Here's the xml (with signature), it's a modified SAML token:

<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" ID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" MajorVersion="1" MinorVersion="1" Issuer="thomson.com" IssueInstant="2007-09-18T04:44:42Z"><saml:Conditions NotBefore="2007-09-18T04:44:42Z" NotOnOrAfter="2007-09-18T04:54:42Z"/><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2007-09-18T04:44:42Z"><saml:Subject><saml:NameIdentifier Format="http://security.schemas.tfn.thomson.com/Principal/2007-01-25/#SubId">1234</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement/><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>zZJ8tOVaDO3PogS6SLWbk3D27g4=</DigestValue></Reference></SignedInfo><SignatureValue>k9AxevEOzbZXCGCl141KzIEv2guu6b2d5i6dYcWL3lvWb5oje0ufkDCJ8vyanO84
cTMOgCcKpJtzx8qFD/sL6ptnMKisQD103NUgnSefzAzgnDLm6Vc8U5UvDkQvecx6
fyxVZCXpIiR7Z8QuMbVgGQ/jvJ4F3IRYMPhnlF8Sbfk=</SignatureValue><KeyInfo><X509Data>
<X509Certificate>MIIDCzCCAnSgAwIBAgIDB0LYMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcwNDEzMTY0MzU0WhcNMDkwNDEzMTY0MzU0
WjCBlTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHEwhO
ZXcgWW9yazEcMBoGA1UEChMTVGhvbXNvbiBDb3Jwb3JhdGlvbjEaMBgGA1UECxMR
VGhvbXNvbiBGaW5hbmNpYWwxJjAkBgNVBAMTHXNlY3VyaXR5LWRldi5zZXJ2aWNl
cy50Zm4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3pO898aOmbK1/
+quYg9QzPlSF85JdZQSAjAWbWPe4Tv6CraxGxSUPakImrbtjJuR4b4G0oWBGJ42P
yYOsKT/FcSXcpm7HgfoIE7inVMtHxlukpAqpkPyTmpvfpOG9Psczvj9bFB/upkyq
IjOBFupNtgeLNJZo4waYWiswFeq+QQIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE
8DAdBgNVHQ4EFgQUvj3lMAx/8CNxDh/pVq62Nj10E9QwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYD
VR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAAQ/bvOU5DiOvYimTEYkxqHO
ZC1ylXTMFs6xDzcDZ0rf0AxD4IzPUbXKHdb16JJ5p/MET9K7TcFr6CKBQh9ANUAS
Q+eaw0BzhGgoxV8+IxVheRx34V1Vf+v6jA8xPa3d8fEbH2jFLZ/MPVPSGRFzD0fa
5ieETYx60WhVp1kT3G7R</X509Certificate>
</X509Data></KeyInfo></Signature></saml:Assertion>


On Dec 4, 2007 2:03 AM, Aleksey Sanin <aleksey@aleksey.com> wrote:
> xmlSecOpenSSLAppKeyLoadMemory() ???
>
> Aleksey
>
> Jim Nutt wrote:
> > Ok, I'm pulling my hair out on this one. I'm trying to verify an xml
> > signature based on the x509 certificate embedded in the keyinfo and I
> > cannot get it to work. If I verify using the same pem file I used for
> > signing, it verifies ok, so I know the signature is valid. The problem
> > is getting it to validate without going to the original pem file. I've
> > tried the straightforward method of letting xmlSecDSigVerify load the
> > key, but it can't find the key in signature. I've even tried writing the
> > base64 data to a file (bracketed with -----BEGIN CERTIFICATE----- and
> > -----END CERTIFICATE-----) and then loading that file as the
> > certificate. It refuses to read the file. And yes, I know the file is a
> > valid pem file because openssl x509 -in filename -text reads it just fine.
> >
> > Any suggestions would be greatly appreciated, as I'm on a time crunch on
> > this (now... wasn't when I started... *sigh*)
> >
> > --
> > Jim Nutt
> > http://jim.nuttz.org
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec@aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec


-- 
Jim Nutt
http://jim.nuttz.org
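An added example for the problem discussed in this thread (my own code, not from the thread or from the xmlsec project). The certificate carried in KeyInfo is supplied by whoever built the token, so a verifier that simply takes it on trust learns only that the token was signed by some key, not that it was signed by the expected issuer. xmlsec therefore uses a KeyInfo certificate only after validating it against the trusted certificates loaded into its keys manager (with the xmlsec1 tool, via --trusted-pem), which is the usual reason a verification that works with the original PEM file reports that the key cannot be found. The script below, standard library only, does the pre-checks a relying party would want before calling the verifier: it pulls the X509Certificate out of the enveloped Signature, checks the outer DER length header against the decoded length (a cheap test for a truncated or mangled base64 copy), rewrites it as the 64-column PEM block the original poster was producing by hand, pins it against an allow-list of SHA-256 fingerprints obtained out of band, and checks the Conditions window. The assertion and certificate are copied from the token posted above, abridged to the elements these checks read; the function names, the empty pinned set and the clock values are assumptions for illustration.

```python
# Added example, not code from the thread or from xmlsec: relying-party pre-checks
# on a SAML 1.x assertion before it is handed to the signature verifier. Function
# names, the pinned set and the clock values are assumptions for illustration.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# X509Certificate text exactly as posted in the thread (17 lines of base64).
CERT_B64 = """\
MIIDCzCCAnSgAwIBAgIDB0LYMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcwNDEzMTY0MzU0WhcNMDkwNDEzMTY0MzU0
WjCBlTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHEwhO
ZXcgWW9yazEcMBoGA1UEChMTVGhvbXNvbiBDb3Jwb3JhdGlvbjEaMBgGA1UECxMR
VGhvbXNvbiBGaW5hbmNpYWwxJjAkBgNVBAMTHXNlY3VyaXR5LWRldi5zZXJ2aWNl
cy50Zm4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3pO898aOmbK1/
+quYg9QzPlSF85JdZQSAjAWbWPe4Tv6CraxGxSUPakImrbtjJuR4b4G0oWBGJ42P
yYOsKT/FcSXcpm7HgfoIE7inVMtHxlukpAqpkPyTmpvfpOG9Psczvj9bFB/upkyq
IjOBFupNtgeLNJZo4waYWiswFeq+QQIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE
8DAdBgNVHQ4EFgQUvj3lMAx/8CNxDh/pVq62Nj10E9QwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYD
VR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAAQ/bvOU5DiOvYimTEYkxqHO
ZC1ylXTMFs6xDzcDZ0rf0AxD4IzPUbXKHdb16JJ5p/MET9K7TcFr6CKBQh9ANUAS
Q+eaw0BzhGgoxV8+IxVheRx34V1Vf+v6jA8xPa3d8fEbH2jFLZ/MPVPSGRFzD0fa
5ieETYx60WhVp1kT3G7R"""

# Abridged copy of the posted assertion: AuthenticationStatement, SignedInfo and
# SignatureValue are omitted because the checks below read only Conditions and KeyInfo.
ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" '
    'ID="SecurityToken-d3aaac64-7f2d-4250-be09-176bcbcdb41f" MajorVersion="1" '
    'MinorVersion="1" Issuer="thomson.com" IssueInstant="2007-09-18T04:44:42Z">'
    '<saml:Conditions NotBefore="2007-09-18T04:44:42Z" NotOnOrAfter="2007-09-18T04:54:42Z"/>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data>'
    '<X509Certificate>' + CERT_B64 + '</X509Certificate></X509Data></KeyInfo></Signature>'
    '</saml:Assertion>'
)

def extract_certificate(assertion_xml):
    """DER bytes of the X509Certificate in the enveloped Signature (a direct child
    of the Assertion); whitespace is stripped because XML base64 may be wrapped."""
    sig = ET.fromstring(assertion_xml).find(f"{{{DSIG_NS}}}Signature")
    node = sig.find(f".//{{{DSIG_NS}}}X509Certificate") if sig is not None else None
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate in Signature/KeyInfo")
    return base64.b64decode("".join(node.text.split()), validate=True)

def der_sequence_length(der):
    """Length claimed by the outer DER SEQUENCE header, header included;
    a mismatch with len(der) means the base64 copy was truncated or padded."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def der_to_pem(der):
    """64-column PEM, the form a verifier such as xmlsec1 --trusted-pem reads."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)

def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def is_pinned(der, pinned_fingerprints):
    """KeyInfo is chosen by whoever built the token, so its certificate is only
    usable if it matches one whose fingerprint was pinned out of band."""
    return sha256_fingerprint(der) in pinned_fingerprints

def parse_instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def within_conditions(assertion_xml, now):
    """NotBefore <= now < NotOnOrAfter; an assertion lacking either bound is rejected."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML1_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False
    return parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))

def precheck(assertion_xml, pinned_fingerprints, now):
    der = extract_certificate(assertion_xml)
    return {"der_complete": der_sequence_length(der) == len(der),
            "cert_pinned": is_pinned(der, pinned_fingerprints),
            "in_window": within_conditions(assertion_xml, now)}

if __name__ == "__main__":
    der = extract_certificate(ASSERTION_XML)
    print("KeyInfo cert SHA-256:", sha256_fingerprint(der))  # pin only after an out-of-band check
    print(der_to_pem(der), end="")
    # The empty pinned set is a placeholder, so cert_pinned is False here by design.
    print(precheck(ASSERTION_XML, set(), datetime.now(timezone.utc)))
```

Run stand-alone, the script prints the fingerprint and PEM form of the posted certificate and a result dict in which cert_pinned is False until the fingerprint of a copy of the issuer's certificate obtained out of band is added to the pinned set; only once every value in the dict is True is it worth handing the document to the signature verifier with that PEM as the trusted certificate.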