[xmlsec] Verifying a signature against a PEM certificate, SOLUTION!

Aleksey Sanin aleksey at aleksey.com
Tue Nov 26 08:14:08 PST 2002 

I think this is bad from security point of view. If you are extracting key
from certificate and using it alone, then you lose "validity" information.
IMHO, if you want to use X509 PKI then you should use certificates
directly instead of hacking them.
In XMLDSig you have several options:

    - add cert to signature 
(<dsig:X509Data><dsig:X509Certificate/><dsig:X509Data>)
    - add pointer to cert to signature (subject, ski, etc. in 
<dsig:X509Data>)
    - add pointer to the cert location to signature (<dsig:RetrievalMethod>)

All these methods are supported by XMLSec and I don't see reasons
for someone to extract key from cert directly.

Aleksey


Asbjørn Oskal wrote:

> Hi!
> I seem to have found a solution to my problem.
>  
> I wanted to use a X509 pem certificate to validate a signature but I 
> did not
> find a straightforward solution to load a public key from a certificate.
> I have struggled a bit to work this out but it turned out wasn't so 
> bad afterall.
> Since I could not load a PEM certificate directly I have to get the 
> (in my case)
> RSA public key from the certificate and turn it into a xmlSecKeyPtr.
>  
> Here is my function which does that and returns an xmlSecKeyPtr:
>  
>  
> static xmlSecKeyPtr ReadPublicKeyFromPemCert(const char* certFile){
>  xmlSecKeyPtr retval = NULL;
>  
>  // Load certificate from file
>  FILE* fid = fopen(certFile, "r");
>  X509* pCert = PEM_read_X509(fid, NULL, NULL, NULL);
>  fclose(fid);
>  
>  // Get the public key from the certificate
>  EVP_PKEY *pPublicKey = X509_get_pubkey(pCert);
>  
>  if(!pPublicKey){
>   printf("Failed to get public key from cert\n");
>  
>   return NULL;
>  }
>  
>  // I only handle RSA keys
>  if(pPublicKey->type == EVP_PKEY_RSA){
>   retval = xmlSecKeyCreate(xmlSecRsaKey, xmlSecKeyOriginX509);
>   if(xmlSecRsaKeyGenerate(retval, pPublicKey->pkey.rsa) < 0){
>    printf("Failed to generate public key from RSA key\n");
>    xmlSecKeyDestroy(retval);
>    EVP_PKEY_free(pPublicKey);
>      
>    return NULL;
>   }
>   EVP_PKEY_free(pPublicKey);
>  
>   return retval;
>  }
>  
>  EVP_PKEY_free(pPublicKey);
>  
>  printf("Unknown public key type in cert");
>  
>  return NULL;
> }
>  
>  
> I then use this public key together with xmlSecDSigValidate and it 
> seems to work Ok.
>  
> Please comment if you see something bad about this.
>  
> Thanks for all help!

More information about the xmlsec mailing list