[xmlsec] How to ignore KeyInfo/X509Data in response
Aleksey Sanin
aleksey at aleksey.com
Tue May 21 21:10:54 PDT 2013
If you know the public key in advance, then you can set it in xmlDsigCtx.
Aleksey
On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
> Hi All,
>
> We are using XMLSec to handle XML signature and encryption in the SAML 1.0 and 2.0 protocols. We pre-configure the configuration data, such as the IDP certificate, using metadata. So even if the response includes "KeyInfo/X509Data", we will ignore it and use the local pre-configured certificate to verify it, and we assume the SP totally trusts this certificate. So we also won't use a CA certificate to verify the pre-configured certificate's legitimacy.
>
> I dug into the code and found:
>
> /* ignore <dsig:KeyInfo /> if the key is already set */
> /* todo: throw an error if key is set and node != NULL? */
> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>    && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
> }
>
> Does it mean I need to set dsigCtx->signKey? And what is the meaning of dsigCtx->signKey? Is it the private key from the IDP? (We can never get the private key from the IDP.) How can I meet this requirement with xmlsec?
>
>
> Thanks,
>
> Jeffrey
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>