[xmlsec] How to ignore KeyInfo/X509Data in response

Jeffrey Jin (jefjin) jefjin at cisco.com
Tue May 21 21:59:16 PDT 2013


It works. 
Thanks again.

On 5/22/13 12:52 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>cert pem format != public key pem format
>
>Aleksey
>
>On 5/21/13 9:48 PM, Jeffrey Jin (jefjin) wrote:
>> No, just the public key in the cert.
>> 
>> 
>> 
>> On 5/22/13 12:45 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>> 
>>> Private key in cert/cicert.pem file? Really?
>>>
>>> Aleksey
>>>
>>> On 5/21/13 9:41 PM, Jeffrey Jin (jefjin) wrote:
>>>> Aleksey,
>>>>
>>>> The cert is in the cert/ folder but I got the error as below:
>>>>
>>>> [jabber at localhost xmlsec-demo]$ ./verify1 example/sample-res.xml cert/cicert.pem
>>>>
>>>> func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:
>>>>
>>>> func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=cert/cicert.pem;errno=0
>>>> Error: failed to load public pem key from "cert/cicert.pem"
>>>>
>>>> -Jeffrey
>>>>
>>>>
>>>>
>>>> On 5/22/13 12:17 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>
>>>>> If you set the key in xmldsigctx then it will never get there anyway.
>>>>>
>>>>> Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are
>>>>>examples
>>>>> in the xmlsec1 command line tool source code)
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>>>>>> Thanks Aleksey for the quick response. I will try it.
>>>>>> I have another question: how do I disable certificate validation in
>>>>>> xmlsec?
>>>>>>
>>>>>> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>>>>>>
>>>>>>> If you know the public key in advance then you can set it in
>>>>>>> xmlDsigCtx
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> We are using XMLSec to handle XML signature and encryption in the SAML
>>>>>>>> 1.0 and 2.0 protocols. We pre-configure the configuration data, such
>>>>>>>> as the IDP certificate, using metadata. So even if the response
>>>>>>>> includes "KeyInfo/X509Data", we will ignore it and use the local
>>>>>>>> pre-configured certificate to verify it, and we assume the SP totally
>>>>>>>> trusts this certificate. So we also won't use a CA certificate to
>>>>>>>> verify the pre-configured certificate's legitimacy.
>>>>>>>>
>>>>>>>> I dug into the code and found:
>>>>>>>>
>>>>>>>>     /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>>>>>>     /* todo: throw an error if key is set and node != NULL? */
>>>>>>>>     if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>>>>>>                         && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>>>>>>         dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>>>>>>>                                                 &(dsigCtx->keyInfoReadCtx));
>>>>>>>>     }
>>>>>>>>
>>>>>>>> Does it mean I need to set dsigCtx->signKey? And what is the meaning
>>>>>>>> of dsigCtx->signKey? Is it the private key from the IDP? (We can
>>>>>>>> never get the private key from the IDP.) How can I meet this
>>>>>>>> requirement with xmlsec?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Jeffrey
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> xmlsec at aleksey.com
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>
>>>>>>
>>>>
>> 