[xmlsec] Verifying a signature against a PEM certificate

Moultrie, Ferrell (ISSAtlanta) FMoultrie at iss.net
Mon Nov 25 04:35:57 PST 2002

  More from the OpenSSL doc I quoted earlier:

The ApacheSSL documentation, and the docs for the SSLeay toolkit, refer to certificates and certificate requests as "PEM" files. They are not. ApacheSSL, like all SSL secure servers, uses the (standard) X.509 certificate format. X.509 certificates are binary files, which are difficult to send around by mail. So SSLeay stores them in BASE64 encoded format, between '-----BEGIN-----' and '-----END-----' lines. BASE64 encoding was defined as part of the (old) Privacy Enhanced Mail (PEM) specification, which is why the documentation calls them "PEM format" files.

  To convert my DER binary encoded X509 certs so that xmlSecSimpleKeysMngrLoadPemKey would load them I used:
x509 -inform der -text -in d:old_export.pem -out d:new_export.pem
  (the x509 utility is part of the openssl distribution)

If I understand your question, this should solve your problem.

-----Original Message-----
From: Asbjørn Oskal [mailto:asbjorn.oskal at welldiagnostics.com] 
Sent: Monday, November 25, 2002 7:19 AM
To: xmlsec at aleksey.com
Subject: Re: [xmlsec] Verifying a signature against a PEM certificate


It seems to me from the answers I have gotten that there are no easy ways to
verify XML-signatures against (the public key from) X509 PEM-certificate
The xmlSecSimpleKeysMngrLoadPemKey does not accept loading public keys from
such files.
It does only accept public key files starting with -----BEGIN PUBLIC
So, does any of you know a way of creating such public key files from X509

The question is really, how can one make sure the identity of the signer
without verifying the signature against a public key you know belongs to the
signer. Or is it possible to check who is the owner of the public key
contained in the KeyInfo?
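
Added example (not part of the original messages and not xmlsec code): the DER-to-PEM conversion from the reply above, followed by writing the certificate's public key to a file that starts with -----BEGIN PUBLIC KEY-----, using the openssl command line. The key, the certificate subject and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Key, certificate subject and file names are constructed.
set -eu

# Throwaway RSA key and self-signed certificate, plus a DER copy of the
# certificate standing in for a binary export.
make_sample() {  # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -outform der -out "$1/cert.der"
}

# DER certificate -> PEM certificate (no -text, so only the PEM block is written).
der_to_pem() {  # $1 = DER input, $2 = PEM output
    openssl x509 -inform der -in "$1" -out "$2"
}

# PEM certificate -> SubjectPublicKeyInfo file ("-----BEGIN PUBLIC KEY-----").
cert_to_pubkey() {  # $1 = PEM certificate, $2 = public key output
    openssl x509 -in "$1" -noout -pubkey > "$2"
}

# Succeeds only if the public key file belongs to the given private key.
pubkey_matches_key() {  # $1 = public key PEM, $2 = private key PEM
    [ "$(cat "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    der_to_pem "$dir/cert.der" "$dir/from_der.pem"
    cert_to_pubkey "$dir/from_der.pem" "$dir/pubkey.pem"
    head -n 1 "$dir/from_der.pem"   # armor line of the certificate
    head -n 1 "$dir/pubkey.pem"     # armor line of the extracted public key
    # Who the certificate claims to be, and a fingerprint to compare out of band.
    openssl x509 -in "$dir/from_der.pem" -noout -subject -fingerprint -sha256
    pubkey_matches_key "$dir/pubkey.pem" "$dir/key.pem" && echo "public key matches signer key"
    rm -rf "$dir"
}
demo
```

A public key file extracted this way is only as trustworthy as the certificate it came from, so the certificate has to come from a source you trust or be validated first.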

