[xmlsec] Re: parsing signature.xml
Aleksey Sanin
aleksey at aleksey.com
Fri Apr 3 10:24:26 PST 2009
Yes, all of the above is done by xmlsec during signature verification.
However, the online tool you've mentioned supports only ONE root
certificate. You have to write your own program to do that or use
xmlsec command line tool.
Aleksey
Ashish Agrawal wrote:
> Hi Aleksey,
>
> thanks for ur reply, Let me try to elaborate.
>
> I ve one one signature.xml file which has two x509 certificates as part
> of x509Certificate tag plus one root ca certifiacte file as roorcert.crt
> file.
> I ve to verify the following:
>
> 1. Verify signataturemethod, canonicalization method and digest method.
> 2. Verify the digest value for all the reference tags which as sha256 hash.
> 3. verify SignatureValue which is calculated over the signed info using
> the first x509certificate
> 4. verify the certificate chain, ( two certs embedded in the
> signature.xml file ) and one crt file outside.
>
> i need to do the above mentioned verification using the programming
> API's , can u pls suggest if this can be done using one api or i ve
> to divide each verification,
>
> also pls suggest if i ve to get my input certificate in some other format.
>
> ~Ashish
>
>
>
> On Fri, Apr 3, 2009 at 11:37 PM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
> Sorry, I am not sure I understand the question about the online
> tool. Could you please give more details? E.g. error messages
> you see?
>
> Regarding things verified... Yes, xmlsec verifies the signature
> according to XMLDsig standard and also performs the certificates
> chain verification.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>
>
> On Fri, Apr 3, 2009 at 3:48 PM, Ashish Agrawal
> <meetashish at gmail.com <mailto:meetashish at gmail.com>
> <mailto:meetashish at gmail.com <mailto:meetashish at gmail.com>>> wrote:
>
> Hi Aleksey,
>
> I ve a doubt on the sample implementation which is present at
> http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html.
> My understanding is, the xml file is the signature.xml file which
> contains the signatureValue and the x509 certificates,
>
> when it asks for another pem certifaicate does it mean to get the
> root CA certificate which has signed one of the x509 cert
> present in
> the signature.xml file.
>
> also when we say verification (xmlSecDSigCtxVerify) what all
> things
> are verified from the signature.xml, does it do
>
> 1. signatureValue verification
> 2. root chain verification ?
> can u let me know is there is nything else that is verified ?
>
> ~Regards,
> Ashish
>
>
>
More information about the xmlsec
mailing list