Sure... <div><br></div><div>Not entirely sure on the exact syntax to use. This is what we got:</div><div><br></div><div><div>openssl pkcs12 -info -in keysncerts/usercert.p12 </div><div><br></div><div>Enter Import Password:</div>



<div>MAC Iteration 2048</div><div>MAC verified OK</div><div>PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048</div><div>Certificate bag</div><div>Bag Attributes</div><div>    localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C </div>



<div>subject=/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=<a href="mailto:jsmith@hello.com" target="_blank">jsmith@hello.com</a></div><div>issuer=/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=<a href="mailto:lostilos@free.fr" target="_blank">lostilos@free.fr</a></div>



<div>PKCS7 Data</div><div>Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048</div><div>Bag Attributes</div><div>    localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C </div>



<div>Key Attributes: <No Attributes></div><div><br></div><div>It then prompts for a password:</div><div><br></div><div>Enter PEM pass phrase:</div><div><div>Verifying - Enter PEM pass phrase:</div><div><br></div><div>


I entered "password" and got this...</div><div><br></div><div>-----BEGIN RSA PRIVATE KEY-----</div><div>Proc-Type: 4,ENCRYPTED</div><div>DEK-Info: DES-EDE3-CBC,058FCED319755EBF</div><div>-----END RSA PRIVATE KEY-----</div></div><div><br></div><br><div class="gmail_quote">On Thu, Feb 24, 2011 at 8:57 AM, Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span> wrote:<br>



<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
    
  
  <div text="#000000" bgcolor="#ffffff">
    Thanks for the update. If you have a second, could you please try to run
    the openssl pkcs12 command on Mac <br>
    to see the content of the <font face="'courier new', monospace">usercert.p12 file?</font><br><font color="#888888">
    <br>
    Aleksey</font><div><div></div><div><br>
    <br>
    On 2/23/11 11:54 AM, Nigel Ramsay wrote:
    <blockquote type="cite">Hi Aleksey
      <div><br>
      </div>
      <div>As I suggested, I tried it on Ubuntu - and it just worked. </div>
      <div><br>
      </div>
      <div>It must have been a "mac thing". </div>
      <div><br>
      </div>
      <div>I've now gone and repeated the exact same steps on both Ubuntu
        10.4 and OSX 10.6 with differing results - the Ubuntu version
        produced the required output, while the Mac version did not. </div>
      <div><br>
      </div>
      <div>For those who are interested, these are the simple steps I
        followed:</div>
      <div><br>
      </div>
      <div><b>Mac</b></div>
      <div><br>
      </div>
      <div><font face="'courier new',
          monospace">port install xmlsec</font></div>
      <div><font face="'courier new',
          monospace">wget <a href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip" target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip</a></font></div>
      <div><font face="'courier new',
          monospace">unzip keysncerts.zip</font></div>
      
      <div><font face="'courier new',
          monospace">wget <a href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml" target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml</a></font></div>
      <div><font face="'courier new',
          monospace">xmlsec1 --sign --pkcs12 keysncerts/usercert.p12
          --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml</font></div>
      <div><br>
      </div>
      <div><b>Ubuntu</b></div>
      <div><br>
      </div>
      <div><font face="'courier new',
          monospace">apt-get install xmlsec1</font></div>
      <div>
        
        <div><font face="'courier new',
            monospace">wget <a href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip" target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip</a></font></div>
        <div><font face="'courier new',
            monospace">unzip keysncerts.zip</font></div>
        <div><font face="'courier new',
            monospace">wget <a href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml" target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml</a></font></div>
        <div><font face="'courier new',
            monospace">xmlsec1 --sign --pkcs12 keysncerts/usercert.p12
            --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml</font></div>
      </div>
      <div><br>
      </div>
      <div>
        So anyway - thanks Aleksey for a very handy tool. There's
        nothing else out there like it. Certainly nothing in "Ruby land"
        where we do most of our work. </div>
      <div><br>
      </div>
      <div>Cheers</div>
      <div><br>
      </div>
      <div>
        Nigel</div>
      <div><br>
      </div>
      <div><br>
      </div>
      <div><br>
      </div>
      <div><br>
        <div class="gmail_quote">On Thu, Feb 24, 2011 at 8:33 AM,
          Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
            <div text="#000000" bgcolor="#ffffff"> Make sure that you
              actually have *both* private key and certificate in the
              usercert.p12<br>
              <br>
              Aleksey
              <div>
                <div><br>
                  <br>
                  On 2/23/11 11:24 AM, Nigel Ramsay wrote: </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div class="gmail_quote">Hi
                      <div><br>
                      </div>
                      <div>We are trying to sign an XML document with an
                        X509 certificate, but are having problems
                        getting the X509Data node populated. </div>
                      <div><br>
                      </div>
                      <div>We are following Philippe Camacho's tutorial
                        here:</div>
                      <div><a href="http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7" target="_blank">http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7</a><br clear="all">




                        <br>
                      </div>
                      <div>The command that we use is copied from the
                        tutorial, and we are using the keysncerts.zip
                        file that contains the appropriate keys and
                        certificates. </div>
                      <div><br>
                      </div>
                      <div>The command (using v 1.2.16 on Mac OSX 10.6)
                        is: </div>
                      <div>xmlsec1 --sign --pkcs12 usercert.p12
                        --trusted-pem cacert.pem --pwd hello
                        doc-x509.xml</div>
                      <div><br>
                      </div>
                      <div>The contents of doc-x509.xml are (the
                        document we are trying to sign):</div>
                      <div>
                        <div><References></div>
                        <div> <Book></div>
                        <div>  <Author></div>
                        <div>   <FirstName>Bruce</FirstName></div>
                        <div>  
                          <LastName>Schneier</LastName></div>
                        <div>  </Author></div>
                        <div>  <Title>Applied
                          Cryptography</Title></div>
                        <div> </Book></div>
                        <div> <Web></div>
                        <div>  <Title>XMLSec</Title></div>
                        <div>  <Url><a href="http://www.aleksey.com/xmlsec/" target="_blank">http://www.aleksey.com/xmlsec/</a></Url></div>
                        <div> </Web></div>
                        <div> <Signature xmlns="<a href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div>
                        <div>  <SignedInfo></div>
                        <div>   <CanonicalizationMethod Algorithm=</div>
                        <div>    "<a href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/></div>
                        <div>   <SignatureMethod Algorithm=</div>
                        <div>    "<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/></div>
                        <div>   <Reference URI=""></div>
                        <div>    <Transforms></div>
                        <div>     <Transform Algorithm=</div>
                        <div>      "<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature" target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"
                          /></div>
                        <div>    </Transforms></div>
                        <div>    <DigestMethod Algorithm=</div>
                        <div>      "<a href="http://www.w3.org/2000/09/xmldsig#sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/></div>
                        <div>   
                           <DigestValue></DigestValue></div>
                        <div>   </Reference></div>
                        <div>  </SignedInfo></div>
                        <div>  <SignatureValue /></div>
                        <div>  <KeyInfo></div>
                        <div>   <X509Data ></div>
                        <div>    <X509SubjectName/></div>
                        <div>    <X509IssuerSerial/></div>
                        <div>    <X509Certificate/></div>
                        <div>   </X509Data></div>
                        <div>   <KeyValue /></div>
                        <div>  </KeyInfo></div>
                        <div> </Signature></div>
                        <div></References></div>
                      </div>
                      <div><br>
                      </div>
                      <div>We get this output from running the command:</div>
                      <div><br>
                      </div>
                      <div>
                        <div><?xml version="1.0"?></div>
                        <div><References></div>
                        <div>    <Book></div>
                        <div>        <Author></div>
                        <div>          
                           <FirstName>Bruce</FirstName></div>
                        <div>           
                           <LastName>Schneier</LastName></div>
                        <div>        </Author></div>
                        <div>        <Title>Applied
                          Cryptography</Title></div>
                        <div>    </Book></div>
                        <div>    <Web></div>
                        <div>        <Title>XMLSec</Title></div>
                        <div>        <Url><a href="http://www.aleksey.com/xmlsec/" target="_blank">http://www.aleksey.com/xmlsec/</a></Url></div>
                        <div>    </Web></div>
                        <div>    <Signature xmlns="<a href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div>
                        <div>        <SignedInfo></div>
                        <div>            <CanonicalizationMethod
                          Algorithm="<a href="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" target="_blank">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</a>"/></div>
                        <div>                <SignatureMethod
                          Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>"/></div>
                        <div>                <Reference URI=""></div>
                        <div>                <Transforms></div>
                        <div>                    <Transform
                          Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature" target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"/></div>
                        <div>                </Transforms></div>
                        <div>                <DigestMethod
                          Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#sha1</a>"/></div>
                        <div>              
                           <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue></div>
                        <div>            </Reference></div>
                        <div>        </SignedInfo></div>
                        <div>      
 <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS</div>
                        <div>lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2</div>
                        <div>twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue></div>
                        <div>        </div>
                        <div>        <KeyInfo></div>
                        <div>            <X509Data></div>
                        <div>                </div>
                        <div>                </div>
                        <div>                </div>
                        <div>            </X509Data></div>
                        <div>            <KeyValue></div>
                        <div><RSAKeyValue></div>
                        <div><Modulus></div>
                        <div>vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd</div>
                        <div>aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL</div>
                        <div>GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=</div>
                        <div></Modulus></div>
                        <div><Exponent></div>
                        <div>AQAB</div>
                        <div></Exponent></div>
                        <div></RSAKeyValue></div>
                        <div></KeyValue></div>
                        <div>        </KeyInfo></div>
                        <div>        </div>
                        <div>    </Signature></div>
                        <div></References></div>
                      </div>
                      <div><br>
                      </div>
                      <div>As you can see, the X509Data node is blank. </div>
                      <div><br>
                      </div>
                      <div>We have tried including the --print-xml-debug
                        option, and this shows a number of fields,
                        including:</div>
                      <div><br>
                      </div>
                      <div>
                        <div><X509Data></div>
                        <div><KeyCertificate></div>
                        <div><SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John

                          Smith/emailAddress=<a href="mailto:jsmith@hello.com" target="_blank">jsmith@hello.com</a></SubjectName></div>
                        <div><IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe

                          Camacho/emailAddress=<a href="mailto:lostilos@free.fr" target="_blank">lostilos@free.fr</a></IssuerName></div>
                        <div><SerialNumber>11E</SerialNumber></div>
                        <div></KeyCertificate></div>
                        <div></X509Data></div>
                      </div>
                      <div><br>
                      </div>
                      <div>We have also tried these commands with our
                        own generated keys, and different XML files too.
                        We get the same result each time. </div>
                      <div> <br>
                      </div>
                      <div>I have searched this mailing list, and note
                        that Braja Biswal had a similar problem:</div>
                      <div><a href="http://www.aleksey.com/pipermail/xmlsec/2009/008672.html" target="_blank">http://www.aleksey.com/pipermail/xmlsec/2009/008672.html</a></div>
                      <div><br>
                      </div>
                      <div>We would really appreciate any help, as we
                        seem to be out of ideas. Our last idea is to try
                        the same approach using Ubuntu - perhaps this is
                        "a Mac thing". We used MacPorts to install
                        Xmlsec.</div>
                      <div><br>
                      </div>
                      <div>Thanks</div>
                      <div><br>
                      </div>
                      <div>Nigel</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div><br>
                        -- <br>
                        Nigel Ramsay<br>
                        Principal Consultant<br>
                        Able Technology<br>
                        <br>
                        <div>04 910 3100<br>
                          021 323 990
                          <div><a href="http://www.abletech.co.nz" target="_blank">http://www.abletech.co.nz</a><br>
                            <a href="http://nigel.ramsay.org.nz" target="_blank">http://nigel.ramsay.org.nz</a></div>
                        </div>
                        <br>
                      </div>
                    </div>
                    <br>
                  </div>
                </div>
              </blockquote>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
  </div></div></div>

</blockquote></div><br><br clear="all"><br>-- <br>Nigel Ramsay<br>Principal Consultant<br>Able Technology<br><br><div>04 910 3100<br>021 323 990<div><a href="http://www.abletech.co.nz" target="_blank">http://www.abletech.co.nz</a><br>



<a href="http://nigel.ramsay.org.nz" target="_blank">http://nigel.ramsay.org.nz</a></div></div><br>
</div>
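A check for the failure described in this thread (a signed document that carries a KeyValue but a blank X509Data node), as an added example that is not part of the original messages or of xmlsec itself. The function names, status labels and sample documents are constructed for illustration; the element names come from the template quoted in the thread.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Children of X509Data that the template in the thread asks xmlsec1 to fill in.
EXPECTED = ["X509SubjectName", "X509IssuerSerial", "X509Certificate"]


def _filled(elem):
    """True if the element exists and it, or a descendant, carries text."""
    return elem is not None and any(t.strip() for t in elem.itertext())


def audit_keyinfo(xml_text):
    """Return one finding per ds:Signature found in xml_text.

    Assumes xml_text is the local output of your own signing run; use a
    hardened parser for XML received from other parties.
    """
    findings = []
    for sig in ET.fromstring(xml_text).iter(f"{{{DS}}}Signature"):
        x509 = sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data")
        children = list(x509) if x509 is not None else []
        populated = [c.tag.split("}", 1)[-1] for c in children if _filled(c)]
        missing = [name for name in EXPECTED if name not in populated]
        has_key = _filled(sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyValue"))
        if not _filled(sig.find(f"{{{DS}}}SignatureValue")):
            status = "unsigned-template"   # template never went through --sign
        elif not missing:
            status = "ok"                  # certificate data travels with the signature
        elif not populated and has_key:
            status = "key-only"            # the symptom reported in the thread
        else:
            status = "partial"
        findings.append({"status": status, "populated": populated,
                         "missing": missing, "key_value": has_key})
    return findings


def make_sample(x509_body):
    """Constructed signed document; every value is a placeholder."""
    return (
        f'<References><Signature xmlns="{DS}">'
        "<SignedInfo/><SignatureValue>c2lnbmF0dXJl</SignatureValue>"
        f"<KeyInfo><X509Data>{x509_body}</X509Data>"
        "<KeyValue><RSAKeyValue><Modulus>bW9kdWx1cw==</Modulus>"
        "<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>"
        "</KeyInfo></Signature></References>"
    )


# Constructed inputs: a blank X509Data node, and a populated one.
EMPTY_X509 = make_sample("\n      \n")
POPULATED = make_sample(
    "<X509SubjectName>CN=Example Signer</X509SubjectName>"
    "<X509IssuerSerial><X509IssuerName>CN=Example CA</X509IssuerName>"
    "<X509SerialNumber>1</X509SerialNumber></X509IssuerSerial>"
    "<X509Certificate>Y2VydGlmaWNhdGU=</X509Certificate>"
)

if __name__ == "__main__":
    for label, doc in (("empty", EMPTY_X509), ("populated", POPULATED)):
        print(label, audit_keyinfo(doc))
```

Run against the output of `xmlsec1 --sign`, a `key-only` finding means a verifier receives only a bare public key and has no certificate to chain to the `--trusted-pem` CA.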