[xmlsec] xmlsec
Alexander Trishin
trial at trishin.com
Fri Dec 23 09:19:37 PST 2005
I'm using xCBL 4.0 documents, which define the dgs prefix for xmldsig:
<Invoice xmlns:dgs="http://www.w3.org/2000/09/xmldsig#" >
So I'm defining the signature template as
<dgs:Signature>
  <dgs:SignedInfo>
    <dgs:CanonicalizationMethod
      Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <dgs:SignatureMethod
      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dgs:Reference URI="">
      <dgs:Transforms>
        <dgs:Transform
          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </dgs:Transforms>
      <dgs:DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dgs:DigestValue/>
    </dgs:Reference>
  </dgs:SignedInfo>
  <dgs:SignatureValue/>
  <dgs:KeyInfo>
    <dgs:KeyName/>
    <dgs:X509Data><dgs:X509Certificate/>
    </dgs:X509Data>
  </dgs:KeyInfo>
</dgs:Signature>
After the document is signed, all elements still have the dgs prefix except
X509Certificate:
<dgs:X509Data>
  <X509Certificate
    xmlns="http://www.w3.org/2000/09/xmldsig#">MIICAjCCAWugAwIBAgIQnS98DETrP7RGkaTvoI4evjANBgkqhkiG9w0BAQQFADAY
    [skip]
  </X509Certificate>
</dgs:X509Data>
Although it does not create a verification problem, I find it strange.
Is there a way to keep it consistent?
Thank you,
Alex.
Edward Shallow wrote:
>Hi Alex,
>
> Aleksey did understand you correctly. Simply initialize the <KeyName> in
>a template file (sample attached) and the private signing key will be
>extracted from the MS system key store (i.e. 'MY'). Rough sequence of calls
>(simplified) as follows:
>
> xmlParseFile('the template')
> xmlDocGetRootElement()
> xmlSecFindNode(rootNode, 'Signature',
>'http://www.w3.org/2000/09/xmldsig#')
> xmlSecKeysMngrCreate()
> xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
> xmlSecDSigCtxCreate()
> xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
> xmlSecDSigCtxSign(dsigCtx, sigNode)
>
> Depending on which crypto you are using, the <KeyName> can contain either
>the short friendly name (from CN=...) or the full X509 Distinguished Name.
>Both will work. mscrypto for example will look first in the Simple Key Store
>if you have adopted one and then in the 'MY' certificate store for your
>signing key. In the above sequence, I did not load or adopt a Key Store, so
>mscrypto goes directly to the system key store 'MY'.
>
> Note: OpenSSL does not have a system key store.
>
>Cheers,
>Ed
>
>
>
>-----Original Message-----
>From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
>Behalf Of Alexander Trishin
>Sent: December 19, 2005 7:00 PM
>To: Aleksey Sanin
>Cc: xmlsec at aleksey.com
>Subject: Re: [xmlsec] xmlsec
>
>Aleksey,
>
>I probably didn't make myself clear.
>I'm looking at the code to produce a signed xml, the key info and
>certificate come from the external file for the sample.
>My question is - what functions should I use to change that? So that key
>info and Certificate come from the system store, and not from the file.
>
>Thank you in advance,
>Alex
>
>Aleksey Sanin wrote:
>
>
>
>>I am not a big mscrypto user myself and I hope someone will correct my
>>lies here... but I believe that you just need to put the key name
>>(i.e. certificate subject) into the <KeyName> element of your
>>signature template.
>>
>>Aleksey
>>
>>Alexander Trishin wrote:
>>
>>
>>
>>>Dear Friends,
>>>
>>>I'm trying to create a test console app to sign XML files with an
>>>X509 certificate. I took a look at the samples provided but have yet to
>>>figure out how to sign an XML file with a certificate that I already
>>>have in the "MY" store. The certificate does have a private key.
>>>
>>>If someone can point me in the right direction or has a sample, I'd
>>>greatly appreciate it.
>>>
>>>Platform is Windows with ms crypto library.
>>>
>>>Thank you,
>>>Alex.
>>>_______________________________________________
>>>xmlsec mailing list
>>>xmlsec at aleksey.com
>>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>>
>>
>>
>>
>>
>
>
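The point in Alex's post above, that the X509Certificate element comes back bound to the xmldsig namespace through a default xmlns declaration rather than the dgs prefix, and that this does not create a verification problem, can be checked directly. The script below is an added example; it is not code from this thread or from the xmlsec library. It uses only the Python standard library (Python 3.8+ for ET.canonicalize), the invoice document, digest, signature and certificate values are constructed placeholders, and reserialize_with_prefix is an ElementTree rewrite of the document, not an xmlsec option.

```python
"""Added example, not from the xmlsec thread.

Shows (1) that <dgs:X509Certificate> and <X509Certificate xmlns="..."> are
the same element to a namespace-aware parser, and (2) why neither form
reaches the signed octets of an enveloped signature: the Reference with
URI="" plus the enveloped-signature transform covers the document with the
whole Signature element, KeyInfo included, removed.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS
CERT_TAG = "{%s}X509Certificate" % DSIG_NS

# Constructed sample: one signed invoice, parameterised on how the
# X509Certificate element binds the xmldsig namespace. Digest, signature
# and certificate values are placeholders, not real cryptographic output.
_INVOICE_TEMPLATE = """<Invoice xmlns:dgs="http://www.w3.org/2000/09/xmldsig#">
  <Amount currency="USD">42.00</Amount>
  <dgs:Signature>
    <dgs:SignedInfo>
      <dgs:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <dgs:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dgs:Reference URI="">
        <dgs:Transforms>
          <dgs:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </dgs:Transforms>
        <dgs:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dgs:DigestValue>PLACEHOLDER-DIGEST</dgs:DigestValue>
      </dgs:Reference>
    </dgs:SignedInfo>
    <dgs:SignatureValue>PLACEHOLDER-SIGNATURE</dgs:SignatureValue>
    <dgs:KeyInfo>
      <dgs:X509Data>
        %s
      </dgs:X509Data>
    </dgs:KeyInfo>
  </dgs:Signature>
</Invoice>
"""

# Prefixed form (as in the template) and default-namespace form (as seen
# after signing).
INVOICE_PREFIXED = _INVOICE_TEMPLATE % (
    '<dgs:X509Certificate>PLACEHOLDER-CERT</dgs:X509Certificate>')
INVOICE_DEFAULT_NS = _INVOICE_TEMPLATE % (
    '<X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">'
    'PLACEHOLDER-CERT</X509Certificate>')


def cert_expanded_name(xml_text):
    """Return (namespace URI, local name) of the X509Certificate element.
    The prefix is only a binding; the expanded name is what matters."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//" + CERT_TAG)
    if cert is None:
        raise ValueError("no X509Certificate element in the xmldsig namespace")
    uri, local = cert.tag[1:].split("}", 1)
    return uri, local


def enveloped_signed_octets(xml_text):
    """Approximate what Reference URI="" plus the enveloped-signature
    transform hands to the digest: canonicalize the document with the
    Signature element and its whole subtree (KeyInfo included) left out.
    Python's canonicalize implements C14N 2.0, not the C14N 1.0 named in
    the template, which is enough to show what is and is not covered."""
    return ET.canonicalize(xml_text, exclude_tags=[SIGNATURE_TAG])


def reserialize_with_prefix(xml_text, prefix="dgs"):
    """Rewrite the document so every xmldsig element uses the given prefix.
    ElementTree-specific post-processing, not an xmlsec option. Re-serializing
    can also move namespace declarations and change layout outside the
    Signature, so apply it to the template before signing, not afterwards."""
    ET.register_namespace(prefix, DSIG_NS)
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(cert_expanded_name(INVOICE_PREFIXED))
    print(cert_expanded_name(INVOICE_DEFAULT_NS))
    same = (enveloped_signed_octets(INVOICE_PREFIXED)
            == enveloped_signed_octets(INVOICE_DEFAULT_NS))
    print("signed octets identical:", same)
    print(reserialize_with_prefix(INVOICE_DEFAULT_NS))
```

Both inputs give the same expanded name for the certificate element and the same octets once the Signature subtree is dropped, which is why the inconsistent prefix is cosmetic for an enveloped signature over URI="". Consistency is best fixed on the template before signing; rewriting a document after it has been signed is only safe for changes that stay inside the Signature subtree.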