[xmlsec] How to ignore KeyInfo/X509Data in response

Jeffrey Jin (jefjin) jefjin at cisco.com
Tue May 21 21:51:21 PDT 2013


The content of cicert.pem:

[jabber at localhost xmlsec-demo]$ openssl x509 -noout -text -in cert/cicert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=JiangSu, L=SuZhou, O=CISCO, OU=CISCO, CN=xcp/emailAddress=jefjin at cisco.com
        Validity
            Not Before: May 20 05:03:34 2013 GMT
            Not After : May 20 05:03:34 2014 GMT
        Subject: C=CN, ST=JiangSu, O=CISCO, OU=WEBEX, CN=xcp-suzhou/emailAddress=jeffreyj at sz.webex.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c4:12:28:d5:0a:89:2d:d1:ab:e9:3b:19:73:97:
                    78:39:f9:d7:55:a2:ff:a2:5b:cd:6e:76:d5:68:23:
                    20:59:c9:1d:c8:36:2c:84:a3:e6:f2:a5:31:51:b4:
                    25:ea:8b:8f:53:82:98:d0:c1:4c:18:84:fa:20:79:
                    0b:d8:0b:88:4d:62:9c:ae:47:48:66:41:a3:09:70:
                    8e:04:24:ee:40:a2:c8:d6:4a:ac:c1:cf:ed:c2:64:
                    2b:23:6f:99:d4:9d:b6:3a:f8:de:91:62:c9:87:aa:
                    10:c2:14:54:30:21:ae:ee:39:72:34:74:aa:09:c4:
                    dc:e9:df:43:aa:bf:d3:6e:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                10:43:DE:6C:CF:B5:20:C7:6D:2B:8B:AC:0C:F9:AB:62:F5:E9:82:4E
            X509v3 Authority Key Identifier:
                keyid:56:75:33:F2:CA:91:07:6E:3F:F3:77:B9:ED:75:10:AA:48:0B:02:9B

    Signature Algorithm: sha1WithRSAEncryption
        66:b1:d6:a4:4f:20:01:a7:6c:04:fd:19:19:b0:ae:40:57:32:
        9c:52:fb:80:85:4b:e9:91:3b:29:2f:f5:34:c7:d4:8e:c3:75:
        bd:f3:0e:1a:13:3a:ed:d5:42:b9:23:e6:e1:71:6d:3a:80:02:
        aa:93:eb:2e:49:65:68:41:cc:6d:b5:20:fe:c7:45:7d:7a:ae:
        c0:bd:59:84:fb:a9:8c:21:b0:91:7d:03:b0:39:db:40:ad:3f:
        e0:d2:e3:4c:24:62:c9:22:d5:67:63:00:06:de:07:79:e3:13:
        cb:de:9b:b9:d3:2a:17:e1:17:88:f5:9d:24:06:ad:60:d1:93:
        b6:3b
[jabber at localhost xmlsec-demo]$




On 5/22/13 12:48 PM, "Jeffrey Jin (jefjin)" <jefjin at cisco.com> wrote:

>No, just the public key in the cert.
>
>
>
>On 5/22/13 12:45 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>
>>Private key in cert/cicert.pem file? Really?
>>
>>Aleksey
>>
>>On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
>>> Aleksey,
>>> 
>>> The cert is in the cert/ folder but I got the error as below:
>>> 
>>> [jabber at localhost xmlsec-demo]$ ./verify1 example/sample-res.xml cert/cicert.pem
>>> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed: 
>>> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library failed:filename=cert/cicert.pem;errno=0
>>> Error: failed to load public pem key from "cert/cicert.pem"
>>> 
>>> -Jeffrey
>>> 
>>> 
>>> 
>>> On 5/22/13 12:17 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>> 
>>>> If you set the key in xmldsigctx then it will never get there anyway.
>>>>
>>>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>>>> in the xmlsec1 command line tool source code)
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>>>> Thanks Aleksey for the quick response. I will try it.
>>>>> I have another question: how to disable certificate validation in
>>>>> xmlsec?
>>>>>
>>>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>
>>>>>> If you know the public key in advance then you can set it in xmlDsigCtx
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We are using XMLSec to handle XML signature and encryption in the SAML 1.0
>>>>>>> and 2.0 protocols. We pre-configure the configuration data, such as the
>>>>>>> IDP certificate, using metadata. So even if the response includes
>>>>>>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>>>>>> certificate to verify it, and we assume the SP totally trusts this
>>>>>>> certificate. So also we won't use a CA certificate to verify the
>>>>>>> pre-configured certificate's legitimacy.
>>>>>>>
>>>>>>> I dug into the code and found:
>>>>>>>
>>>>>>> /* ignore <dsig:KeyInfo /> if the key is already set */
>>>>>>> /* todo: throw an error if key is set and node != NULL? */
>>>>>>> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>>>>>                               && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>>>>>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
>>>>>>> }
>>>>>>>
>>>>>>> Does it mean I need to set dsigCtx->signKey? And what is the meaning of
>>>>>>> dsigCtx->signKey? Is it the private key from the IDP? (We can never get
>>>>>>> the private key from the IDP.) How can I meet this requirement with xmlsec?
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Jeffrey
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
>>>>>
>>> 
>



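The verify1 failure in the thread, reproduced and resolved as an added example (this is not code from the thread or from the xmlsec project). verify1 loads its key argument as xmlSecKeyDataFormatPem, so OpenSSL tries PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY on it; cert/cicert.pem holds a CERTIFICATE block, not a key block, which is why both parsers fail and verify1 reports "failed to load public pem key". Extracting the certificate's SubjectPublicKeyInfo into a PUBLIC KEY block gives verify1 something it can load, and once that key is set as the signing key the KeyInfo/X509Data carried by a response is never consulted (the "ignore KeyInfo if the key is already set" branch quoted above). The script assumes only openssl on PATH; the self-signed certificate, the work directory and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: diagnose "PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY failed"
# (a certificate handed to a PEM *key* loader) and produce a key file that
# verify1 / xmlSecKeyDataFormatPem can load. Assumes only openssl on PATH.
set -e

WORK=$(mktemp -d)                       # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for cert/cicert.pem: a throwaway self-signed IdP cert.
# The private key is written too, but only the certificate is used below,
# mirroring the thread: an SP only ever holds the IdP's public half.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-idp" \
    -keyout "$WORK/idp-key.pem" -out "$WORK/cicert.pem" >/dev/null 2>&1

# pem_kind FILE: label of the first PEM block ("CERTIFICATE", "PUBLIC KEY", ...)
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# loads_as_pubkey FILE: does OpenSSL's public-key PEM reader accept FILE?
# This is the same parse verify1 relies on; it is false for a certificate.
loads_as_pubkey() {
    openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1
}

# extract_pubkey CERT OUT: write the cert's SubjectPublicKeyInfo as a PEM
# "PUBLIC KEY" block, the form PEM_read_bio_PUBKEY (and thus verify1) accepts.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# pubkey_fp FILE: SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key.
pubkey_fp() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_pubkey_fp CERT: the same digest taken straight from the certificate, so
# the extracted key can be checked against the pinned IdP cert before use.
cert_pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

extract_pubkey "$WORK/cicert.pem" "$WORK/cipub.pem"

echo "cicert.pem holds: $(pem_kind "$WORK/cicert.pem")"    # CERTIFICATE
if loads_as_pubkey "$WORK/cicert.pem"; then
    echo "cicert.pem parses as a PEM public key (unexpected)"
else
    echo "cicert.pem does not parse as a PEM public key: verify1 would fail here"
fi
echo "cipub.pem holds:  $(pem_kind "$WORK/cipub.pem")"     # PUBLIC KEY
echo "key fingerprint:  $(pubkey_fp "$WORK/cipub.pem")"
# With the public key in key form, the thread's command becomes:
#   ./verify1 example/sample-res.xml cert/cipub.pem
```

The same distinction shows up in the C API and the command-line tool: xmlSecCryptoAppKeyLoad accepts the certificate directly when called with xmlSecKeyDataFormatCertPem instead of xmlSecKeyDataFormatPem, and the resulting key is what gets assigned to dsigCtx->signKey (the verification key, here the IdP's public key, never its private key); the xmlsec1 tool exposes the same loader as --pubkey-cert-pem. Whichever route is used, comparing the fingerprint of the loaded key against the pinned IdP certificate, as cert_pubkey_fp does above, is a cheap check that the SP is verifying against the key it was configured with.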