[xmlsec] Signing a document with an X509 certificate doesn't populate the X509Data node
Aleksey Sanin
aleksey at aleksey.com
Wed Feb 23 13:47:39 PST 2011
Thanks. Seems like both key and cert are there. Not sure what went wrong...
On 2/23/11 12:43 PM, Nigel Ramsay wrote:
> Sure...
>
> Not entirely sure on the exact syntax to use. This is what we got:
>
> openssl pkcs12 -info -in keysncerts/usercert.p12
>
> Enter Import Password:
> MAC Iteration 2048
> MAC verified OK
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Certificate bag
> Bag Attributes
> localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C
> subject=/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith at hello.com
> issuer=/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=lostilos at free.fr
> -----BEGIN CERTIFICATE-----
> MIIC6DCCAlGgAwIBAgICAR4wDQYJKoZIhvcNAQEFBQAwgYcxCzAJBgNVBAYTAkNM
> MQswCQYDVQQIEwJSTTERMA8GA1UEBxMIU2FudGlhZ28xHDAaBgNVBAoTE2xpdHRs
> ZWNyeXB0b2dyYXBoZXIxGTAXBgNVBAMTEFBoaWxpcHBlIENhbWFjaG8xHzAdBgkq
> hkiG9w0BCQEWEGxvc3RpbG9zQGZyZWUuZnIwHhcNMDgwMTE5MTI1MjM3WhcNMDkw
> MTE4MTI1MjM3WjBuMQswCQYDVQQGEwJDTDELMAkGA1UECBMCUk0xHDAaBgNVBAoT
> E2xpdHRsZWNyeXB0b2dyYXBoZXIxEzARBgNVBAMTCkpvaG4gU21pdGgxHzAdBgkq
> hkiG9w0BCQEWEGpzbWl0aEBoZWxsby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
> MIGJAoGBALwShIDVij20XFC8V3Bs8Xn6b3uRa8rnPgkMCc92LoxNc/IzCriw9gu9
> NGps/bwanWgZbK5va46Y27axFhHo2uNk9ZE2lj0UQegFdBGlEIOt9hlpHFSqTnmX
> AKraSHd2yxhVe+JqGIrtyTQluWVNPOCKXd8zubFgWqlUMXMrn8JzAgMBAAGjezB5
> MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
> cnRpZmljYXRlMB0GA1UdDgQWBBQ08GE4h2jHJZOGkDUyQE9EEPMqlDAfBgNVHSME
> GDAWgBT+y1YLKOsq6cec6uU61UxVhNvUajANBgkqhkiG9w0BAQUFAAOBgQAVZMDa
> KVhvX2qOMlcjX7i6DESF7SDyEbjfPk+bYIDm+al45lmzixkFeYUUQcFJMG0s152A
> kFd/fTVMfz/j37OQYxUYwwZQlMW3dVnC+CvjtMlSrReeHThhQFQpO16i21aDitON
> 1TFsvO8T+21YGB4kne44vry6O4JJPy8EZBsfbw==
> -----END CERTIFICATE-----
> PKCS7 Data
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
> Bag Attributes
> localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C
> Key Attributes: <No Attributes>
>
> It then prompts for a password:
>
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
>
> I entered "password" and got this...
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,058FCED319755EBF
>
> rlRk7UJFjOmpFIQsb0D4g7nHKuKy5spYUWfOEjM9wBNR97/4lW7nNmNsEGWpg8ZB
> PbPY5WDxF2XOO9FLnBWD7SZvBOD7aaKiPX0bfiwutvVotlyvYDgkBJJT1H8wwQbd
> 7/yM3pqowc22JpLBiCO2Bs7wHz+xHGZvLW7H6J1VZYvqqFdGoN6jbcyLadZ3U+rn
> HeqsKRpSTqPT7wPr7SQA0SjcV+QW1TtKgozoYdBqXh3YHGzGwpYA1pGZogZZSSE8
> 6rOPpV0k/3jJE19FI2A39kDZLlDnOfcPu44Qi7e7J+xmN7h+waceXcIqhZY/QDVq
> slfX41/7BjQfxQPeXIJ6gNt3GbP0mJF42Rra6yy2oN3xx7zIBRALmplZIWvI2HTJ
> m6Lb6o1/Ag2C8vGKgxM1dL2EUXFeZVEl/clPWZHJ49arPgAt7UpgAFM1GFdANNkB
> O9O87LPJxE+W7hR7otpkr0UVHUOeOBaFd70POTtPf4efdXcAt5+QCRj7EoyRRbIk
> xueW3WUXibAYiDcAyoLRlPj+OaopbdAy99efCM4o0oIHEI9tWN7UGdCVV/8+LZIs
> CEkflcUtSQIe0q8eC+RhfDvjL9MM32znz2vSvqa3s9jhXfedDzAKESv808NQy+mW
> LkSumr81qs5pSeT7MU9iqYylyBrRT1rCVHq7ahaJ8Xg5AiwP06bkLuz7GJ6zmcvl
> Qw7PByfHfOE3dpyb2KBg9WwMycud+y+gNKFBQVVCqlEMuU4zguXkpReHWld9F1VX
> /3W3Ts/bBOWJ+c1O0/RGVgb8etWlgz0fme+urXq7zZPjXWVJehrAwA==
> -----END RSA PRIVATE KEY-----
>
> On Thu, Feb 24, 2011 at 8:57 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Thanks for the update. If you have a second, could you please try to
> run the openssl pkcs12 command on the Mac to see the content of the
> usercert.p12 file?
>
> Aleksey
>
>
> On 2/23/11 11:54 AM, Nigel Ramsay wrote:
>> Hi Aleksey
>>
>> As I suggested, I tried it on Ubuntu - and it just worked.
>>
>> It must have been a "mac thing".
>>
>> I've now gone and repeated the exact same steps on both Ubuntu 10.4
>> and OSX 10.6 with differing results - the Ubuntu version produced
>> the required output, while the Mac version did not.
>>
>> For those who are interested, these are the simple steps I followed:
>>
>> *Mac*
>>
>> port install xmlsec
>> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
>> unzip keysncerts.zip
>> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
>> xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml
>>
>> *Ubuntu*
>>
>> apt-get install xmlsec1
>> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
>> unzip keysncerts.zip
>> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
>> xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml
>>
>> So anyway - thanks Aleksey for a very handy tool. There's nothing
>> else out there like it. Certainly nothing in "Ruby land" where we
>> do most of our work.
>>
>> Cheers
>>
>> Nigel
>>
>> On Thu, Feb 24, 2011 at 8:33 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Make sure that you actually have *both* private key and
>> certificate in the usercert.p12
>>
>> Aleksey
>>
>>
>> On 2/23/11 11:24 AM, Nigel Ramsay wrote:
>>> Hi
>>>
>>> We are trying to sign an XML document with an X509
>>> certificate, but are having problems getting the X509Data
>>> node populated.
>>>
>>> We are following Philippe Camacho's tutorial here:
>>> http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7
>>>
>>> The command that we use is copied from the tutorial, and we
>>> are using the keysncerts.zip file that contains the
>>> appropriate keys and certificates.
>>>
>>> The command (using v 1.2.16 on Mac OSX 10.6) is:
>>> xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem
>>> cacert.pem --pwd hello doc-x509.xml
>>>
>>> The contents of the doc-x509.xml is (the document we are
>>> trying to sign):
>>> <References>
>>> <Book>
>>> <Author>
>>> <FirstName>Bruce</FirstName>
>>> <LastName>Schneier</LastName>
>>> </Author>
>>> <Title>Applied Cryptography</Title>
>>> </Book>
>>> <Web>
>>> <Title>XMLSec</Title>
>>> <Url>http://www.aleksey.com/xmlsec/</Url>
>>> </Web>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> <SignedInfo>
>>> <CanonicalizationMethod Algorithm=
>>> "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>> <SignatureMethod Algorithm=
>>> "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>> <Reference URI="">
>>> <Transforms>
>>> <Transform Algorithm=
>>> "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>> </Transforms>
>>> <DigestMethod Algorithm=
>>> "http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue></DigestValue>
>>> </Reference>
>>> </SignedInfo>
>>> <SignatureValue />
>>> <KeyInfo>
>>> <X509Data >
>>> <X509SubjectName/>
>>> <X509IssuerSerial/>
>>> <X509Certificate/>
>>> </X509Data>
>>> <KeyValue />
>>> </KeyInfo>
>>> </Signature>
>>> </References>
>>>
>>> We get this output from running the command:
>>>
>>> <?xml version="1.0"?>
>>> <References>
>>> <Book>
>>> <Author>
>>> <FirstName>Bruce</FirstName>
>>> <LastName>Schneier</LastName>
>>> </Author>
>>> <Title>Applied Cryptography</Title>
>>> </Book>
>>> <Web>
>>> <Title>XMLSec</Title>
>>> <Url>http://www.aleksey.com/xmlsec/</Url>
>>> </Web>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> <SignedInfo>
>>> <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>> <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>> <Reference URI="">
>>> <Transforms>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>> </Transforms>
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
>>> </Reference>
>>> </SignedInfo>
>>> <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
>>> lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
>>> twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
>>> <KeyInfo>
>>> <X509Data>
>>> </X509Data>
>>> <KeyValue>
>>> <RSAKeyValue>
>>> <Modulus>
>>> vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
>>> aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
>>> GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
>>> </Modulus>
>>> <Exponent>
>>> AQAB
>>> </Exponent>
>>> </RSAKeyValue>
>>> </KeyValue>
>>> </KeyInfo>
>>> </Signature>
>>> </References>
>>>
>>> As you can see, the X509Data node is blank.
>>>
>>> We have tried including the --print-xml-debug option, and
>>> this shows a number of fields, including:
>>>
>>> <X509Data>
>>> <KeyCertificate>
>>> <SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith at hello.com</SubjectName>
>>> <IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=lostilos at free.fr</IssuerName>
>>> <SerialNumber>11E</SerialNumber>
>>> </KeyCertificate>
>>> </X509Data>
>>>
>>> We have also tried these commands with our own generated
>>> keys, and different XML files too. We get the same result
>>> each time.
>>>
>>> I have searched this mailing list, and note that Braja
>>> Biswal had a similar problem:
>>> http://www.aleksey.com/pipermail/xmlsec/2009/008672.html
>>>
>>> We would really appreciate any help, as we seem to be out of
>>> ideas. Our last idea is to try the same approach using
>>> Ubuntu - perhaps this is "a Mac thing". We used MacPorts to
>>> install Xmlsec.
>>>
>>> Thanks
>>>
>>> Nigel
>>>
>>> --
>>> Nigel Ramsay
>>> Principal Consultant
>>> Able Technology
>>>
>>> 04 910 3100
>>> 021 323 990
>>> http://www.abletech.co.nz
>>> http://nigel.ramsay.org.nz
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
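Aleksey's conclusion above (both key and cert are in the PKCS#12, and the debug output shows SerialNumber 11E) can be checked against the data quoted in this thread. The following is an added example, not code from the thread or from xmlsec: it decodes the certificate that `openssl pkcs12 -info` printed, walks the DER with a small hand-written stdlib-only parser (it reads only the fields it needs, and is not a general ASN.1 library) to recover the serial and RSA public key, and confirms that the `<Modulus>` xmlsec emitted under `<KeyValue>` is the modulus of that certificate, i.e. the signing key really is the key the certificate was issued for.

```python
import base64
# Certificate block as printed by `openssl pkcs12 -info` in the thread above.
CERT_B64 = """MIIC6DCCAlGgAwIBAgICAR4wDQYJKoZIhvcNAQEFBQAwgYcxCzAJBgNVBAYTAkNM
MQswCQYDVQQIEwJSTTERMA8GA1UEBxMIU2FudGlhZ28xHDAaBgNVBAoTE2xpdHRs
ZWNyeXB0b2dyYXBoZXIxGTAXBgNVBAMTEFBoaWxpcHBlIENhbWFjaG8xHzAdBgkq
hkiG9w0BCQEWEGxvc3RpbG9zQGZyZWUuZnIwHhcNMDgwMTE5MTI1MjM3WhcNMDkw
MTE4MTI1MjM3WjBuMQswCQYDVQQGEwJDTDELMAkGA1UECBMCUk0xHDAaBgNVBAoT
E2xpdHRsZWNyeXB0b2dyYXBoZXIxEzARBgNVBAMTCkpvaG4gU21pdGgxHzAdBgkq
hkiG9w0BCQEWEGpzbWl0aEBoZWxsby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALwShIDVij20XFC8V3Bs8Xn6b3uRa8rnPgkMCc92LoxNc/IzCriw9gu9
NGps/bwanWgZbK5va46Y27axFhHo2uNk9ZE2lj0UQegFdBGlEIOt9hlpHFSqTnmX
AKraSHd2yxhVe+JqGIrtyTQluWVNPOCKXd8zubFgWqlUMXMrn8JzAgMBAAGjezB5
MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBQ08GE4h2jHJZOGkDUyQE9EEPMqlDAfBgNVHSME
GDAWgBT+y1YLKOsq6cec6uU61UxVhNvUajANBgkqhkiG9w0BAQUFAAOBgQAVZMDa
KVhvX2qOMlcjX7i6DESF7SDyEbjfPk+bYIDm+al45lmzixkFeYUUQcFJMG0s152A
kFd/fTVMfz/j37OQYxUYwwZQlMW3dVnC+CvjtMlSrReeHThhQFQpO16i21aDitON
1TFsvO8T+21YGB4kne44vry6O4JJPy8EZBsfbw=="""
SIGNED_MODULUS_B64 = (  # <Modulus> xmlsec wrote under <KeyValue> in the signed output
    "vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd"
    "aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL"
    "GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=")

def _tlv(buf, pos):  # (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_rsa_public_key(cert_b64):
    """Return (serial, modulus, exponent) of an RSA X.509 cert given as base64 DER."""
    der = base64.b64decode("".join(cert_b64.split()))
    num = lambda s, e: int.from_bytes(der[s:e], "big")
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])     # Certificate -> into tbsCertificate
    pos = _tlv(der, pos)[2] if der[pos] == 0xA0 else pos  # skip explicit [0] version
    _, s, pos = _tlv(der, pos)                 # serialNumber INTEGER
    serial = num(s, pos)
    for _ in range(4):                         # skip signature, issuer, validity, subject
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)                 # into subjectPublicKeyInfo
    _, pos, _ = _tlv(der, _tlv(der, pos)[2])   # skip AlgorithmIdentifier, into BIT STRING
    _, pos, _ = _tlv(der, pos + 1)             # skip unused-bits byte, into RSAPublicKey
    _, s, e = _tlv(der, pos)                   # modulus INTEGER (leading 0x00 is harmless)
    _, s2, e2 = _tlv(der, e)                   # publicExponent INTEGER
    return serial, num(s, e), num(s2, e2)

def signing_key_matches_certificate(cert_b64=CERT_B64, modulus_b64=SIGNED_MODULUS_B64):
    """True when xmlsec's <Modulus> equals the certificate's RSA modulus."""
    signed_n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    return cert_rsa_public_key(cert_b64)[1] == signed_n
```

A mismatch here would mean the PKCS#12 carries a certificate that does not belong to the private key, which is a separate failure from the empty X509Data seen on the Mac build.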