[xmlsec] remote or external private keys
Quenin Bertrand
bquenin at axway.com
Tue Sep 28 05:01:36 PDT 2004
Hi,
I'd like to implement another (proprietary) PKI and crypto engine with xmlsec. The crypto engine seems to be well segmented in the API as far as I can see, but the PKI material seems not to be. I was wondering if it was possible to use external (or remote) private keys. Let me explain my point of view. I need to reference keys via criteria (such as aliases or key parameters), but I have no direct access to the private keys. I've noticed the following problems:
1) Custom key stores don't provide any certificate- or X509Data-based retrieval method; I only found this method, which is obviously based on a character string:
XMLSEC_EXPORT xmlSecKeyPtr xmlSecKeysMngrFindKey (xmlSecKeysMngrPtr mngr,
                                                  const xmlChar* name,
                                                  xmlSecKeyInfoCtxPtr keyInfoCtx);
So, even if I wanted to implement a custom key store, I won't be able to select the corresponding key on signature verification, for example (considering the envelope uses the X509IssuerSerial KeyInfo element).
2) Keys are represented in a proprietary format. I said I can't access private keys directly, but I have a set of criteria identifying a key (more precisely a certificate). How can I configure xmlsec for a signature operation using such a key description?
Here is a small schema of what I want to achieve:
    Private key descriptor
    (few parameters like aliases,
     i.e. certificate alias)
              |
     ---------------------
     |My Security Library|
     ---------------------
              |
    --------------------   (2) Use the key handle       --------------------
    |      xmlsec      |------------------------------| My Crypto engine |
    --------------------   retrieved in my PKI DB      --------------------
              |            for performing the signature
              |
    (1) Retrieve a key
    handle via the key
    descriptor
              |
    --------------------
    |    My PKI DB     |
    --------------------
Thanks in advance