[xmlsec] How to ignore KeyInfo/X509Data in response

Aleksey Sanin aleksey at aleksey.com
Tue May 21 21:45:52 PDT 2013


Private key in cert/cicert.pem file? Really?

Aleksey

On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
> Aleksey,
> 
> The cert in cert/ folder but I got the error as bellows:
> 
> [jabber at localhost xmlsec-demo]$ ./verify1 example/sample-res.xml
> cert/cicert.pem 
> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_re
> ad_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function
> failed: 
> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpe
> nSSLAppKeyLoadBIO:error=1:xmlsec library function
> failed:filename=cert/cicert.pem;errno=0
> Error: failed to load public pem key from "cert/cicert.pem"
> 
> -Jeffrey
> 
> 
> 
> On 5/22/13 12:17 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> 
>> If you set the key in xmldsigctx then it will never get there anyway.
>>
>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>> in the xmlsec1 command line tool source code)
>>
>> Aleksey
>>
>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>> Thanks Aleksey quick response. I will try it.
>>> I have another question: how to disable certificate validation in
>>> xmlsec?
>>>
>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>
>>>> If you know the public key in advance then you can set it in xmlDsigCtx
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>> Hi All,
>>>>>
>>>>> We are using XMLSec to handle XML signature and encryption in SAML 1.0
>>>>> and 2.0 protocols. We are pre-configed the configuration data such as
>>>>> IDP certificate using metadata. So even the response include
>>>>> "KeyInfo/X509Data", we will ignore it then using local  pre-config
>>>>> certificate to verify it and we assume SP totally trust this
>>>>> certificate.  So also we won't use CA certificate to verify  the
>>>>> pre-config certificate's legitimacy.
>>>>>
>>>>> I dig into code then find:
>>>>>
>>>>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>>>     /* todo: throw an error if key is set and node != NULL? */
>>>>>     if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr
>>>>> != NULL)
>>>>>                         && (dsigCtx->keyInfoReadCtx.keysMngr->getKey
>>>>> !=
>>>>> NULL)) {
>>>>>         dsigCtx->signKey =
>>>>> (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>>>> &(dsigCtx->keyInfoReadCtx));
>>>>>     }
>>>>>
>>>>> Does it means I need to set dsigCtx->signKey? And what's meaning of
>>>>> dsigCtx->signKey? Is it private key from IDP? (we never can get
>>>>> private
>>>>> key from IDP). How can I meet this requirement by xmlsec?
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jeffrey
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
>>>
> 


More information about the xmlsec mailing list