[xmlsec] How to ignore KeyInfo/X509Data in response

Jeffrey Jin (jefjin) jefjin at cisco.com
Tue May 21 21:48:47 PDT 2013


No, just the public key in the cert.



On 5/22/13 12:45 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>Private key in cert/cicert.pem file? Really?
>
>Aleksey
>
>On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
>> Aleksey,
>> 
>> The cert is in the cert/ folder but I got the error as below:
>> 
>> [jabber at localhost xmlsec-demo]$ ./verify1 example/sample-res.xml cert/cicert.pem
>> 
>> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed: 
>> 
>> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=cert/cicert.pem;errno=0
>> Error: failed to load public pem key from "cert/cicert.pem"
>> 
>> -Jeffrey
>> 
>> 
>> 
>> On 5/22/13 12:17 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>> 
>>> If you set the key in xmldsigctx then it will never get there anyway.
>>>
>>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>>> in the xmlsec1 command line tool source code)
>>>
>>> Aleksey
>>>
>>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>>> Thanks Aleksey for the quick response. I will try it.
>>>> I have another question: how do I disable certificate validation in
>>>> xmlsec?
>>>>
>>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>
>>>>> If you know the public key in advance then you can set it in xmlDsigCtx
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> We are using XMLSec to handle XML signature and encryption in the SAML 1.0
>>>>>> and 2.0 protocols. We pre-configure the configuration data, such as the
>>>>>> IDP certificate, using metadata. So even if the response includes
>>>>>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>>>>> certificate to verify it, and we assume the SP totally trusts this
>>>>>> certificate. So we also won't use a CA certificate to verify the
>>>>>> pre-configured certificate's legitimacy.
>>>>>>
>>>>>> I dug into the code and found:
>>>>>>
>>>>>>     /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>>>>     /* todo: throw an error if key is set and node != NULL? */
>>>>>>     if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>>>>                         && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>>>>         dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
>>>>>>     }
>>>>>>
>>>>>> Does it mean I need to set dsigCtx->signKey? And what is the meaning of
>>>>>> dsigCtx->signKey? Is it the private key from the IDP? (We can never get the
>>>>>> private key from the IDP.) How can I meet this requirement with xmlsec?
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Jeffrey
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> xmlsec at aleksey.com
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>
>>>>
>> 
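Added example, not code from this thread or from xmlsec itself. The verify1 failure quoted above comes from xmlSecOpenSSLAppKeyLoadBIO trying PEM_read_bio_PrivateKey and then PEM_read_bio_PUBKEY on cert/cicert.pem: a PEM certificate is neither, so both reads fail even though the public key is inside it. The script below extracts the SubjectPublicKeyInfo with openssl into a "BEGIN PUBLIC KEY" file that verify1 can load and pre-set as dsigCtx->signKey, which is the path in the quoted snippet that makes xmlsec skip <dsig:KeyInfo/> (and so the X509Data) in the response. The self-signed certificate is a constructed fixture standing in for the IdP cert; verify1 and the file names are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not xmlsec code). Turns an IdP
# certificate into the PEM public-key file verify1 expects, and shows why
# handing it the certificate directly fails.
set -eu

# Extract the public key from a PEM certificate into a PEM public-key file
# ("-----BEGIN PUBLIC KEY-----"), the form PEM_read_bio_PUBKEY parses.
extract_pubkey() {
    cert="$1"
    out="$2"
    openssl x509 -in "$cert" -pubkey -noout > "$out"
}

# Succeed only if the file parses as a PEM public key. A certificate fails
# this check, which is the same failure verify1 reported in the thread.
is_pem_pubkey() {
    openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1
}

# Constructed fixture: a throwaway self-signed certificate standing in for
# the IdP's cert/cicert.pem. In a real deployment it comes from IdP metadata.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-idp" \
        -keyout "$dir/idp-key.pem" -out "$dir/cicert.pem" >/dev/null 2>&1
}

# Verify a response with the pre-configured public key. verify1 is the xmlsec
# example program used in the thread: it loads the PEM key and assigns it to
# dsigCtx->signKey, so KeyInfo/X509Data in the response is not consulted.
verify_response() {
    response="$1"
    pubkey="$2"
    ./verify1 "$response" "$pubkey"
}

# Stand-alone demo: the certificate is rejected as a key, the extracted
# public key is accepted.
demo() {
    work=$(mktemp -d)
    make_demo_cert "$work"
    if is_pem_pubkey "$work/cicert.pem"; then
        echo "unexpected: certificate parsed as a public key"
    else
        echo "cicert.pem is a certificate, not a PEM public key (the verify1 error)"
    fi
    extract_pubkey "$work/cicert.pem" "$work/cipub.pem"
    is_pem_pubkey "$work/cipub.pem" && echo "cipub.pem loads as a public key; pass it to verify1"
    rm -rf "$work"
}

demo
```

With the IdP certificate from metadata saved as cert/cicert.pem, `extract_pubkey cert/cicert.pem cert/cipub.pem` followed by `verify_response example/sample-res.xml cert/cipub.pem` reproduces the thread's setup with a key file the loader accepts. Because the key is pinned in the signing context rather than taken from the message, an attacker-supplied X509Data in the response cannot substitute its own certificate, which is the property the original poster wanted.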


