[xmlsec] Signing a document with key and cert..

Aleksey Sanin aleksey at aleksey.com
Sun Nov 17 16:15:02 PST 2002

Marius Kjeldahl wrote:

> Marius Kjeldahl wrote:
>> I'm trying to create signed xml documents and verify that they are 
>> correctly signed, but I'm having trouble.
>> Using the xmlsec examples,
> Here I really mean the examples on the xmlSec homepage. I have not 
> looked into the xmlsec tool which comes with the xmlsec distribution.

I would suggest you to take a look at it. xmlsec command line utility is 
the most complete example
of all available functionality.

>> I am able to create signed documents, but they all fail when I paste 
>> them into the online verifier (I guess when it works there, I am 
>> ready to try to do the same locally). I understand that any unsigned 
>> key will probably not be verified correctly, so I downloaded the 
>> "fake" root cert and corresponding private key. I further signed my 
>> local private key using the "fake" root cert. 
Why you don't want to try to verify document locally using xmlsec tool?

>> So far I have not been able to find an example on how to use my key 
>> AND the cert. An old posting from Aleksey mentions using 
>> "xmlSecSimpleKeyMngrAddCertToKey, but I can find no such function. I 
>> have also tried loading the key first, then the cert into the same 
>> keysmngr using SimpleKeysMngrLoadPemKey followed by a 
>> SimpleKeysMngrLoadPemCert, but I am not sure whether this means that 
>> the cert will be used when signing (if I try to validate a document 
>> after loading the key and cert, it will still not be verified with 
>> the online verifier). I have also tried putting the key and cert into 
>> the same file and load it with *LoadPemKey, but still no luck.
In xmlsec 0.0.10 you can do following:
    1) load the key and get xmlSecKeyPtr pointer (for example, using 
    2) load cert and add it to key using xmlSecKeyReadPemCert function
    3) Put <dsig:509Data> element into the <dsig:KeyInfo> to force 
writing cert into the key

Instead of steps 1)  and 2) you can use xmlSecSimpleKeysMngrLoadPkcs12() 
that loads key
and cert(s) from pkcs12 file.

>> Does anybody have an example on what needs to be done to create a 
>> signed document that can be verified with the online verifier, or any 
>> hints on what needs to be done?
Follow steps 1)-3) above and use key/cert known to the online verifier 
(see details on the page).
However, I would recommend to try the xmlsec utility. It's much more 
powerfull and you do not
have restriction to use specific keys / certs.


More information about the xmlsec mailing list