[xmlsec] How to ignore KeyInfo/X509Data in response
Aleksey Sanin
aleksey at aleksey.com
Tue May 21 21:52:06 PDT 2013
cert pem format != public key pem format
Aleksey
On 5/21/13 9:48 PM, Jeffrey Jin (jefjin) wrote:
> No, just public key in cert.
>
>
>
> On 5/22/13 12:45 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>
>> Private key in cert/cicert.pem file? Really?
>>
>> Aleksey
>>
>> On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
>>> Aleksey,
>>>
>>> The cert in cert/ folder but I got the error as bellows:
>>>
>>> [jabber at localhost xmlsec-demo]$ ./verify1 example/sample-res.xml
>>> cert/cicert.pem
>>>
>>> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_
>>> re
>>> ad_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library
>>> function
>>> failed:
>>>
>>> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecO
>>> pe
>>> nSSLAppKeyLoadBIO:error=1:xmlsec library function
>>> failed:filename=cert/cicert.pem;errno=0
>>> Error: failed to load public pem key from "cert/cicert.pem"
>>>
>>> -Jeffrey
>>>
>>>
>>>
>>> On 5/22/13 12:17 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>
>>>> If you set the key in xmldsigctx then it will never get there anyway.
>>>>
>>>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>>>> in the xmlsec1 command line tool source code)
>>>>
>>>> Aleksey
>>>>
>>>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>>>> Thanks Aleksey quick response. I will try it.
>>>>> I have another question: how to disable certificate validation in
>>>>> xmlsec?
>>>>>
>>>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>
>>>>>> If you know the public key in advance then you can set it in
>>>>>> xmlDsigCtx
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We are using XMLSec to handle XML signature and encryption in SAML
>>>>>>> 1.0
>>>>>>> and 2.0 protocols. We are pre-configed the configuration data such
>>>>>>> as
>>>>>>> IDP certificate using metadata. So even the response include
>>>>>>> "KeyInfo/X509Data", we will ignore it then using local pre-config
>>>>>>> certificate to verify it and we assume SP totally trust this
>>>>>>> certificate. So also we won't use CA certificate to verify the
>>>>>>> pre-config certificate's legitimacy.
>>>>>>>
>>>>>>> I dig into code then find:
>>>>>>>
>>>>>>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>>>>> /* todo: throw an error if key is set and node != NULL? */
>>>>>>> if((dsigCtx->signKey == NULL) &&
>>>>>>> (dsigCtx->keyInfoReadCtx.keysMngr
>>>>>>> != NULL)
>>>>>>> && (dsigCtx->keyInfoReadCtx.keysMngr->getKey
>>>>>>> !=
>>>>>>> NULL)) {
>>>>>>> dsigCtx->signKey =
>>>>>>> (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>>>>>> &(dsigCtx->keyInfoReadCtx));
>>>>>>> }
>>>>>>>
>>>>>>> Does it means I need to set dsigCtx->signKey? And what's meaning of
>>>>>>> dsigCtx->signKey? Is it private key from IDP? (we never can get
>>>>>>> private
>>>>>>> key from IDP). How can I meet this requirement by xmlsec?
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Jeffrey
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> xmlsec mailing list
>>>>>>> xmlsec at aleksey.com
>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>
>>>>>
>>>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
More information about the xmlsec
mailing list