5wmeMGf8894l3MzGMiNSuwzv2TILEOGHad
> t4dJaIgETmG6HaSErWD4UhN4jp502RWd+nui/p7MVyRq4vYrvBMCd691WccVtWW7
> y4zlnVaQXoGHOsymuqvi6toE4By4P6/ssE7FfMDuvTY=</X509Certificate>
> </X509Data>
>    </KeyInfo>
>   <Object Id="object">some text</Object>
> </Signature>
>  
> Which verifies fine with
> victor at victors:~/xmlsec> xmlsec1 --verify --trusted cacert.pem sign7.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
>  
> I notice that the xmlsec utility fills in the X509Data fields with the 
> X509Certificate info.
>  
> My question is, what do I need to do to have the utility also 
> automatically fill in the following info:
> X509IssuerSerial
> X509SubjectName
>  
> Thanks for your insight.
>  
>  
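Aleksey's point is that the serial number, issuer and subject are already carried inside the certificate. The following is an added example, not xmlsec code and not from the original thread: it takes the <X509Certificate> content quoted above, pulls those three fields out of the DER with a minimal parser, and writes <X509IssuerSerial> and <X509SubjectName> next to the certificate the way a "fill in the other nodes" flag might. Assumptions: the DN string format ("C=US,ST=...", attributes in certificate order) is our own choice and not what any particular library emits, and the parser only handles the universal tags this certificate uses. On the verifying side these nodes are only hints for locating a certificate; the values to trust are whatever the certificate that actually validates the signature contains.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Sample input: the <X509Certificate> content quoted in the message above
# (base64 lines joined in pairs).
CERT_B64 = """
MIIE/DCCA+SgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBsTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRMwEQYDVQQHEwpOYXBlcnZpbGxlMRYwFAYDVQQK
Ew1TdHVyZ2VvbiBNYWlsMRYwFAYDVQQLEw1TdHVyZ2VvbiBNYWlsMR4wHAYDVQQDExVTdHVyZ2VvbiBNYWlsIFJvb3QgQ0ExKjAoBgkqhkiG9w0BCQEWG3Bvc3RtYXN0
ZXJAc3R1cmdlb25tYWlsLmNvbTAeFw0wMzAyMTQxNzAzMzRaFw0xMzAyMTExNzAzMzRaMIGPMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEzARBgNVBAcT
Ck5hcGVydmlsbGUxFjAUBgNVBAoTDVN0dXJnZW9uIE1haWwxGDAWBgNVBAMTD1ZpY3RvciBTdHVyZ2VvbjEmMCQGCSqGSIb3DQEJARYXdmljdG9yQHN0dXJnZW9ubWFp
bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJUk+v64R7gn0GA10PhY9Gz3c8qM9f/GFHbjN+/+IwFq9UMyFOt7JiWlRT3+dKxZsNH3tV8bfHy32B
vTQKpd37LAdo99MrSNO2A5+awKLlv8mp7AIEf/Q2aEBSeSBdvbn9aGNTpnOkdmrmV9ewaUuA/Ew7u8qz1aeMFSm5YAuO1vZSQ3+mqDmO7hZHEJ4XOk+UKDw3A/GMwS7T
IbA9uO1YSaysxkx//pPCJlV3T5uSodmO//xq20GOvRPp6yF7CS/+cypWZn8mIdxEEu4ZbydW5JnWFN2dpnn6buPtH57VXh+N/hkJUHCEQvao9xihV+LwWSXjyzxXI7oV
V0mZ53+RAgMBAAGjggE9MIIBOTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUNXEudkuLZUD9
Kvtl00EskfCceU0wgd4GA1UdIwSB1jCB04AU8KerK52F1WKOJnanhpe9Anq2fJChgbekgbQwgbExCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczETMBEGA1UE
BxMKTmFwZXJ2aWxsZTEWMBQGA1UEChMNU3R1cmdlb24gTWFpbDEWMBQGA1UECxMNU3R1cmdlb24gTWFpbDEeMBwGA1UEAxMVU3R1cmdlb24gTWFpbCBSb290IENBMSow
KAYJKoZIhvcNAQkBFhtwb3N0bWFzdGVyQHN0dXJnZW9ubWFpbC5jb22CAQAwDQYJKoZIhvcNAQEEBQADggEBABKB8KYPUt7pwEOc+y+8iZYxHnDhi/DkZW5KOwu4j9J4
MYtdwzFJCQi+51T++7X7cOGcHzhxtVznadlSEH+q2r7NFIRnyZWAKtaK6AWG5l0jnFN/t3fkgMXtVL4ImrCNme2ZxG+5irTXCSa3EvOCZRLQwPkvWTJpTZs4KRfm+wX5
kDdmfMNpXthkJehNZS+wLsGAoUYkDc5wmeMGf8894l3MzGMiNSuwzv2TILEOGHadt4dJaIgETmG6HaSErWD4UhN4jp502RWd+nui/p7MVyRq4vYrvBMCd691WccVtWW7
y4zlnVaQXoGHOsymuqvi6toE4By4P6/ssE7FfMDuvTY=
"""

# Attribute-type OIDs rendered with their usual short names. The DN string
# format produced below is an assumption of this example, not a library's.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed TLV into a list of (tag, value)."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def name_to_string(name_value):
    """Render an X.501 Name (SEQUENCE of RDN SETs) as 'C=US,ST=...'."""
    parts = []
    for _, rdn in der_children(name_value):          # each RDN is a SET
        for _, atv in der_children(rdn):             # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, val) = der_children(atv)
            key = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            parts.append(f"{key}={val.decode('utf-8')}")
    return ",".join(parts)


def parse_cert(der):
    """Return (serial, issuer, subject) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(der, 0)                    # Certificate SEQUENCE
    (_, tbs), _, _ = der_children(cert)             # tbsCertificate, sigAlg, sigValue
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer = name_to_string(fields[2][1])           # fields[1] is the signature AlgorithmIdentifier
    subject = name_to_string(fields[4][1])          # fields[3] is validity
    return serial, issuer, subject


def fill_x509data(x509data):
    """Add X509IssuerSerial and X509SubjectName beside an existing X509Certificate."""
    cert_el = x509data.find(f"{{{DSIG_NS}}}X509Certificate")
    der = base64.b64decode("".join(cert_el.text.split()))
    serial, issuer, subject = parse_cert(der)
    iss = ET.SubElement(x509data, f"{{{DSIG_NS}}}X509IssuerSerial")
    ET.SubElement(iss, f"{{{DSIG_NS}}}X509IssuerName").text = issuer
    ET.SubElement(iss, f"{{{DSIG_NS}}}X509SerialNumber").text = str(serial)
    ET.SubElement(x509data, f"{{{DSIG_NS}}}X509SubjectName").text = subject
    return serial, issuer, subject


def build_x509data(cert_b64):
    """Build an <X509Data> holding only the certificate, then fill in the other nodes."""
    x509data = ET.Element(f"{{{DSIG_NS}}}X509Data")
    ET.SubElement(x509data, f"{{{DSIG_NS}}}X509Certificate").text = cert_b64.strip()
    return x509data, fill_x509data(x509data)


if __name__ == "__main__":
    node, (serial, issuer, subject) = build_x509data(CERT_B64)
    print(ET.tostring(node, encoding="unicode", default_namespace=DSIG_NS))
```

Running the script prints the <X509Data> element with the two derived nodes appended. Note that the same certificate can be referenced by more than one <X509Data> child, which is exactly the duplication Aleksey objects to: a consumer that picks the certificate by the issuer/serial hint still has to check that the certificate it found is the one that verifies the signature.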
