[xmlsec] Key management / certificate management

Aleksey Sanin aleksey at aleksey.com
Wed Sep 4 21:01:19 PDT 2002

As you correctly pointed out, the first your problem (limiting allowed 
keys sources
to x509 certs only) could be simply solved by setting "allowedOrigins" 
of  the xmlSecKeysMngr structure.
Regarding your other questions about certs validation, I have to note 
that the included
in XMLSec implementation of xmlSecKeysMngr interface is called "simple" :)
You can extend it or completely overwrite yourself :) You idea about 
using custom
verifyX509 callback is absolutely correct. Probably there is one more 
way (change
the OpenSSL verification callback) but I am not sure that  it is better 
(for example,
because this affects all x509 operations in your application).
There is no function to load trusted certs from something other than 
file or a folder.
Actually, it is a common practice that trusted certs are located in a 
protected folder
and you have read-only access to it (see Apache, Mozilla, IE, and other 
Of course, there are no reasons why you could not load the trusted cert 
from memory
or an XML file. You just need to do some copy/paste :)


Moultrie, Ferrell (ISSAtlanta) wrote:

>  I'd like to control what public keys and/or certs are used or usable
>for verifying data. In particular, I'd like to require that the public
>key be validated by a cert (i.e., that <sig:KeyValue> supplied
>unvalidated keys not be usable,and, I'd like to impose certain
>contraints on any cert used (e.g., validating Issuer, Subject, Usage,
>etc.). While I could search for a KeyValue node before calling
>validation, it seems like there may be a better way to accomplish this
>(below). Additionally, it looks like I could store a new verifyX509
>(xmlSecX509VerifyCallback) pointer in the xmlSecKeysMngr struct and
>intercept the cert verification. Still, since I'm very new to all of
>this, I'm wondering if there's not simpler/better/more direct ways to
>accomplish these types of checks. Any suggestions or pointers would be
>greatly appreciated!
>  It looks like setting the allowedOrigins flag of the xmlSecKeysMngr
>structure to xmlSecKeyOriginX509 may solve my first problem and ensure
>that only keys found in a X509 cert will be usable. Correct?
>  I don't see any such short-cut for validating the X509 cert contents
>other than the verifyX509 override I mentioned earlier. Any other way /
>better option?
>  Finally, it looks like xmlSecSimpleKeysMngrLoadPemCert() method can be
>used to load a trusted root certificate for X509 validation from a file.
>I'd rather not have a seperate file storing this information. Is there
>any way to load a trusted cert from a memory blob or perhaps from a
>second XML document/tree?
>  Ferrell
>Ferrell Moultrie (ferrell at iss.net)
>Software Engineer
>Internet Security Systems, Inc.
>6303 Barfield Road
>Atlanta, Georgia 30328
>Phone:  404-236-2600
>Direct: 404-236-2849
>Fax:    404-236-2632
>Internet Security Systems -- The Power to Protect
>xmlsec mailing list
>xmlsec at aleksey.com

More information about the xmlsec mailing list