[xmlsec] Problem with xmlSecSimpleKeysMngrLoadPemCert

Tue Sep 3 12:56:46 PDT 2002

Ok, let me give some more detail.

The goal is to run an application, providing it with an XML file that is
signed with a DSA private key.  The application should validate the
signature using the DSA public key stored in a separate file on the
local workstation.

The creation and signing of the XML file appears to work fine.  I do not
embed the key in the XML file itself.

The verification application should load the DSA public key into the key
list, then validate the XML document signature with the DSA public key. 

I used xmlSecSimpleKeysMngrLoadPemKey to load the public key, providing
NULL for the keyPwd and keyPwdCallback arguments.  It's not returning
any errors, but I am still not sure if the public key is actually being
loaded into the keylist.  

The basic problem seems to be getting the DSA public key from the PEM
encoded file into an xmlSecKeyPtr structure, which I can provide as a
argument to xmlSecDSigValidate().

Thanks,

-Devin

On Tue, 2002-09-03 at 15:04, Aleksey Sanin wrote:
> I am not sure I clear understand what do you mean by "verify an XML file 
> given
> a specific cert". From you XML file you should point to the given key known
> to application or provide the key in the signature (may be in cert).
> And on the application side you need to have this key available or know 
> how to get
> key from the file. For example, in XML file you can include a full cert 
> and application
> should be able to verify cert and extract key.
> XMLSec library extracts the public key from provided cert automatically 
> but the key
> is *not* included in the keys list. You can point to a cert using issuer 
> serial/name,
> subject, SKI and if such cert was loaded with 
> xmlSecSimpleKeysMngrLoadPemKey()
> it will be found and key extracted.
> 
> Aleksey
> 
> 
> Devin Heitmueller wrote:
> 
> >So, if I wanted to verify an XML file given a specific cert, I should
> >perform an xmlSecSimpleKeysMngrLoadPemKey() with the privateKey flag set
> >to 'public', then perform an xmlSecSimpleKeysMngrAddKey ()?
> >
> >Thanks,
> >
> >Devin
> >
> >On Tue, 2002-09-03 at 14:42, Aleksey Sanin wrote:
> >  
> >
> >>The cert will be saved to the keys file if (and only if) it is 
> >>associated with a key.
> >>xmlSecSimpleKeysMngrLoadPemCert() function has two purposes:
> >>    1) load a "trusted" cert (i.e. root CA cert)
> >>    2) load an "untrusted" cert which could be pointed from XML DSig 
> >><dsig:X509Data>
> >>    element by subject, issuer serial/issuer name or SKI 
> >>(http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
> >>
> >>
> >>Aleksey
> >>
> >>Devin Heitmueller wrote:
> >>
> >>    
> >>
> >>>I am attempting to make use of the xmlSecSimpleKeysMngrLoadPemCert
> >>>facility to load a certificate from a file into the key manager.  The
> >>>call returns with  no errors, but it looks like the cert is never
> >>>actually added to the key manager store.
> >>>
> >>>I wrote some sample code to demonstrate the problem (see attached).  I
> >>>am attempting to add the DSA certificate dsacert.pem that is included
> >>>with the distribution in the "tests/keys" directory.  The sample code
> >>>creates the key manager instance, adds the certificate, then saves the
> >>>key manager contents out to an XML file.
> >>>
> >>>I suspect I am using the function wrong, but any advice that could be
> >>>offered would be greatly appreciated.
> >>>
> >>>Thanks,
> >>>
> >>> 
> >>>
> >>>------------------------------------------------------------------------
> >>>
> >>>-----BEGIN CERTIFICATE-----
> >>>MIIEvTCCBGegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBojELMAkGA1UEBhMCVVMx
> >>>EzARBgNVBAgTCkNhbGlmb3JuaWExJjAkBgNVBAoTHWh0dHA6Ly93d3cuYWxla3Nl
> >>>eS5jb20veG1sc2VjMRowGAYDVQQLExFTZWNvbmQgTGV2ZWwgQ2VydDEWMBQGA1UE
> >>>AxMNQWxla3NleSBTYW5pbjEiMCAGCSqGSIb3DQEJARYTYWxla3NleUBhbGVrc2V5
> >>>LmNvbTAeFw0wMjAzMjkyMjI2NTNaFw0wMzAzMjkyMjI2NTNaMIGkMQswCQYDVQQG
> >>>EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEmMCQGA1UEChMdaHR0cDovL3d3dy5h
> >>>bGVrc2V5LmNvbS94bWxzZWMxHDAaBgNVBAsTE0RTQSBLZXkgQ2VydGlmaWNhdGUx
> >>>FjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xIjAgBgkqhkiG9w0BCQEWE2FsZWtzZXlA
> >>>YWxla3NleS5jb20wggG2MIIBKwYHKoZIzjgEATCCAR4CgYEAimW6KYBPYXAf6itS
> >>>AuYs1aLPfs8/vBEiusv/pl1XMiuMvB7vyiJgSj8/NTkRci/UX/rVXv8rbCRjvYFX
> >>>3x5/53f4hc6HKz7JQI4qqB7Fl5N86zp+BsQxNQ4tzous9S2HTd2/zdTwVsvO+H9l
> >>>3FahmVp/m2IHE4W27JYoF49qP10CFQC//HNaqNG+J6STasxbfCliylP1SwKBgFCM
> >>>s1A5S3urggoBeEYffH4imb4OuFCeBTOS/lmwkjJlbBTdOn08Mct52jzzgs86Ln7B
> >>>7/wb3toL6w73dO/KF1iSX/QOOKSGZyZHYxIZtkbAxaVzatLTymRXI1bHZqoODF+m
> >>>DbsKb2bk8EqAxubtUDDdJph/YJmyE94/ceDDvuxGA4GEAAKBgDp/igSRN6tU0YRv
> >>>UbKTV9NVSOQtFc0suDf0MguGMxBDaKtxiZChyGKvoK6vWalfcYNhnqP95qoXXBDT
> >>>rWEZlhHzmSY9fKLpA+kzXHmEWeB4x4yt1mN8CtjlekDpcvpN38YBEKT/+yJQpGuW
> >>>CAi7h1626o5+W9F3CvS9hg7Vjso7o4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgB
> >>>hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
> >>>FEe1ThoXo+wDwzhsCfW0cuROuISWMIHHBgNVHSMEgb8wgbyAFHjXLZFhL5UiSrvh
> >>>1T3GJq+rl9IEoYGgpIGdMIGaMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
> >>>cm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMSYwJAYDVQQKEx1odHRwOi8vd3d3LmFs
> >>>ZWtzZXkuY29tL3htbHNlYzEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEiMCAGCSqG
> >>>SIb3DQEJARYTYWxla3NleUBhbGVrc2V5LmNvbYIBATANBgkqhkiG9w0BAQQFAANB
> >>>AL2thaC8jmlUvEGLHR1B3+7XJho4sXllkHgclSXJnD/NGssj5XzQHpbLVSfNEEUe
> >>>JKG28F0vyT05hEsXAHAtg9o=
> >>>-----END CERTIFICATE-----
> >>> 
> >>>
> >>>------------------------------------------------------------------------
> >>>
> >>>/*
> >>>* Netilla License Display tool
> >>>* Devin J. Heitmueller Aug 27 2002
> >>>*/
> >>>
> >>>#include <stdio.h>
> >>>#include <string.h>
> >>>#include <stdlib.h>
> >>>
> >>>/*
> >>>* COMPAT using xml-config --cflags to get the include path this will
> >>>* work with both 
> >>>*/
> >>>#include <libxml/xmlmemory.h>
> >>>#include <libxml/parser.h>
> >>>
> >>>/* Required for xmlsec */
> >>>#include <xmlsec/xmlsec.h>
> >>>#include <xmlsec/xmldsig.h> 
> >>>#include <xmlsec/keysmngr.h>
> >>>#include <xmlsec/xmltree.h>
> >>>
> >>>int
> >>>main (int argc, char **argv)
> >>>{
> >>> xmlSecKeyPtr pubkey;
> >>> xmlSecDSigCtxPtr dsigCtx = NULL;
> >>> xmlSecKeysMngrPtr keysMngr = NULL; 
> >>> int load_pub_cert_result = 0;
> >>> int rnd_seed = 0;
> >>>
> >>> /** 
> >>>  * Init OpenSSL
> >>>  */    
> >>> while (RAND_status() != 1) {
> >>>   RAND_seed(&rnd_seed, sizeof(rnd_seed));
> >>> }
> >>> 
> >>> /*
> >>>  * Init libxml
> >>>  */     
> >>> xmlInitParser();
> >>> LIBXML_TEST_VERSION
> >>> 
> >>> /*
> >>>  * Init xmlsec
> >>>  */
> >>> xmlSecInit();    
> >>>
> >>> /** 
> >>>  * Create Keys managers
> >>>  */
> >>> keysMngr = xmlSecSimpleKeysMngrCreate();    
> >>> if(keysMngr == NULL) {
> >>>   fprintf(stderr, "Error: failed to create keys manager\n");
> >>>   return -1;
> >>> }
> >>>
> >>> /** 
> >>>  * Add the test cert to the public key list
> >>>  */
> >>> load_pub_cert_result = xmlSecSimpleKeysMngrLoadPemCert (keysMngr,
> >>>							  "dsacert.pem", 1);
> >>> if (load_pub_cert_result != 0)
> >>>   {
> >>>     fprintf(stderr, "Error: failed load public key\n");
> >>>     return -1;
> >>>   }
> >>>
> >>> /* Write the keys back to a file */
> >>> xmlSecSimpleKeysMngrSave(keysMngr, "test.xml", xmlSecKeyTypeAny);
> >>>
> >>> return 0;
> >>>}
> >>> 
> >>>
> >>>      
> >>>
> 
> 
-- 
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc