[xmlsec] xmlsec usage

Aleksey Sanin aleksey at aleksey.com
Sun Dec 22 23:02:57 PST 2002

Please take a look at the tests/testDSig.sh script. There are a lot of different examples of xmlsec and XML DSig usage. Also you might find some information by running 'xmlsec help-verify' and 'xmlsec help-sign' :)

Regarding your question about using certs: --pubkey expects a public key in PEM format. Of course, using a PEM cert with this option fails. And I am not sure I understand why you need certs in your case. I see 2 different possible cases here:

    1) The signature was done using a private key and Alice embeds cert(s) (or a pointer to a cert) in the signature. XML DSig and xmlsec allow you to do this, but this means that you need to specify the cert(s) at the signature stage. Check the <dsig:X509Data /> element description in the XML DSig spec for details. Note that certs are used to establish trust "inside" the XML DSig process.

    2) The signature was done using a private key and Alice sends the public key to Bob in some other trusted way (outside XMLDSig). In this case, the input for XMLDSig (and xmlsec) is just a public key. We do not care how we get it and how the trust was established.

I guess right now you are trying to do 2) and use the cert just as a public key. However, from the XMLSec point of view, this is "illegal". OpenSSL (and any other crypto toolkit) provides easy ways to get the public key from the cert. Just pass it to the xmlsec utility and everything should work :) And of course, you can write your own code to extract the key and load it in the xmlsec library keys manager. But I don't see a need for this in the xmlsec utility.


Wayne Cheng wrote:

>Hi Aleksey,
>Thanks for your help, I modified xml.txt for the right signature algorithm. Now, the following signing works.
>xmlsec sign  --privkey:signed ./signing.key xml.txt >xml.signed
>I wonder if it is possible to use the certificate to verify the signed document. So far, I can use the following format to verify the signed document.
>xmlsec verify --print-signature .cert xml.signed
>If I use the format:
>xmlsec verify --pubkey:signed ./signing.cert xml.signed
>xmlsec verify --print-signature  --pubkey:signed ./signing.cert xml.signed
>It will complain about the wrong format.
>--- Aleksey Sanin <aleksey at aleksey.com> wrote:
>>Forgot to say that the algorithm and all other signature parameters used by the utility are in the templates file. Please read the XML Digital Signature spec for details.
>>Aleksey Sanin wrote:
>>>I am not sure I clearly understand what the "generation algorithm RSA-SHA1" means, but assuming that server.key has a private RSA key then you should check that the xml.txt template uses the RSA-SHA1 signature algorithm. This is the only reason I can think of for the error you have.
>>>BTW, I think it'll be very helpful if you send related files next time :)
>>>Wayne Cheng wrote:
>>>>Thank you so much for your quick response.
>>>>The server.key generation algorithm we used is RSA-sha1. I am not sure where to algorithm used for signature for xmlsec utility.
>>>>I tried the new format and it is still not working. Also, I am not sure if rename for server is required or not.
>>>>bash-2.05$ xmlsec sign --privkey:server ./server.key xml.txt
>>>>xmlSecKeysMngrGetKey (keys.c:451): error 17: key not found :
>>>>xmlSecSignedInfoRead (xmldsig.c:1385): error 17: key not found :
>>>>xmlSecSignatureRead (xmldsig.c:1124): error 2: xmlsec operation failed :
>>>>ignedInfoRead - -1
>>>>xmlSecDSigGenerate (xmldsig.c:792): error 2: xmlsec operation failed :
>>>>natureRead - -1
>>>>Error: xmlSecDSigGenerate() failed
>>>>Error: operation failed
>>>xmlsec mailing list
>>>xmlsec at aleksey.com
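Aleksey's case 2 above, carried through in a script: derive the PEM public key from the certificate with OpenSSL and hand that to the utility, instead of the certificate itself. This is an added example, not code from this thread or from the xmlsec project. It assumes the OpenSSL command line tools and the utility syntax used in the thread (`xmlsec verify --pubkey:<name> <keyfile> <signed.xml>`); the function names and the fingerprint pinning step are the example's own. Because xmlsec only ever sees a bare key in this mode, deciding that the certificate really is Alice's is left to you, so the script pins a SHA-256 fingerprint obtained out of band before it verifies anything.

```shell
#!/bin/sh
# Added example (not from the xmlsec project or this thread): turn a PEM
# certificate into the PEM public key that `xmlsec verify --pubkey` expects,
# and pin the certificate's fingerprint so the trust decision XML DSig does
# not make for you in this mode is made explicitly before verifying.
# Assumes the OpenSSL CLI and the `xmlsec` utility syntax from the thread.

# extract_pubkey CERT OUT: write the certificate's public key (PEM) to OUT.
# Returns non-zero if openssl fails or the output is not a usable public key.
extract_pubkey() {
    cert="$1"; out="$2"
    openssl x509 -in "$cert" -pubkey -noout > "$out" || return 1
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$out" || return 1
    # Confirm the result parses as a public key, not merely looks like one.
    openssl pkey -pubin -in "$out" -noout >/dev/null 2>&1
}

# cert_fingerprint CERT: print the SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_fingerprint CERT EXPECTED: succeed only if CERT matches the pinned
# fingerprint that was exchanged outside XML DSig (case 2 in the reply).
check_fingerprint() {
    actual=$(cert_fingerprint "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_with_cert CERT SIGNED_XML [EXPECTED_FP]: the full flow. Optionally
# pins the cert, derives the public key from it, then calls xmlsec with the
# key file rather than the certificate.
verify_with_cert() {
    cert="$1"; signed="$2"; expected="${3:-}"
    if [ -n "$expected" ]; then
        check_fingerprint "$cert" "$expected" || {
            echo "certificate fingerprint mismatch; refusing to verify" >&2
            return 1
        }
    fi
    pub=$(mktemp) || return 1
    extract_pubkey "$cert" "$pub" || { rm -f "$pub"; return 1; }
    # Same utility syntax as in the thread; only the key material changes.
    if xmlsec verify --pubkey:signed "$pub" "$signed"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$pub"
    return $rc
}

# Usage: sh verify-with-cert.sh signing.cert xml.signed [sha256-fingerprint]
if [ "$#" -ge 2 ]; then
    verify_with_cert "$@"
fi
```

The extraction step is the whole of Aleksey's suggestion; the pinning step is what replaces the trust that embedding the certificate in <dsig:X509Data /> would otherwise have given you inside the XML DSig process.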
