[xmlsec] Signing with X509 certificate using mscrypto provider

Jirka Kosek jirka at kosek.cz
Tue Apr 20 15:23:55 PDT 2010


Aleksey Sanin wrote:
> Sorry, I am not very familiar with mscrypto...

I think that it is better to not be familiar with any MS crypto stuff ;-)

But anyway, is there any list specific for xmlsec and mscrypto? I
haven't found much information specific to usage of xmlsec with MS
crypto providers.

> Could you please try to put the certificate subject into the
> "KeyName" element? I recall xmlsec-mscrypto is using it
> to search for the certificate/private key pair. Also I believe
> there is a notion of "friendly name" that also can be
> used as "KeyName" to refer to the key.

Thanks for the tip. I investigated it a little bit and in general both
ways you suggested work. The only glitch is that this doesn't work if I
use non-ASCII characters in the name. This is a problem because certificates
here in Czech usually contain first and last name inside the certificate
subject and there are almost always some characters with accents.

So it seems that there is a bug related to processing non-ASCII
characters. Also if I ask for certificate subject and issuer in a
signature template and these fields contain non-ASCII characters, I get
the following error from xmlsec:

output error : invalid character value
output error : string is not in UTF-8

Should I record this in the Bugzilla or is it sufficient to report it here?

As a workaround I have tried to escape accented characters, i.e. use:

serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing. Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ

instead of

SERIALNUMBER=P111870,CN=Ing. Jiří Kosek,OU=1,O=Ing. Jiří Kosek [IČ 71612998],C=CZ

I don't know whether this escaping is syntactically correct from an X.509
point of view, but I have seen it in the output of a message signed with the
openssl provider. Anyway this has not been working.

But a working solution is to set "friendly name" to use non-ASCII
characters. This is a small burden to the user, but it works for now. Many
thanks for this tip.

				Jirka

-- 
------------------------------------------------------------------
  Jirka Kosek      e-mail: jirka at kosek.cz      http://xmlguru.cz
------------------------------------------------------------------
       Professional XML consulting and training services
  DocBook customization, custom XSLT/XSL-FO document processing
------------------------------------------------------------------
 OASIS DocBook TC member, W3C Invited Expert, ISO JTC1/SC34 member
------------------------------------------------------------------
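
The two subject strings quoted in the message above differ only in representation: `\C5\99` is the RFC 4514 hex-pair escape of the UTF-8 octets of `ř`. The following Python is an added example (not part of the original post and not xmlsec code) that decodes such escapes and compares the two strings; the function names are hypothetical, and multi-valued RDNs (`+`) are assumed absent.

```python
import re

# A backslash followed by two hex digits (one escaped octet) or by any single byte.
_ESCAPE = re.compile(rb"\\([0-9A-Fa-f]{2}|.)", re.DOTALL)


def unescape_value(value: str) -> str:
    """Decode RFC 4514 escapes in one attribute value; reject invalid UTF-8."""
    def octet(m):
        tok = m.group(1)
        return bytes([int(tok, 16)]) if len(tok) == 2 else tok
    # Raises UnicodeDecodeError when the escaped octets are not valid UTF-8.
    return _ESCAPE.sub(octet, value.encode("utf-8")).decode("utf-8")


def escape_non_ascii(value: str) -> str:
    """Write every non-ASCII character as hex pairs of its UTF-8 octets."""
    return "".join(
        ch if ord(ch) < 0x80 else "".join(f"\\{b:02X}" for b in ch.encode("utf-8"))
        for ch in value
    )


def split_rdns(dn: str) -> list:
    """Split a DN string on commas that are not escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return parts + [cur]


def normalize_dn(dn: str) -> list:
    """Return (type, value) pairs with case-folded types and decoded values."""
    pairs = []
    for rdn in split_rdns(dn):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), unescape_value(value)))
    return pairs


# The two subject strings from the message, each joined onto one line.
ESCAPED = r"serialNumber=P111870,CN=Ing. Ji\C5\99\C3\AD Kosek,OU=1,O=Ing. Ji\C5\99\C3\AD Kosek [I\C4\8C 71612998],C=CZ"
PLAIN = "SERIALNUMBER=P111870,CN=Ing. Jiří Kosek,OU=1,O=Ing. Jiří Kosek [IČ 71612998],C=CZ"

if __name__ == "__main__":
    print(normalize_dn(ESCAPED) == normalize_dn(PLAIN))
```

Comparing the normalized pairs rather than the raw strings makes a subject lookup independent of which escaping a given provider emits.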
