[xmlsec] How to sign without an exportable key
Erik F. Andersen
ea at ascott.dk
Sat Jan 22 07:24:42 PST 2005
Hello!
Up until now I have used a PKCS#12 file to sign documents in xmlsec (using MSCrypto). Now I'm faced with the problem that I cannot create a PKCS#12 file because the private keys are not exportable. How can I handle this in xmlsec?
I was thinking about something like this:
1) First I retrieve a PCERT_CONTEXT from MSCrypto
2) Now I call xmlSecMSCryptoCertAdopt to get a xmlSecKeyDataPtr
3) Third I create a new xmlSecKeyPtr by calling xmlSecKeyCreate
4) Now I call xmlSecKeySetValue(xmlSecKeyPtr, xmlSecKeyDataPtr)
5) I now create a xmlSecDSigCtx using xmlSecDSigCtxCreate
6) I can now assign xmlSecDSigCtx->signKey with the xmlSecKeyPtr
7) Last I call xmlSecDSigCtxSign
Will this approach work and is it a good one?
At what stage will MSCrypto ask me to enter the password in order to encrypt the document (my guess is at stage 7).
If I have several documents that need signing will this method force MSCrypto to prompt me for a password every time or is there a way around this problem? I thought about using a keys manager but I have no idea how to do this and even if it will solve my problem.
I have looked through all examples without getting a clear idea on how to solve my problem.
Thanks,
Erik F. Andersen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20050122/248c04dd/attachment.htm
More information about the xmlsec
mailing list