[xmlsec] Re: question about dsigCtx->status
Rolando Abarca
funkaster at gmail.com
Fri Jun 20 10:11:10 PDT 2008
Ok, I got a little more info on the error:
From the other side (the place where I'm sending the signed XML) the
response is:
The public key does not correspond to the certificate
This is how I'm signing the document (this is inside a Ruby extension):
#include <ruby.h>
#include <libxml/tree.h>
#include <xmlsec/xmlsec.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/templates.h>
#include <xmlsec/crypto.h>

/* ruby_xml_document_t and rb_eXMLError are provided by the libxml-ruby
   extension this function is compiled into. */

/* Undo a partially built signature before raising: destroy the context
   (which also frees the key it owns) and drop the <Signature> node so the
   document is not left with an unsigned template inside it. */
static void xmlsec_sign_cleanup(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr signNode) {
    if (dsigCtx != NULL) {
        xmlSecDSigCtxDestroy(dsigCtx);
    }
    if (signNode != NULL) {
        xmlUnlinkNode(signNode);
        xmlFreeNode(signNode);
    }
}

VALUE xmlsec_sign(VALUE self, VALUE cert_file, VALUE key_file, VALUE node_uri) {
    xmlNodePtr signNode = NULL;
    xmlNodePtr refNode = NULL;
    xmlNodePtr keyInfoNode = NULL;
    xmlSecDSigCtxPtr dsigCtx = NULL;
    ruby_xml_document_t *rxd;
    char *key_path;
    char *cert_path;
    char *uri;

    /* Convert the Ruby arguments first, so a TypeError cannot longjmp out
       after xmlsec objects have been allocated. StringValueCStr replaces the
       deprecated STR2CSTR and also rejects strings with embedded NULs. */
    key_path = StringValueCStr(key_file);
    cert_path = StringValueCStr(cert_file);
    uri = StringValueCStr(node_uri);

    /* get libxml document from ruby VALUE */
    Data_Get_Struct(self, ruby_xml_document_t, rxd);

    /* create signature template: inclusive C14N, RSA-SHA1 */
    signNode = xmlSecTmplSignatureCreate(rxd->doc, xmlSecTransformInclC14NId,
                                         xmlSecTransformRsaSha1Id, NULL);
    if (signNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to create signature template");
    }
    xmlAddChild(xmlDocGetRootElement(rxd->doc), signNode);

    /* add reference (SHA1 digest) to the node named by node_uri */
    refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
                                              NULL, BAD_CAST uri, NULL);
    if (refNode == NULL) {
        xmlsec_sign_cleanup(NULL, signNode);
        rb_raise(rb_eXMLError, "Failed to add reference to signature template");
    }

    /* add key info: both a <KeyValue> and an <X509Data> are filled in on sign */
    keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
    if (keyInfoNode == NULL) {
        xmlsec_sign_cleanup(NULL, signNode);
        rb_raise(rb_eXMLError, "Failed to add key info");
    }
    if (xmlSecTmplKeyInfoAddKeyValue(keyInfoNode) == NULL) {
        xmlsec_sign_cleanup(NULL, signNode);
        rb_raise(rb_eXMLError, "Failed to add key value");
    }
    if (xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
        xmlsec_sign_cleanup(NULL, signNode);
        rb_raise(rb_eXMLError, "Failed to add X509 Data");
    }

    /* create sign context and load the private key; the context owns the
       key and frees it in xmlSecDSigCtxDestroy */
    dsigCtx = xmlSecDSigCtxCreate(NULL);
    if (dsigCtx == NULL) {
        xmlsec_sign_cleanup(NULL, signNode);
        rb_raise(rb_eXMLError, "Failed to create signature context");
    }
    dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_path, xmlSecKeyDataFormatPem,
                                              NULL, NULL, NULL);
    if (dsigCtx->signKey == NULL) {
        xmlsec_sign_cleanup(dsigCtx, signNode);
        rb_raise(rb_eXMLError, "Failed to load private key from %s", key_path);
    }

    /* attach the X509 cert to the key; it is written into <X509Data> on sign */
    if (xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_path,
                                   xmlSecKeyDataFormatPem) < 0) {
        xmlsec_sign_cleanup(dsigCtx, signNode);
        rb_raise(rb_eXMLError, "Failed to load certificate from %s", cert_path);
    }

    /* sign: fills in DigestValue, SignatureValue and KeyInfo in place */
    if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
        xmlsec_sign_cleanup(dsigCtx, signNode);
        rb_raise(rb_eXMLError, "Signature failed");
    }
    xmlSecDSigCtxDestroy(dsigCtx);

    /* the signed document now lives in rxd->doc; nothing is written out here */
    return Qnil;
}
As you can see, I'm creating a template, adding the KeyInfo, Value and
X509 data. The key_file and cert_file are both the same (it's a PEM
file).
Any ideas on what could be the problem?
thanks a lot for any hint.
On Jun 20, 2008, at 12:26 PM, Rolando Abarca wrote:
> I'm trying to verify an XML I signed (using xmlsec), but I keep
> getting xmlSecDSigStatusUnknown as the status... what does it mean?
> Currently, the XML is of the kind:
>
> <root>
>   <A>
>     <B>
>       <Sign for B>
>     <B>
>       <Sign for B>
>   </A>
>   <Sign for A>
> </root>
>
> What I'm trying to check first is the sign for A, but it fails...
> Any hints on where I should start looking?
> Regarding how the tree is being constructed:
>
> Generate a B sub-tree, save it to a file. Load it and sign it.
> Generate an A sub-tree, add all B nodes, save it to a file. Load it
> and sign it.
> Generate the root node, add the A node. Save the file.
>
> Note: this save-load-sign routine is so far the only way I've found
> to preserve the whitespace (is there any other way?)
>
> regards
> --
> Rolando Abarca M.
>
--
Rolando Abarca M.
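Added example (not part of the original post, and not xmlsec or libxml-ruby code): the receiver's "The public key does not correspond to the certificate" complaint can be reproduced offline with two checks, written here in Ruby because the function in the post is a Ruby extension. The first check loads the private key and the certificate from one combined PEM, the layout the post describes, and compares the key's public half with the certificate's. The second parses a ds:KeyInfo carrying both a ds:KeyValue and a ds:X509Data, the two children the post's template asks for, and checks that the RSA modulus and exponent agree with the public key inside the certificate. The key and self-signed certificate are generated as constructed sample data, the KeyInfo serialisation is the example's own rather than xmlsec's, and every name (DS_NS, make_key_and_cert, load_key_and_cert, key_matches_cert?, build_key_info, key_info_consistent?, run_demo) belongs to this example. Only the Ruby standard library (openssl, rexml) is used, and the example checks key material only; it does not compute the XML signature itself.

```ruby
require 'openssl'
require 'rexml/document'

DS_NS = 'http://www.w3.org/2000/09/xmldsig#'.freeze

# Constructed sample: a fresh RSA key and a self-signed certificate for it.
# In the post's scenario both come from the same PEM file.
def make_key_and_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Load the private key and the certificate from one combined PEM string
# (key_file and cert_file being the same file, as in the post).
def load_key_and_cert(pem)
  [OpenSSL::PKey::RSA.new(pem), OpenSSL::X509::Certificate.new(pem)]
end

# Check 1: does the private key's public half match the certificate?
# This is the "public key does not correspond to the certificate" question
# asked of the files themselves.
def key_matches_cert?(key, cert)
  pub = cert.public_key
  key.n == pub.n && key.e == pub.e
end

# Build a ds:KeyInfo shaped like the one the post's template produces:
# a ds:KeyValue (RSA modulus/exponent) next to a ds:X509Data holding the
# certificate, base64 encoded. Example layout, not xmlsec's serialiser.
def build_key_info(pub_key, cert)
  doc = REXML::Document.new
  ki  = doc.add_element('ds:KeyInfo', 'xmlns:ds' => DS_NS)
  rsa = ki.add_element('ds:KeyValue').add_element('ds:RSAKeyValue')
  rsa.add_element('ds:Modulus').text  = [pub_key.n.to_s(2)].pack('m0')
  rsa.add_element('ds:Exponent').text = [pub_key.e.to_s(2)].pack('m0')
  ki.add_element('ds:X509Data').add_element('ds:X509Certificate').text =
    [cert.to_der].pack('m0')
  doc.to_s
end

# Check 2: inside a signed document, does the ds:KeyValue agree with the
# public key carried in ds:X509Certificate? Returns nil when either part
# is missing, so "not checkable" is distinguishable from "mismatch".
def key_info_consistent?(xml)
  doc = REXML::Document.new(xml)
  ns  = { 'ds' => DS_NS }
  mod = REXML::XPath.first(doc, '//ds:Modulus', ns)
  exp = REXML::XPath.first(doc, '//ds:Exponent', ns)
  c   = REXML::XPath.first(doc, '//ds:X509Certificate', ns)
  return nil unless mod && exp && c

  cert_pub = OpenSSL::X509::Certificate.new(c.text.unpack1('m')).public_key
  n = OpenSSL::BN.new(mod.text.unpack1('m'), 2)
  e = OpenSSL::BN.new(exp.text.unpack1('m'), 2)
  cert_pub.n == n && cert_pub.e == e
end

# Run both checks on a matching pair and on a deliberately mismatched one.
def run_demo
  key, cert = load_key_and_cert(make_key_and_cert('good-signer').map(&:to_pem).join)
  other_key, _other_cert = make_key_and_cert('other-signer')

  {
    files_match:        key_matches_cert?(key, cert),
    files_mismatch:     key_matches_cert?(other_key, cert),
    keyinfo_consistent: key_info_consistent?(build_key_info(key.public_key, cert)),
    keyinfo_mismatch:   key_info_consistent?(build_key_info(other_key.public_key, cert)),
    keyinfo_missing:    key_info_consistent?('<ds:KeyInfo xmlns:ds="%s"/>' % DS_NS)
  }
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Run it directly to see the five results. A false from key_matches_cert? means the PEM passed as key_file is not the key the certificate was issued for; a false from key_info_consistent? on a document that has been through xmlSecDSigCtxSign means the two KeyInfo children disagree, which is the kind of inconsistency a verifier can report as a key/certificate mismatch.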