[xmlsec] Re: question about dsigCtx->status
Aleksey Sanin
aleksey at aleksey.com
Fri Jun 20 13:36:25 PDT 2008
Please attach the actual signed file.
Aleksey
Rolando Abarca wrote:
> Ok, I got a little more info on the error:
>
> From the other side (the place where I'm sending the signed XML) the
> response is:
>
> The public key does not correspond to the certificate
>
> This is how I'm signing the document (this is inside a ruby extension):
>
> VALUE xmlsec_sign(VALUE self, VALUE cert_file, VALUE key_file, VALUE node_uri) {
>   xmlNodePtr signNode = NULL;
>   xmlNodePtr refNode = NULL;
>   xmlNodePtr keyInfoNode = NULL;
>   xmlSecDSigCtxPtr dsigCtx = NULL;
>   ruby_xml_document_t *rxd;
>   char *filename;
>
>   /* get libxml document from ruby VALUE; all three arguments must be strings */
>   Check_Type(cert_file, T_STRING);
>   Check_Type(key_file, T_STRING);
>   Check_Type(node_uri, T_STRING);
>   Data_Get_Struct(self, ruby_xml_document_t, rxd);
>   /* create signature template */
>   signNode = (xmlNodePtr)xmlSecTmplSignatureCreate(rxd->doc,
>       xmlSecTransformInclC14NId, xmlSecTransformRsaSha1Id, NULL);
>   if (signNode == NULL) {
>     rb_raise(rb_eXMLError, "Failed to create signature template");
>   }
>   xmlAddChild(xmlDocGetRootElement(rxd->doc), signNode);
>   /* add reference */
>   refNode = (xmlNodePtr)xmlSecTmplSignatureAddReference(signNode,
>       xmlSecTransformSha1Id, NULL, STR2CSTR(node_uri), NULL);
>   if (refNode == NULL) {
>     rb_raise(rb_eXMLError, "Failed to add reference to signature template");
>   }
>   /* add key info */
>   keyInfoNode = (xmlNodePtr)xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
>   if (keyInfoNode == NULL) {
>     rb_raise(rb_eXMLError, "Failed to add key info");
>   }
>   if ((xmlNodePtr)xmlSecTmplKeyInfoAddKeyValue(keyInfoNode) == NULL) {
>     rb_raise(rb_eXMLError, "Failed to add key value");
>   }
>   if ((xmlNodePtr)xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
>     rb_raise(rb_eXMLError, "Failed to add X509 Data");
>   }
>
>   /* create sign context and sign the document */
>   dsigCtx = xmlSecDSigCtxCreate(NULL);
>   if (dsigCtx == NULL) {
>     rb_raise(rb_eXMLError, "Failed to create signature context");
>   }
>   filename = STR2CSTR(key_file);
>   dsigCtx->signKey = xmlSecCryptoAppKeyLoad(filename,
>       xmlSecKeyDataFormatPem, NULL, NULL, NULL);
>   if (dsigCtx->signKey == NULL) {
>     xmlSecDSigCtxDestroy(dsigCtx);
>     rb_raise(rb_eXMLError, "Failed to load private key from %s", filename);
>   }
>   /* add the X509 cert info */
>   filename = STR2CSTR(cert_file);
>   if (xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, filename,
>       xmlSecKeyDataFormatPem) < 0) {
>     xmlSecDSigCtxDestroy(dsigCtx);
>     rb_raise(rb_eXMLError, "Failed to load certificate from %s", filename);
>   }
>   /* sign */
>   if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>     xmlSecDSigCtxDestroy(dsigCtx);
>     rb_raise(rb_eXMLError, "Signature failed");
>   }
>   xmlSecDSigCtxDestroy(dsigCtx);
>   /* the document is signed in place; nothing to return */
>   return Qnil;
> }
>
> As you can see, I'm creating a template, adding the KeyInfo, Value and
> X509 data. The key_file and cert_file are both the same (it's a PEM file).
> Any ideas on what could be the problem?
>
> thanks a lot for any hint.
>
> On Jun 20, 2008, at 12:26 PM, Rolando Abarca wrote:
>
>> I'm trying to verify an XML I signed (using xmlsec), but I keep getting
>> xmlSecDSigStatusUnknown as the status... what does it mean?
>> Currently, the XML is of the kind:
>>
>> <root>
>>   <A>
>>     <B>
>>       <Sign for B>
>>     <B>
>>       <Sign for B>
>>   </A>
>>   <Sign for A>
>> </root>
>>
>> What I'm trying to check first is the sign for A, but it fails... Any
>> hints on where I should start looking?
>> Regarding how the tree is being constructed:
>>
>> Generate a B sub-tree, save it to a file. Load it and sign it.
>> Generate an A sub-tree, add all B nodes, save it to a file. Load it
>> and sign it.
>> Generate the root node, add the A node. Save the file.
>>
>> Note: this save-load-sign routine is so far the only way I've found to
>> preserve the whitespace (is there any other way?)
>>
>> regards
>> --
>> Rolando Abarca M.
>>
>
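A pre-flight check for the error quoted in the thread, written here as an added Ruby example (not code from the thread or from xmlsec): it recomputes the RSA Modulus/Exponent pair that xmlsec writes into the <KeyValue> requested by xmlSecTmplKeyInfoAddKeyValue and compares it with the public key inside the certificate loaded for <X509Data>, so a key/certificate mismatch is caught before xmlSecDSigCtxSign runs. The self-signed certificate helper and the key pairs are constructed test material only.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate for an RSA key (constructed test
# material, standing in for the cert_file the extension loads).
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.parse('/CN=constructed-test')
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# xmlsec fills <KeyValue> with the signing key's RSA Modulus and Exponent as
# big-endian base64; reproduce that pair from any RSA public key so the value
# derived from the private key can be compared with the certificate's.
def rsa_key_value(pub)
  { modulus: [pub.n.to_s(2)].pack('m0'),
    exponent: [pub.e.to_s(2)].pack('m0') }
end

# Does the private key in key_pem belong to the certificate in cert_pem?
# A verifier that checks <KeyValue> against <X509Certificate> rejects the
# signature when this is false ("The public key does not correspond to the
# certificate"), so run this before signing rather than discovering it remotely.
def key_matches_cert?(key_pem, cert_pem)
  key  = OpenSSL::PKey::RSA.new(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  rsa_key_value(key.public_key) == rsa_key_value(cert.public_key)
end
```

When key_file and cert_file are the same PEM file, as in the thread, pass its contents as both arguments; OpenSSL picks the PRIVATE KEY and CERTIFICATE blocks respectively.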