[xmlsec] Signing a document with an X509 certificate doesn't populate the X509Data node
Aleksey Sanin
aleksey at aleksey.com
Wed Feb 23 11:33:14 PST 2011
Make sure that you actually have *both* private key and certificate in
the usercert.p12
Aleksey
On 2/23/11 11:24 AM, Nigel Ramsay wrote:
> Hi
>
> We are trying to sign an XML document with an X509 certificate, but
> are having problems getting the X509Data node populated.
>
> We are following Philippe Camacho's tutorial here:
> http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7
>
> The command that we use is copied from the tutorial, and we are using
> the keysncerts.zip file that contains the appropriate keys and
> certificates.
>
> The command (using v 1.2.16 on Mac OSX 10.6) is:
> xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem --pwd
> hello doc-x509.xml
>
> The contents of the doc-x509.xml is (the document we are trying to sign):
> <References>
> <Book>
> <Author>
> <FirstName>Bruce</FirstName>
> <LastName>Schneier</LastName>
> </Author>
> <Title>Applied Cryptography</Title>
> </Book>
> <Web>
> <Title>XMLSec</Title>
> <Url>http://www.aleksey.com/xmlsec/</Url>
> </Web>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm=
> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <SignatureMethod Algorithm=
> "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="">
> <Transforms>
> <Transform Algorithm=
> "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
> </Transforms>
> <DigestMethod Algorithm=
> "http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue></DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue />
> <KeyInfo>
> <X509Data >
> <X509SubjectName/>
> <X509IssuerSerial/>
> <X509Certificate/>
> </X509Data>
> <KeyValue />
> </KeyInfo>
> </Signature>
> </References>
>
> We get this output from running the command:
>
> <?xml version="1.0"?>
> <References>
> <Book>
> <Author>
> <FirstName>Bruce</FirstName>
> <LastName>Schneier</LastName>
> </Author>
> <Title>Applied Cryptography</Title>
> </Book>
> <Web>
> <Title>XMLSec</Title>
> <Url>http://www.aleksey.com/xmlsec/</Url>
> </Web>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
> lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
> twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
> <KeyInfo>
> <X509Data>
> </X509Data>
> <KeyValue>
> <RSAKeyValue>
> <Modulus>
> vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
> aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
> GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
> </Modulus>
> <Exponent>
> AQAB
> </Exponent>
> </RSAKeyValue>
> </KeyValue>
> </KeyInfo>
> </Signature>
> </References>
>
> As you can see, the X509Data node is blank.
>
> We have tried including the --print-xml-debug option, and this shows a
> number of fields, including:
>
> <X509Data>
> <KeyCertificate>
> <SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John
> Smith/emailAddress=jsmith at hello.com</SubjectName>
> <IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
> Camacho/emailAddress=lostilos at free.fr</IssuerName>
> <SerialNumber>11E</SerialNumber>
> </KeyCertificate>
> </X509Data>
>
> We have also tried these commands with our own generated keys, and
> different XML files too. We get the same result each time.
>
> I have searched this mailing list, and note that Braja Biswal had a
> similar problem:
> http://www.aleksey.com/pipermail/xmlsec/2009/008672.html
>
> We would really appreciate any help, as we seem to be out of ideas.
> Our last idea is to try the same approach using Ubuntu - perhaps this
> is "a Mac thing". We used MacPorts to install Xmlsec.
>
> Thanks
>
> Nigel
>
> --
> Nigel Ramsay
> Principal Consultant
> Able Technology
>
> 04 910 3100
> 021 323 990
> http://www.abletech.co.nz
> http://nigel.ramsay.org.nz
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
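The check below is an added example written for this page; it is not code from the thread or from xmlsec itself. It parses a signed document and reports what a relying party would find in ds:KeyInfo, so the symptom Nigel describes (an empty X509Data beside a bare RSAKeyValue, which leaves a verifier with a public key it cannot tie to any identity or CA) is caught on the producing side rather than at the counterparty. Sample 1 is constructed from the KeyInfo xmlsec1 emitted above, with the Modulus and Exponent copied from the quoted output and the SignatureValue replaced by a placeholder; sample 2 is a constructed document showing what a populated X509Data looks like, with placeholder certificate bytes. The element names are those of XML-DSig; the report keys, the `findings` wording and the 2048-bit threshold are this example's own choices.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % DSIG_NS

# Constructed sample 1: the shape of the document xmlsec1 produced in the thread.
# <X509Data> is empty and only a bare RSAKeyValue is present. Modulus/Exponent are
# the values from the quoted output; the SignatureValue is a placeholder.
EMPTY_X509DATA_DOC = """<?xml version="1.0"?>
<References>
  <Book><Title>Applied Cryptography</Title></Book>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>c2lnbmF0dXJlLXZhbHVlLXBsYWNlaG9sZGVy</SignatureValue>
    <KeyInfo>
      <X509Data>
      </X509Data>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>
vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
          </Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
</References>
"""

# Constructed sample 2: what a relying party should see when the PKCS#12 also
# held the certificate. Names and certificate bytes are placeholders, not real.
POPULATED_X509DATA_DOC = """<?xml version="1.0"?>
<References>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <!-- SignedInfo omitted here; same shape as in the sample above -->
    <SignatureValue>c2lnbmF0dXJlLXZhbHVlLXBsYWNlaG9sZGVy</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName>CN=John Smith,O=littlecryptographer</X509SubjectName>
        <X509IssuerSerial>
          <X509IssuerName>CN=Example CA,O=littlecryptographer</X509IssuerName>
          <X509SerialNumber>286</X509SerialNumber>
        </X509IssuerSerial>
        <X509Certificate>MIIBPLACEHOLDERCERTIFICATEBYTES=</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</References>
"""


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def _b64_int(text):
    # xmlsec1 wraps base64 across lines; b64decode discards the whitespace.
    return int.from_bytes(base64.b64decode(text), "big") if text else None


def keyinfo_report(xml_text):
    """Summarise what a relying party finds in <KeyInfo> of the first ds:Signature."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//" + DS + "Signature")
    if sig is None:
        raise ValueError("no ds:Signature element in document")
    report = {"x509_certificate": False, "x509_subject_name": False,
              "x509_issuer_serial": False, "rsa_modulus_bits": None, "rsa_exponent": None}
    x509 = sig.find(DS + "KeyInfo/" + DS + "X509Data")
    if x509 is not None:
        report["x509_certificate"] = bool(_text(x509.find(DS + "X509Certificate")))
        report["x509_subject_name"] = bool(_text(x509.find(DS + "X509SubjectName")))
        serial = x509.find(DS + "X509IssuerSerial/" + DS + "X509SerialNumber")
        report["x509_issuer_serial"] = bool(_text(serial))
    rsa = sig.find(DS + "KeyInfo/" + DS + "KeyValue/" + DS + "RSAKeyValue")
    if rsa is not None:
        modulus = _b64_int(rsa.findtext(DS + "Modulus"))
        report["rsa_modulus_bits"] = modulus.bit_length() if modulus else None
        report["rsa_exponent"] = _b64_int(rsa.findtext(DS + "Exponent"))
    return report


def findings(report):
    """Plain-language problems a verifier would hit with this KeyInfo."""
    out = []
    if not report["x509_certificate"]:
        out.append("X509Data carries no X509Certificate: the signing key cannot be chained "
                   "to a trusted CA; confirm the PKCS#12 holds the certificate as well as the key")
    if report["rsa_modulus_bits"] is not None and report["rsa_modulus_bits"] < 2048:
        out.append("RSA modulus is %d bits, below the 2048-bit floor" % report["rsa_modulus_bits"])
    return out


if __name__ == "__main__":
    for label, doc in (("as produced in the thread", EMPTY_X509DATA_DOC),
                       ("with certificate", POPULATED_X509DATA_DOC)):
        r = keyinfo_report(doc)
        print(label, r, findings(r) or ["ok"])
```

Run against the thread's output the report shows no X509Certificate and a 1024-bit RSA key; against sample 2 it shows the subject, issuer/serial and certificate a verifier with `--trusted-pem` can chain. On the producing side, the cause Aleksey points to can be confirmed with `openssl pkcs12 -in usercert.p12 -info -noout`, which lists the bags in the file: if no certificate bag appears next to the key bag, xmlsec1 has no certificate to copy into X509Data.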