[xmlsec] Verifying a signature against a PEM certificate, SOLUTION!

Asbjørn Oskal asbjorn.oskal at welldiagnostics.com
Tue Nov 26 03:46:50 PST 2002


I seem to have found a solution to my problem.

I wanted to use an X.509 PEM certificate to validate a signature but I did not
find a straightforward solution to load a public key from a certificate.
I struggled a bit to work this out but it turned out it wasn't so bad after all.
Since I could not load a PEM certificate directly I had to get the (in my case)
RSA public key from the certificate and turn it into an xmlSecKeyPtr.

Here is my function which does that and returns an xmlSecKeyPtr:

#include <stdio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <xmlsec/xmlsec.h>
#include <xmlsec/keys.h>
#include <xmlsec/rsa.h>

static xmlSecKeyPtr ReadPublicKeyFromPemCert(const char* certFile){
 xmlSecKeyPtr retval = NULL;
 FILE* fid = NULL;
 X509* pCert = NULL;
 EVP_PKEY* pPublicKey = NULL;

 // Load certificate from file. This only parses the certificate; it does
 // not verify it against a trusted CA or check its validity period.
 fid = fopen(certFile, "r");
 if(fid == NULL){
  printf("Failed to open %s\n", certFile);
  return NULL;
 }
 pCert = PEM_read_X509(fid, NULL, NULL, NULL);
 fclose(fid);
 if(pCert == NULL){
  printf("Failed to read PEM certificate from %s\n", certFile);
  return NULL;
 }

 // Get the public key from the certificate. X509_get_pubkey returns its own
 // reference to the EVP_PKEY, so the X509 can be released right away.
 pPublicKey = X509_get_pubkey(pCert);
 X509_free(pCert);
 if(pPublicKey == NULL){
  printf("Failed to get public key from cert\n");
  return NULL;
 }

 // I only handle RSA keys. Direct access to the EVP_PKEY fields matches the
 // OpenSSL 0.9.x of the time; later releases make the structure opaque.
 if(pPublicKey->type == EVP_PKEY_RSA){
  retval = xmlSecKeyCreate(xmlSecRsaKey, xmlSecKeyOriginX509);
  if(retval == NULL || xmlSecRsaKeyGenerate(retval, pPublicKey->pkey.rsa) < 0){
   printf("Failed to generate public key from RSA key\n");
   if(retval != NULL){
    xmlSecKeyDestroy(retval);
   }
   EVP_PKEY_free(pPublicKey);
   return NULL;
  }
  // pPublicKey is deliberately not freed on success: the RSA structure it
  // holds was handed to xmlsec above, and freeing the EVP_PKEY could free
  // that RSA as well.
  return retval;
 }

 printf("Unknown public key type in cert\n");
 EVP_PKEY_free(pPublicKey);
 return NULL;
}

I then use this public key together with xmlSecDSigValidate and it seems to work OK.

Please comment if you see something bad about this.

Thanks for all help!
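The post relies on PEM_read_X509 and X509_get_pubkey to do the real work of reaching the RSA key inside the certificate. The following is an added example, not code from the original post or from the xmlsec project, that walks the same path by hand with only the Python standard library: PEM armour to DER, DER to the tbsCertificate, then to subjectPublicKeyInfo, where the algorithm OID decides whether this is an RSA key (the same decision the post makes with EVP_PKEY_RSA) before the modulus and exponent are pulled out of the BIT STRING. The certificate it parses is constructed in-code with a made-up modulus and a dummy signature; SAMPLE_N, SAMPLE_E, build_sample_cert and the other names are this example's own.

```python
"""Added example, not from the original post or xmlsec: PEM -> DER -> SPKI -> (n, e)
using only the standard library. The certificate is constructed below with a
made-up modulus and a dummy signature; nothing here is a real key."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Constructed sample values, labelled as such: NOT a real RSA modulus.
SAMPLE_N = 0xB4E39F217A0C5D6E8F112233445566778899AABBCCDDEEFF010203040506070909
SAMPLE_E = 65537


# ---- minimal DER encoder, used only to build the constructed certificate ----
def der(tag: int, body: bytes) -> bytes:
    """One TLV with a definite-length header (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value: int) -> bytes:
    # (bit_length + 8) // 8 bytes: a leading 0x00 keeps a set high bit positive.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def build_sample_cert(n: int, e: int, key_oid: bytes = RSA_ENCRYPTION_OID) -> bytes:
    """X.509 skeleton: real field order, placeholder names, unverifiable signature."""
    key_alg = der_seq(der(0x06, key_oid), der(0x05, b""))
    rsa_key = der_seq(der_int(n), der_int(e))                  # RSAPublicKey
    spki = der_seq(key_alg, der(0x03, b"\x00" + rsa_key))      # BIT STRING, 0 unused bits
    empty_name = der_seq()
    validity = der_seq(der(0x17, b"021126000000Z"), der(0x17, b"031126000000Z"))
    tbs = der_seq(der(0xA0, der_int(2)),                       # [0] EXPLICIT version v3
                  der_int(1),                                  # serialNumber
                  key_alg, empty_name, validity, empty_name, spki)
    return der_seq(tbs, key_alg, der(0x03, b"\x00" * 9))       # dummy signature

def der_to_pem(der_cert: bytes) -> str:
    b64 = base64.b64encode(der_cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# ---- the part that matters: what PEM_read_X509 / X509_get_pubkey do for the post ----
def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def extract_rsa_public_key(der_cert: bytes) -> tuple[int, int]:
    """Return (modulus, exponent), or raise ValueError for a non-RSA key.
    Like X509_get_pubkey this only parses: it verifies nothing about the cert."""
    tag, cert, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = read_tlv(cert, 0)                       # tbsCertificate
    fields = children(tbs)
    if fields and fields[0][0] == 0xA0:                 # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki = fields[5]
    (_, alg_body), (bits_tag, bits) = children(spki)
    oid_tag, oid = children(alg_body)[0]
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:    # the post's EVP_PKEY_RSA check
        raise ValueError("unknown public key type in cert")
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    (_, n_bytes), (_, e_bytes) = children(children(bits[1:])[0][1])
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

if __name__ == "__main__":
    pem = der_to_pem(build_sample_cert(SAMPLE_N, SAMPLE_E))
    n, e = extract_rsa_public_key(pem_to_der(pem))
    print(f"modulus bits={n.bit_length()} exponent={e}")
```

Passing a different key_oid to build_sample_cert (for example the id-ecPublicKey OID) exercises the rejection path, which is the counterpart of the "Unknown public key type in cert" branch in the post's function. As in the post, nothing here checks the certificate's signature, issuer or validity dates: extracting the key and trusting the certificate are separate steps, and only the first one is shown.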
