[xmlsec] Problem with xmlSecSimpleKeysMngrLoadPemCert
Aleksey Sanin
aleksey at aleksey.com
Tue Sep 3 13:51:11 PDT 2002
All we are humans and all we make errors :) Have fun :)
Aleksey
Devin Heitmueller wrote:
>Never mind. I figured out the problem. I used the wrong private key
>when I signed the XML file, and spent an hour trying to figure out why
>it wouldn't validate.
>
>Ok, I'm stupid.
>
>-Devin
>
>On Tue, 2002-09-03 at 15:56, Devin Heitmueller wrote:
>
>
>>Ok, let me give some more detail.
>>
>>The goal is to run an application, providing it with an XML file that is
>>signed with a DSA private key. The application should validate the
>>signature using the DSA public key stored in a separate file on the
>>local workstation.
>>
>>The creation and signing of the XML file appears to work fine. I do not
>>embed the key in the XML file itself.
>>
>>The verification application should load the DSA public key into the key
>>list, then validate the XML document signature with the DSA public key.
>>
>>I used xmlSecSimpleKeysMngrLoadPemKey to load the public key, providing
>>NULL for the keyPwd and keyPwdCallback arguments. It's not returning
>>any errors, but I am still not sure if the public key is actually being
>>loaded into the keylist.
>>
>>The basic problem seems to be getting the DSA public key from the PEM
>>encoded file into an xmlSecKeyPtr structure, which I can provide as a
>>argument to xmlSecDSigValidate().
>>
>>Thanks,
>>
>>-Devin
>>
>>On Tue, 2002-09-03 at 15:04, Aleksey Sanin wrote:
>>
>>
>>>I am not sure I clear understand what do you mean by "verify an XML file
>>>given
>>>a specific cert". From you XML file you should point to the given key known
>>>to application or provide the key in the signature (may be in cert).
>>>And on the application side you need to have this key available or know
>>>how to get
>>>key from the file. For example, in XML file you can include a full cert
>>>and application
>>>should be able to verify cert and extract key.
>>>XMLSec library extracts the public key from provided cert automatically
>>>but the key
>>>is *not* included in the keys list. You can point to a cert using issuer
>>>serial/name,
>>>subject, SKI and if such cert was loaded with
>>>xmlSecSimpleKeysMngrLoadPemKey()
>>>it will be found and key extracted.
>>>
>>>Aleksey
>>>
>>>
>>>Devin Heitmueller wrote:
>>>
>>>
>>>
>>>>So, if I wanted to verify an XML file given a specific cert, I should
>>>>perform an xmlSecSimpleKeysMngrLoadPemKey() with the privateKey flag set
>>>>to 'public', then perform an xmlSecSimpleKeysMngrAddKey ()?
>>>>
>>>>Thanks,
>>>>
>>>>Devin
>>>>
>>>>On Tue, 2002-09-03 at 14:42, Aleksey Sanin wrote:
>>>>
>>>>
>>>>
>>>>
>>>>>The cert will be saved to the keys file if (and only if) it is
>>>>>associated with a key.
>>>>>xmlSecSimpleKeysMngrLoadPemCert() function has two purposes:
>>>>> 1) load a "trusted" cert (i.e. root CA cert)
>>>>> 2) load an "untrusted" cert which could be pointed from XML DSig
>>>>><dsig:X509Data>
>>>>> element by subject, issuer serial/issuer name or SKI
>>>>>(http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
>>>>>
>>>>>
>>>>>Aleksey
>>>>>
>>>>>Devin Heitmueller wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>I am attempting to make use of the xmlSecSimpleKeysMngrLoadPemCert
>>>>>>facility to load a certificate from a file into the key manager. The
>>>>>>call returns with no errors, but it looks like the cert is never
>>>>>>actually added to the key manager store.
>>>>>>
>>>>>>I wrote some sample code to demonstrate the problem (see attached). I
>>>>>>am attempting to add the DSA certificate dsacert.pem that is included
>>>>>>with the distribution in the "tests/keys" directory. The sample code
>>>>>>creates the key manager instance, adds the certificate, then saves the
>>>>>>key manager contents out to an XML file.
>>>>>>
>>>>>>I suspect I am using the function wrong, but any advice that could be
>>>>>>offered would be greatly appreciated.
>>>>>>
>>>>>>Thanks,
>>>>>>
>>>>>>
>>>>>>
>>>>>>------------------------------------------------------------------------
>>>>>>
>>>>>>-----BEGIN CERTIFICATE-----
>>>>>>MIIEvTCCBGegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBojELMAkGA1UEBhMCVVMx
>>>>>>EzARBgNVBAgTCkNhbGlmb3JuaWExJjAkBgNVBAoTHWh0dHA6Ly93d3cuYWxla3Nl
>>>>>>eS5jb20veG1sc2VjMRowGAYDVQQLExFTZWNvbmQgTGV2ZWwgQ2VydDEWMBQGA1UE
>>>>>>AxMNQWxla3NleSBTYW5pbjEiMCAGCSqGSIb3DQEJARYTYWxla3NleUBhbGVrc2V5
>>>>>>LmNvbTAeFw0wMjAzMjkyMjI2NTNaFw0wMzAzMjkyMjI2NTNaMIGkMQswCQYDVQQG
>>>>>>EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEmMCQGA1UEChMdaHR0cDovL3d3dy5h
>>>>>>bGVrc2V5LmNvbS94bWxzZWMxHDAaBgNVBAsTE0RTQSBLZXkgQ2VydGlmaWNhdGUx
>>>>>>FjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xIjAgBgkqhkiG9w0BCQEWE2FsZWtzZXlA
>>>>>>YWxla3NleS5jb20wggG2MIIBKwYHKoZIzjgEATCCAR4CgYEAimW6KYBPYXAf6itS
>>>>>>AuYs1aLPfs8/vBEiusv/pl1XMiuMvB7vyiJgSj8/NTkRci/UX/rVXv8rbCRjvYFX
>>>>>>3x5/53f4hc6HKz7JQI4qqB7Fl5N86zp+BsQxNQ4tzous9S2HTd2/zdTwVsvO+H9l
>>>>>>3FahmVp/m2IHE4W27JYoF49qP10CFQC//HNaqNG+J6STasxbfCliylP1SwKBgFCM
>>>>>>s1A5S3urggoBeEYffH4imb4OuFCeBTOS/lmwkjJlbBTdOn08Mct52jzzgs86Ln7B
>>>>>>7/wb3toL6w73dO/KF1iSX/QOOKSGZyZHYxIZtkbAxaVzatLTymRXI1bHZqoODF+m
>>>>>>DbsKb2bk8EqAxubtUDDdJph/YJmyE94/ceDDvuxGA4GEAAKBgDp/igSRN6tU0YRv
>>>>>>UbKTV9NVSOQtFc0suDf0MguGMxBDaKtxiZChyGKvoK6vWalfcYNhnqP95qoXXBDT
>>>>>>rWEZlhHzmSY9fKLpA+kzXHmEWeB4x4yt1mN8CtjlekDpcvpN38YBEKT/+yJQpGuW
>>>>>>CAi7h1626o5+W9F3CvS9hg7Vjso7o4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgB
>>>>>>hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
>>>>>>FEe1ThoXo+wDwzhsCfW0cuROuISWMIHHBgNVHSMEgb8wgbyAFHjXLZFhL5UiSrvh
>>>>>>1T3GJq+rl9IEoYGgpIGdMIGaMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
>>>>>>cm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMSYwJAYDVQQKEx1odHRwOi8vd3d3LmFs
>>>>>>ZWtzZXkuY29tL3htbHNlYzEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEiMCAGCSqG
>>>>>>SIb3DQEJARYTYWxla3NleUBhbGVrc2V5LmNvbYIBATANBgkqhkiG9w0BAQQFAANB
>>>>>>AL2thaC8jmlUvEGLHR1B3+7XJho4sXllkHgclSXJnD/NGssj5XzQHpbLVSfNEEUe
>>>>>>JKG28F0vyT05hEsXAHAtg9o=
>>>>>>-----END CERTIFICATE-----
>>>>>>
>>>>>>
>>>>>>------------------------------------------------------------------------
>>>>>>
>>>>>>/*
>>>>>>* Netilla License Display tool
>>>>>>* Devin J. Heitmueller Aug 27 2002
>>>>>>*/
>>>>>>
>>>>>>#include <stdio.h>
>>>>>>#include <string.h>
>>>>>>#include <stdlib.h>
>>>>>>
>>>>>>/*
>>>>>>* COMPAT using xml-config --cflags to get the include path this will
>>>>>>* work with both
>>>>>>*/
>>>>>>#include <libxml/xmlmemory.h>
>>>>>>#include <libxml/parser.h>
>>>>>>
>>>>>>/* Required for xmlsec */
>>>>>>#include <xmlsec/xmlsec.h>
>>>>>>#include <xmlsec/xmldsig.h>
>>>>>>#include <xmlsec/keysmngr.h>
>>>>>>#include <xmlsec/xmltree.h>
>>>>>>
>>>>>>int
>>>>>>main (int argc, char **argv)
>>>>>>{
>>>>>>xmlSecKeyPtr pubkey;
>>>>>>xmlSecDSigCtxPtr dsigCtx = NULL;
>>>>>>xmlSecKeysMngrPtr keysMngr = NULL;
>>>>>>int load_pub_cert_result = 0;
>>>>>>int rnd_seed = 0;
>>>>>>
>>>>>>/**
>>>>>> * Init OpenSSL
>>>>>> */
>>>>>>while (RAND_status() != 1) {
>>>>>> RAND_seed(&rnd_seed, sizeof(rnd_seed));
>>>>>>}
>>>>>>
>>>>>>/*
>>>>>> * Init libxml
>>>>>> */
>>>>>>xmlInitParser();
>>>>>>LIBXML_TEST_VERSION
>>>>>>
>>>>>>/*
>>>>>> * Init xmlsec
>>>>>> */
>>>>>>xmlSecInit();
>>>>>>
>>>>>>/**
>>>>>> * Create Keys managers
>>>>>> */
>>>>>>keysMngr = xmlSecSimpleKeysMngrCreate();
>>>>>>if(keysMngr == NULL) {
>>>>>> fprintf(stderr, "Error: failed to create keys manager\n");
>>>>>> return -1;
>>>>>>}
>>>>>>
>>>>>>/**
>>>>>> * Add the test cert to the public key list
>>>>>> */
>>>>>>load_pub_cert_result = xmlSecSimpleKeysMngrLoadPemCert (keysMngr,
>>>>>> "dsacert.pem", 1);
>>>>>>if (load_pub_cert_result != 0)
>>>>>> {
>>>>>> fprintf(stderr, "Error: failed load public key\n");
>>>>>> return -1;
>>>>>> }
>>>>>>
>>>>>>/* Write the keys back to a file */
>>>>>>xmlSecSimpleKeysMngrSave(keysMngr, "test.xml", xmlSecKeyTypeAny);
>>>>>>
>>>>>>return 0;
>>>>>>}
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
>>>
>>--
>>Devin Heitmueller
>>Senior Software Engineer
>>Netilla Networks Inc
>>
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec at aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
More information about the xmlsec
mailing list