[xmlsec] Re: x509, again
Aleksey Sanin
aleksey at aleksey.com
Mon Apr 22 08:52:36 PDT 2002
Hi, Vlad!
I thought you've asked how to check the signature signed
with x509 certificates, not how to create one. Give me one more
shot, please :)
If you want to sign a message using a private key and put
the public key into <X509Data> then you should do following:
1) create private/public key pair and create x509 certificate
from public key
2) load the private key in XML Security Library as usual
(for example, you can use xmlSecSimpleKeyMngrLoadPrivateKey())
3) load certificates verifying the key and assign it to key
xmlSecSimpleKeyMngrAddCertToKey()
4) put <X509Data> in the digest template
The recent version of XML Sec Library has an "xmlsec" application
(apps/ folder). Take a look at the readPemKey() function. It does
steps 2) and 3) from above.
Let me know if you'll still have any questions.
With best regards,
Aleksey.
BTW, I've created a mailing list for xmlsec library
http://www.aleksey.com/pipermail/xmlsec/2002/thread.html
and I've copied my reply to this list. I would prefer to continue
discussion in this list.
Vlad Vetiul wrote:
>Hi!
>
>I wrote a week ago to you about x509 certificates in xml.
>I used x509 manager's new functions as you suggested, but nothing changed, the <x509Data> tag remained empty in resulting document.
>Since I have neither enough time nor enough skills in cryptography to dig in xmlsec's source, I asked if you can give more detailed example of filling <x509Data>.
>After all, samples with x509 certificates placed in "tests" folder were generated somehow.
>I will be gratefull for source code these samples were produced by.
>
>Or maybe you'll look at this code (modified dsig2) to say what's missing or wrong:
>
>...
>
> /**
> * Create Keys managers
> */
> keyMgr = xmlSecSimpleKeyMngrCreate();
> if(keyMgr == NULL) {
> fprintf(stderr, "Error: failed to create keys manager\n");
> goto done;
> }
>
> /* HMAC */
> key = xmlSecKeyCreate(xmlSecHmacKey, xmlSecKeyOriginDefault);
> if(key == NULL) {
> fprintf(stderr, "Error: failed to create hmac key\n");
> goto done;
> }
> ret = xmlSecHmacKeyGenerate(key, (unsigned char*)"secret", 6);
> if(ret < 0) {
> xmlSecKeyDestroy(key, 1);
> fprintf(stderr, "Error: failed to set hmac key params\n");
> goto done;
> }
>
> ret = xmlSecSimpleKeyMngrAddKey(keyMgr, key);
> if(ret < 0) {
> xmlSecKeyDestroy(key, 1);
> fprintf(stdout, "Error: failed to add hmac key\n");
> goto done;
> }
>
> x509Mngr = xmlSecSimpleX509MngrCreate();
> if(x509Mngr == NULL) {
> fprintf(stderr, "Error: failed to create x509 manager\n");
> return(-1);
> }
>
> ret = xmlSecSimpleX509MngrAddTrustedCert(x509Mngr, "test.cert.pem");
> if(ret < 0)
> {
> fprintf(stdout, "Error: failed to read test.cert.pem");
> goto done;
> }
>
>
> /**
> * load key
> */
> if(xmlSecSimpleKeyMngrLoadPrivateKey(keyMgr, argv[1], NULL, NULL) == NULL) {
> fprintf(stderr, "Error: failed to load key from \"%s\"\n", argv[1]);
> goto done;
> }
>
> /**
> * Create Signature Context
> */
> memset(&keysReadCtx, 0, sizeof(keysReadCtx));
>
> keysReadCtx.allowedOrigins = xmlSecKeyOriginAll;
> keysReadCtx.findKeyCallback = xmlSecSimpleKeyMngrFindKey;
> keysReadCtx.findKeyContext = keyMgr;
> keysReadCtx.x509.context = x509Mngr;
> keysReadCtx.x509.verifyCallback = (xmlSecX509VerifyCallback)xmlSecSimpleX509MngrVerify;
> keysReadCtx.x509.addCRLCallback = (xmlSecX509AddCRLCallback)xmlSecSimpleX509MngrAddCRL;
>
> dsigCtx = xmlDSigCtxCreate(&keysReadCtx);
> if(dsigCtx == NULL) {
> fprintf(stderr,"Error: failed to create dsig context\n");
> goto done;
> }
>
> /*
> * build an XML tree from a the file; we need to add default
> * attributes and resolve all character and entities references
> */
> xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
> xmlSubstituteEntitiesDefault(1);
>
> /**
> * Load doc
> */
> doc = xmlParseFile(argv[2]);
> if (doc == NULL) {
> fprintf(stderr, "Error : unable to parse file \"%s\"\n", argv[2]);
> goto done;
> }
>
> /*
> * Check the document is of the right kind
> */
> if(xmlDocGetRootElement(doc) == NULL) {
> fprintf(stderr,"Error: empty document for file \"%s\"\n", argv[2]);
> goto done;
> }
>
> /**
> * Create Signature node
> */
> signatureNode = xmlDSigSignatureNodeCreate(doc, NULL,
> xmlSecC14NInclusive, NULL,
> xmlSecSignDsaSha1, NULL);
> if(signatureNode == NULL) {
> fprintf(stderr,"Error: failed to create signature\n");
> goto done;
> }
>
> /**
> * Add the signature to the end of the document
> */
> if(xmlAddChild(xmlDocGetRootElement(doc), signatureNode) == NULL) {
> fprintf(stderr,"Error: failed to add Signature\n");
> goto done;
> }
>
> /**
> * Create Reference node
> */
> referenceNode = xmlDSigReferenceNodeCreate(signatureNode,
> "reference-1",
> "#xpointer(id('Data'))",
> NULL,
> xmlSecDigestSha1, NULL);
> if(referenceNode == NULL) {
> fprintf(stderr,"Error: failed to add Reference\n");
> goto done;
> }
>
> /**
> * Add C14N with comments to keep comments in the doc
> */
> cur = xmlDSigTransformNodeCreate(referenceNode,
> xmlSecC14NExclusiveWithComments,
> NULL);
> if(cur == NULL) {
> fprintf(stderr,"Error: failed to add c14n transform\n");
> goto done;
> }
>
>
> /**
> * Add KeyInfo node
> */
> keyInfoNode = xmlDSigKeyInfoNodeCreate(signatureNode, NULL,
> xmlSecKeyOriginX509);
> if(keyInfoNode == NULL) {
> fprintf(stderr,"Error: failed to add KeyInfo\n");
> goto done;
> }
>
> /**
> * Sign It!
> */
> ret = xmlDSigGenerate(dsigCtx, xmlDocGetRootElement(doc), &signature);
> if(ret < 0) {
> fprintf(stderr,"Error: signature failed\n");
> goto done;
> }
>
>...
>
>
>Kind regards.
>
>
>Vlad Vetiul,
>Senior Software Engineer,
>IT Department, National Bank of Moldova
>
More information about the xmlsec
mailing list