[xmlsec] Signing a document with key and cert..

Marius Kjeldahl marius at kjeldahl.net
Mon Nov 18 09:13:21 PST 2002

Aleksey Sanin wrote:
> I would suggest you to take a look at it. xmlsec command line utility is
> the most complete example of all available functionality.

Ok, I just started looking at it, but I'm still struggling. First of all, I 
signed my private key using the aleksey.crt certificate. By using openssl x509 
-text -in privkey-cert.pem I am able to verify that it has been signed correctly 
using the aleksey certificate:

Issuer: C=US, ST=California, L=Sunnyvale, O=http://www.aleksey.com/xmlsec, 
CN=Aleksey Sanin/

Ok, fine. Then I further add a <X509Data> section in my message, and sign it using:

xmlsec sign --privkey privkey.pem,privkey-cert.pem org.xml > test.xml

Looking at the resulting document, I can verify that the X509Data still exists 
and has been filled with certificate data.

However, if I now try to verify the resulting document with:

xmlsec verify --trusted aleksey.crt test.xml

I get the following message:

xmlSecSignedInfoRead (xmldsig.c:1493): error 51: invalid reference :
= Status:
== Signatures ok: 0
== Signatures fail: 1
== SignedInfo Ref ok: 0
== SignedInfo Ref fail: 1
== Manifest Ref ok: 0
== Manifest Ref fail: 0
Error: operation failed

I have attached the resulting test.xml document in this email.

>>> So far I have not been able to find an example on how to use my key 
>>> AND the cert. An old posting from Aleksey mentions using 
>>> "xmlSecSimpleKeyMngrAddCertToKey", but I can find no such function. I 
>>> have also tried loading the key first, then the cert into the same 
>>> keysmngr using SimpleKeysMngrLoadPemKey followed by a 
>>> SimpleKeysMngrLoadPemCert, but I am not sure whether this means that 
>>> the cert will be used when signing (if I try to validate a document 
>>> after loading the key and cert, it will still not be verified with 
>>> the online verifier). I have also tried putting the key and cert into 
>>> the same file and load it with *LoadPemKey, but still no luck.
> In xmlsec 0.0.10 you can do the following:
>    1) load the key and get xmlSecKeyPtr pointer (for example, using
>       xmlSecSimpleKeysMngrLoadPemKey function)
>    2) load cert and add it to key using xmlSecKeyReadPemCert function
>    3) Put <dsig:509Data> element into the <dsig:KeyInfo> to force
>       writing cert into the key
> Instead of steps 1) and 2) you can use xmlSecSimpleKeysMngrLoadPkcs12()
> that loads key and cert(s) from pkcs12 file.

Since I am generating the documents dynamically, I guess I need to add the 
509Data node programmatically. The way I do this is:

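   cur = xmlSecKeyInfoAddKeyValue(keyInfoNode);
   if(cur == NULL) {
     fprintf(stderr,"Error: failed to add KeyValue node\n");
     /* error handling is not shown in the original message */
   }

   /* request an X509Data child of KeyInfo for the certificate */
   cur = xmlSecKeyInfoAddX509Data(keyInfoNode);
   if(cur == NULL) {
     fprintf(stderr,"Error: failed to add X509Data node\n");
   }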

The KeyValue appears in the resulting document, but the X509Data does not. I 
suspect this has something to do with how I read the key and certificate. This 
part of the application is not in C, but in a script language named lua, but it 
should be straightforward to understand:

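    io.write ("-- loading key\n")
    -- load the private key; the third argument is the key password
    keyPtr = xmlSec.SimpleKeysMngrLoadPemKey (keysMngr, "privkey.pem", "")
    if (not keyPtr) then
       error ("ERROR")
    end

    io.write ("-- assigning cert\n")
    -- attach the certificate to the key that was just loaded
    if (not xmlSec.KeyReadPemCert (keyPtr, "privkey-cert.pem")) then
       error ("ERROR")
    end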

I am not sure this is (or should be) enough to generate a signed document, but 
from the output, something is obviously wrong since no 509Data section appears 
in the generated document (differently from the output of trying to do the same 
in xmlsec).

On another note, I've also tried reading the aleksey.key using:

    keyPtr = xmlSec.SimpleKeysMngrLoadPemKey (keysMngr, "aleksey.key", "1234")

and this fails with xmlSec it is not able to read the library. If I use:

openssl rsa -text -in aleksey.key

and input "1234" I get a text dump of the key. I have also verified that the bug 
is not in my lua binding of xmlsec (by outputting the parameters that I send to 
the C function).

Any idea why loadpemkey fails with a password? I'm running everything on Gentoo 
Linux if that matters.

Mvh, Marius Kjeldahl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.xml
Type: text/xml
Size: 2306 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20021118/f9bc81ed/test.xml
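
Added example (not part of the original message and not xmlsec project code): the two facts the message relies on, that privkey-cert.pem carries the public key of privkey.pem and that it chains to the certificate passed to --trusted, can be confirmed with openssl alone before debugging the xmlsec calls. The CA and signer are constructed throwaway fixtures, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: all keys and certificates here are constructed throwaway
# fixtures. File names mirror the thread; function names are hypothetical.
set -eu

# Build a self-signed CA (stand-in for the --trusted certificate) and a
# signer key whose certificate is issued by that CA.
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Signer" \
        -keyout "$dir/privkey.pem" -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/req.pem" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/privkey-cert.pem" 2>/dev/null
}

# True when the certificate ($2) carries the public half of the key ($1).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# True when the certificate ($2) verifies against the trusted CA file ($1).
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_fixture "$work"

if key_matches_cert "$work/privkey.pem" "$work/privkey-cert.pem"; then
    echo "privkey-cert.pem matches privkey.pem"
fi
if chains_to "$work/ca.crt" "$work/privkey-cert.pem"; then
    echo "privkey-cert.pem chains to the trusted CA"
fi
```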
