[xmlsec] Key Manager with multiple key

Aleksey Sanin aleksey at aleksey.com
Mon Mar 10 08:57:20 PST 2008


If there is only one key in the KM and it matches the key type
required by the signature then it is used automatically.

If there are multiple keys in the KM then you need to use
a key name, or any other way of selecting the key from the KM.

Aleksey

chia pern hui wrote:
> Hi,
> 
> I am using libxmlsec1 1.2.9-5 and libssl0.9.7.
> I am using the simple key manager as provided by xmlsec.
> 
> May I ask whether the default manager class supports loading of multiple keys?
> I failed to verify a signed document after loading a list of keys (mix
> of correct and false PU keys).
> Meanwhile, if I load only the correct key, signature verifies correctly.
> 
> Any help will be much appreciated. Thanks!
> 
> Br, Pern Hui
> 
> 
> Program adopted from the example
> =====================
> 
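>     /* Load the PEM key; xmlSecCryptoAppKeyLoad returns NULL on failure. */
>     key = xmlSecCryptoAppKeyLoad(keyfile, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
>     if(key == NULL) {
>         fprintf(stderr, "Error: failed to load pem key from \"%s\"\n", keyfile);
>         return(-1);
>     }
>
>     /* Name the key after its file so it can be selected by name. */
>     if(xmlSecKeySetName(key, BAD_CAST keyfile) < 0) {
>         fprintf(stderr, "Error: failed to set key name for key from \"%s\"\n", keyfile);
>         xmlSecKeyDestroy(key);
>         return(-1);
>     }
>
>     /* On success the keys manager takes ownership of the key. */
>     if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
>         fprintf(stderr, "Error: failed to add key from \"%s\" to keys manager\n", keyfile);
>         xmlSecKeyDestroy(key);
>         return(-1);
>     }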
> 
> 
> Signature verification fails when I load 2 keys into the manager
> =====================================
> 
> __loaded key "public/pchia at test.com.pubkey.pem"
> __loaded key "public/alice at test.com.pubkey.pem"
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=FI/ST=Helsinki/L=Helsinki/O=test/OU=Student/CN=Alice/emailAddress=alice at test.com;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
> 
> 
> Verification succeeds if I load only alice's key into the manager
> ====================================
> 
> __loaded key "public/alice at test.com.pubkey.pem"
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=FI/ST=Helsinki/L=Helsinki/O=test/OU=Student/CN=Alice/emailAddress=alice at test.com;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> __signature OK
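
Selecting a key by name, as the reply at the top describes, shown as an added example (not part of the original thread or of xmlsec's own files): a signature whose `KeyInfo` carries a `KeyName` equal to the name given to `xmlSecKeySetName()` in the quoted program. The key name `keys/signer.pubkey.pem` and the elided digest and signature values are constructed placeholders.

```xml
<!-- Added example; all values are constructed placeholders. -->
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod
        Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <!-- rsa-sha1 matches the transform named in the quoted log output. -->
    <dsig:SignatureMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="">
      <dsig:Transforms>
        <dsig:Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>...</dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>...</dsig:SignatureValue>
  <dsig:KeyInfo>
    <!-- Must equal, character for character, the string passed to
         xmlSecKeySetName() when the signer's key was added to the keys
         manager. The quoted program uses the key file path as the name. -->
    <dsig:KeyName>keys/signer.pubkey.pem</dsig:KeyName>
  </dsig:KeyInfo>
</dsig:Signature>
```

`KeyName` comes from the document being verified, so it only selects among keys already loaded into the manager; it does not make a key trusted.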
