[xmlsec] Verifying a signature against a PEM certificate
Moultrie, Ferrell (ISSAtlanta)
FMoultrie at iss.net
Thu Nov 21 05:33:29 PST 2002
The keys manager does like/take the certs in the format you described. In fact, it requires them in that format rather than the binary format. OpenSSL is quite picky about this, as the following snippet from some OpenSSL FAQ shows. I don't recall exactly where I clipped this from, but I saved it since it's a useful explanation.
Error: "no start line:pem_lib.c" or "no end line:pem_lib.c".
Apache-SSL uses a toolkit called OpenSSL (formerly SSLeay), by Eric Young, for its security routines. OpenSSL is very fussy about the format of certificate requests and certificates. In particular, the BEGIN and END lines must look like:
-----BEGIN CERTIFICATE-----
this is your certificate
in BASE64 encoding
for easy transport
-----END CERTIFICATE-----
Note, there are 5 dashes before and after the BEGIN and END text, and they must form the first and last lines of the certificate (as above). Be careful when you cut and paste the certificate from the browser window into a text editor to create the certificate text file. Make sure you remove any trailing spaces, before and after the BEGIN or END lines, or you will see this error. On UNIX, you may also need to get rid of CTRL-M characters.
From: Asbjørn Oskal [mailto:asbjorn.oskal at welldiagnostics.com]
Sent: Thursday, November 21, 2002 5:15 AM
To: xmlsec at aleksey.com
Subject: [xmlsec] Verifying a signature against a PEM certificate
As I understand it, there are two ways to verify a signature against public keys not included in the signature itself.
Either load the public key and send it as a parameter to the xmlSecDSigValidate function, or add the public key to the key manager and use the xmlSecKeyOriginKeyManager flag so that the key manager is searched for a key to use when verifying.
I have tried both but have not broken through.
I could not find a way to load a usable (public) xmlSecKey.
I tried to use xmlSecKeyReadPemCert and it read the file, but then the keydata in the xmlSecKeyPtr was NULL and the key was rejected when I tried to use it.
I then tried to use xmlSecSimpleKeysMngrLoadPemKey, but it does not accept PEM files starting with
"-----BEGIN CERTIFICATE-----", which my certificate does.
As I understand it, it is the PEM_read_PUBKEY OpenSSL function that rejects the file.
Do external certificates have to be in this format, or are there other ways to load public keys from PEM certificate files starting with "-----BEGIN CERTIFICATE-----"?
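To make the FAQ's formatting rules from the reply above concrete, here is an added Python checker (my own example, not code from this thread, from xmlsec or from OpenSSL) that reports the defects behind OpenSSL's "no start line" / "no end line" errors (missing BEGIN/END lines, trailing spaces, CTRL-M characters, non-base64 body) and extracts the BEGIN label, which is what decides whether a file is a certificate or a bare public key. The sample PEM blobs are constructed and carry dummy base64 text, not a real certificate.

```python
import base64
import binascii
import re

# Constructed sample (not from the thread): the body is base64 of the FAQ's filler text,
# not a real certificate.
GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "dGhpcyBpcyB5b3VyIGNlcnRpZmljYXRl\n"
    "aW4gQkFTRTY0IGVuY29kaW5n\n"
    "-----END CERTIFICATE-----\n"
)
# The same blob as it typically arrives after a cut-and-paste from a browser on Windows:
# a trailing space after the BEGIN line and CRLF (CTRL-M) line endings.
BAD_PEM = GOOD_PEM.replace("-----BEGIN CERTIFICATE-----",
                           "-----BEGIN CERTIFICATE----- ").replace("\n", "\r\n")

HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
FOOTER = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_pem(text):
    """Return a list of problems that make OpenSSL's PEM reader reject the blob;
    an empty list means it is in the strict form the FAQ describes."""
    problems = []
    if "\r" in text:
        problems.append("CTRL-M (carriage return) characters present")
        text = text.replace("\r", "")          # keep checking the rest of the structure
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                            # a single final newline is fine
    if not lines:
        return ["empty input"]
    for n, line in enumerate(lines, 1):
        if line != line.strip():
            problems.append("leading or trailing whitespace on line %d" % n)
    lines = [line.strip() for line in lines]
    m_begin, m_end = HEADER.match(lines[0]), FOOTER.match(lines[-1])
    if not m_begin:
        problems.append("first line is not a -----BEGIN ...----- line (no start line)")
    if not m_end:
        problems.append("last line is not a -----END ...----- line (no end line)")
    if m_begin and m_end and m_begin.group(1) != m_end.group(1):
        problems.append("BEGIN and END labels differ")
    body = "".join(lines[1:-1]) if len(lines) >= 2 else ""
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        problems.append("body is not valid base64")
    return problems


def pem_label(text):
    """Return the BEGIN label ('CERTIFICATE', 'PUBLIC KEY', ...) or None; this label is
    what the different OpenSSL PEM_read_* functions key on."""
    m = HEADER.match(text.lstrip().split("\n", 1)[0].strip())
    return m.group(1) if m else None
```

A file labelled CERTIFICATE is an X.509 certificate, not the bare SubjectPublicKeyInfo that a PUBLIC KEY label denotes, so the label tells you which reader can accept it.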