[xmlsec] Verifying signature with embedded x509 cert

Jim Nutt jim at nuttz.org
Tue Dec 4 16:38:38 PST 2007


Ok, a bit more info. The xmlsec utility will verify the signature without
being passed the pem file separately, so it apparently is able to suck the
key from the signature. I'm trying to create a minimal size code set that
demonstrates the problem; I'll post that when I have it.

On Dec 4, 2007 10:29 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Try this one then xmlSecOpenSSLAppKeyCertLoadMemory()
>
> Aleksey
>
> Jim Nutt wrote:
> > No joy. It refuses to load the key. The irony is that I can use the
> > xmlsec utility and pass it the name of the temp file I create with the
> > key and it will load and verify. It just won't do it in my program.
> > Here's the errors I'm seeing:
> >
> > func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=260:obj=unknown:subj=d2i_PrivateKey_bio and d2i_PUBKEY_bio:error=4:crypto library function failed:
> > func=xmlSecOpenSSLAppKeyLoadMemory:file=app.c:line=193:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:
> > func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> >
> > The signature will verify with the xmlsec utility if I pass it the cert,
> > just not from my program. My next step is to reduce things to the bare
> > essentials and try again.
> >
> > On Dec 4, 2007 2:03 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> >
> >     xmlSecOpenSSLAppKeyLoadMemory() ???
> >
> >     Aleksey
> >
> >     Jim Nutt wrote:
> >     > Ok, I'm pulling my hair out on this one. I'm trying to verify an
> >     > xml signature based on the x509 certificate embedded in the keyinfo
> >     > and I cannot get it to work. If I verify using the same pem file I
> >     > used for signing, it verifies ok, so I know the signature is valid.
> >     > The problem is getting it to validate without going to the original
> >     > pem file. I've tried the straightforward method of letting
> >     > xmlSecDSigVerify load the key, but it can't find the key in the
> >     > signature. I've even tried writing the base64 data to a file
> >     > (bracketed with -----BEGIN CERTIFICATE----- and
> >     > -----END CERTIFICATE-----) and then loading that file as the
> >     > certificate. It refuses to read the file. And yes, I know the file
> >     > is a valid pem file because openssl x509 -in filename -text reads it
> >     > just fine.
> >     >
> >     > Any suggestions would be greatly appreciated, as I'm on a time
> >     > crunch on this (now... wasn't when I started... *sigh*)
> >     >
> >     > --
> >     > Jim Nutt
> >     > http://jim.nuttz.org
> >     > _______________________________________________
> >     > xmlsec mailing list
> >     > xmlsec at aleksey.com
> >     > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
> > --
> > Jim Nutt
> > http://jim.nuttz.org
>



-- 
Jim Nutt
http://jim.nuttz.org
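As an added illustration of the step this thread circles around (my own code, not from the thread or from xmlsec; the helper names, the sample document and the placeholder certificate bytes are constructed): pulling the ds:X509Certificate out of ds:KeyInfo, re-armouring it as the PEM file Jim built by hand, and refusing to use it until it matches a pinned trust anchor. A verifier that simply takes whatever certificate the signature carries proves nothing, since the signer chose that certificate; xmlsec handles this by checking the embedded cert against the trusted certs in its keys manager, and the signature verification itself stays xmlsec's job.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the X509Certificate payload is base64 of the bytes
# b"placeholder cert", NOT a real certificate, so this runs offline.
# Whitespace inside the element is deliberate; real documents wrap it too.
SAMPLE_SIGNED_XML = """<Envelope xmlns="urn:example:envelope">
  <Body>hello</Body>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>
          cGxhY2Vob2xk
          ZXIgY2VydA==
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Envelope>"""

def extract_embedded_cert_der(xml_text):
    """Return the DER bytes of the first ds:X509Certificate under ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    keyinfo = root.find(f".//{{{DSIG_NS}}}KeyInfo")
    node = None if keyinfo is None else keyinfo.find(f".//{{{DSIG_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate inside KeyInfo")
    # Strip the line wrapping before decoding; validate=True rejects junk.
    return base64.b64decode("".join(node.text.split()), validate=True)

def der_to_pem(der):
    """Re-armour DER as PEM with 64-column lines (the file Jim wrote by hand)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def cert_fingerprint(der):
    """SHA-256 over the DER encoding, the usual pinning identifier."""
    return hashlib.sha256(der).hexdigest()

def embedded_cert_is_trusted(xml_text, trusted_fingerprints):
    """The embedded cert is signer-controlled input until it matches a trust
    anchor; only a cert that passes here should be handed to the verifier."""
    return cert_fingerprint(extract_embedded_cert_der(xml_text)) in trusted_fingerprints
```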