[xmlsec] X509SubjectName use case
Benjamin Dauvergne
bdauvergne at entrouvert.com
Wed May 18 16:15:55 PDT 2011
I have a question about a use case where I do not see how to use
libxmlsec:
- shibboleth (an implementation of SAML2) is using a metadata file to
declare trusted cryptographic keys between services; a KeyInfo can be
used to designate the subject name of the certificate which should be
used to sign some XML content, each message is thus accompanied by
a KeyInfo with the full certificate included,
- at signature validation time, two operations must be made:
  - check that the signature is made with a certificate which belongs
  to a trusted CA; I already know how to do this by stuffing such a
  CA in an xmlSecKeysMngr which is passed to xmlSecDSigCtx
  - check that the certificate has the required subject name,
I'm looking into implementing this use case with libxmlsec, especially
the last operation.
In this regard I would like to know how to make a kind of xmlSecKey that
I can pass to the xmlSecDSigCtx structure so that it only checks the
name of the certificate but does not force a certain key and lets the key
store do its job of validating the certificate.
Currently my impression is that I can only do this by hand or by
stuffing the certificate included in a signature into an xmlSecKeysMngr
and then rereading the metadata file so that the
X509Data/X509SubjectName can be resolved, which in my own view is
a complete reversal of the logical workflow to use, in which resolution
of the subject name would be done in the signature validation code (i.e.
inside xmlSecDSigCtxVerify).
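The second check described above (signer certificate must carry the subject name declared in the SAML metadata) can be done "by hand" once the signature and the certificate chain have already been verified against the trusted CA. The following is an added example, not code from the post, from libxmlsec or from Shibboleth: it reads the ds:X509SubjectName values out of a constructed metadata fragment (hypothetical entityID and DN values), normalises both the metadata DN and the subject string reported for the verified signing certificate, and compares them. It assumes the signer's subject arrives as an RFC 4514-style string ("CN=..,O=..,C=..") or as the OpenSSL one-line form ("/C=../O=../CN=.."), whose RDN order is reversed relative to RFC 4514; multi-valued RDNs joined with '+' are not handled.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (hypothetical entity and subject name); in a real
# deployment this comes from the trusted, out-of-band distributed metadata file.
METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509SubjectName>CN=idp.example.org, O=Example Org, C=FR</ds:X509SubjectName>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _split_unescaped(s, sep):
    """Split s on sep, honouring RFC 4514 backslash escapes (e.g. 'a\\,b')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Return a DN as an ordered list of (TYPE, value) pairs, normalised for comparison.

    Attribute types are upper-cased; values have whitespace collapsed and are
    case-folded. A leading '/' selects the OpenSSL one-line layout, whose RDNs are
    listed most-significant first and are therefore reversed to RFC 4514 order.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = [p for p in dn[1:].split("/") if p]
        rdns.reverse()
    else:
        rdns = _split_unescaped(dn, ",")
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        typ, val = rdn.split("=", 1)
        out.append((typ.strip().upper(), " ".join(val.split()).casefold()))
    return out


def expected_subject_names(metadata_xml, use="signing"):
    """Collect ds:X509SubjectName values from KeyDescriptors usable for `use`.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included as well.
    """
    root = ET.fromstring(metadata_xml)
    names = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") not in (None, use):
            continue
        for sn in kd.iter("{%s}X509SubjectName" % DS_NS):
            if sn.text and sn.text.strip():
                names.append(sn.text.strip())
    return names


def signer_subject_is_trusted(signer_subject, metadata_xml):
    """Decide whether the (already chain-validated) signer's subject is one the
    metadata declares for signing. Only call this after xmlSecDSigCtxVerify (or
    equivalent) has succeeded; a subject-name match alone proves nothing."""
    got = parse_dn(signer_subject)
    return any(got == parse_dn(want) for want in expected_subject_names(metadata_xml))


if __name__ == "__main__":
    # Same certificate subject in two spellings: both accepted.
    print(signer_subject_is_trusted("cn=idp.example.org,o=example org,c=FR", METADATA_XML))
    print(signer_subject_is_trusted("/C=FR/O=Example Org/CN=idp.example.org", METADATA_XML))
    # A certificate from another entity issued by the same trusted CA: rejected.
    print(signer_subject_is_trusted("CN=other.example.org,O=Example Org,C=FR", METADATA_XML))
```

The ordering of the two checks matters: the CA check in the key manager establishes that the certificate is genuine, and only then does the subject-name comparison tie that certificate to the specific entity the metadata names; comparing the subject first, or instead, would let any certificate whose subject string happens to match pass. Normalising both sides is needed because different libraries print the same X.500 name with different spacing, case and RDN order.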