[xmlsec] Re: validating a certificate chain without <KeyInfo>

Aleksey Sanin aleksey at aleksey.com
Wed Jun 20 08:16:17 PDT 2007


xmlsec will not try to validate dSigCtx->signKey because it is supplied
by the user. If you have the key/cert in memory then you can perform
certificate validation yourself using standard crypto library functions.
This is outside xmlsec.

Aleksey

Arnoud Zwemmer wrote:
> Hi Aleksey,
> 
> I have a question regarding validation of a certificate chain when I have both certificates in the chain in memory. For XML verification, I have the server certificate in memory (it's not in the signed XML file's <KeyInfo>, but I know I need to use this cert/key). Using xmlSecCryptoAppKeyLoadMemory() to load the key from this server cert in dSigCtx->signKey works fine, verification succeeds.
> 
> Now I want to validate this cert with the CA cert before I use it. I have the CA cert in memory as well. From the samples it seemed to me that I had to create a keys manager for this 'certificate chain' purpose. So I load the CA cert as trusted cert into the keys manager. I can load the server cert into the keys manager as well (as untrusted, or type Any), but then, since the signed XML file is lacking any <KeyInfo>, I cannot verify the XML file because xmlSecDSigCtxVerify() does not have a key... because I (and the samples) don't use xmlSecCryptoAppKeyLoadMemory() to populate dSigCtx->signKey in this case.
> 
> I guess normally xmlSecDSigCtxVerify() expects a <KeyInfo> element in the signed XML with either an X509 certificate or at least a name for matching it to a cert in the keys manager, correct? So I'm assuming that's why this does not work.
> 
> How would I use the API to either obtain this server cert/key from the keys manager (with FindKey() maybe, but then again I don't give the keys an ID when I load them into the keys manager, and is the certificate validated in the process?), or is there another way to just validate a certificate before I use the cert to extract a key and verify an XML signature?
> 
> Thanks!
> 
> Arnoud.
