[xmlsec] xmlse usage
aleksey at aleksey.com
Sun Dec 22 23:02:57 PST 2002
Please take a look at tests/testDSig.sh script. There are a lot of different examples of xmlsec and XML DSig usage. Also you might find some information by running and 'xmlsec help-sign' :)

Regarding your question about using certs: --pubkey expects a public key in PEM format. Of course, using PEM cert with this option fails. And I am not sure I understand why you need certs in your case. I see 2 different possible cases here:

1) The signature was done using a private key and Alice embeds cert(s) (or pointer to cert) in the signature. XML DSig and xmlsec allow you to do this but this means that you need to specify cert(s) on signature stage. Check <dsig:X509Data /> element description in XML DSig spec for details. Note that certs are used to establish trust "inside" XML DSig process.

2) The signature was done using a private key and Alice sends public key to Bob using some other trusted way (outside XMLDSig). In this case, the input for XMLDSig (and xmlsec) is just a public key. We do not care how we get it and how the trust

I guess, right now you are trying to do 2) and use cert just as a public key. However, from XMLSec point of view, this is "illegal". OpenSSL (and any other crypto
easy ways to get public key from the cert. Just pass it to the xmlsec utility and everything should work :) And of course, you can write your own code to extract key and load in xmlsec library keys manager. But I don't see a need for this in the xmlsec utility.
Wayne Cheng wrote:
>Thanks for your help, I modified xml.txt for the right signature algorithm. Now, the following signing works.
>xmlsec sign --privkey:signed ./signing.key xml.txt >xml.signed
>I wonder if it is possible to use the certificate to verify the signed document. So far, I can use the following format to verify the signed document.
>xmlsec verify --print-signature .cert xml.signed
>If I use the format:
>xmlsec verify --pubkey:signed ./signing.cert xml.signed
>xmlsec verify --print-signature --pubkey:signed ./signing.cert xml.signed
>It will complain about the wrong format.
>--- Aleksey Sanin <aleksey at aleksey.com> wrote:
>>Forgot to say that algorithm and all other signature parameters used by
>>utility are in the templates file. Please read XML Digital Signature
>>spec for details.
>>Aleksey Sanin wrote:
>>>I am not sure I clearly understand what does the "generation algorithm
>>>but assuming that server.key has a private RSA key then you should check that xml.txt template uses RSA-SHA1 signature algorithm. This is the only reason I can think of for the error you have.
>>>BTW, I think it'll be very helpful if you send related files next time :)
>>>Wayne Cheng wrote:
>>>>Thank you so much for your quick response.
>>>>The server.key generation algorithm we used is RSA-sha1. I am not sure where to
>>>>algorithm used for signature for xmlsec utility.
>>>>I tried the new format and it is still not working. Also, I am not sure
>>>>for server is required or not.
>>>>bash-2.05$ xmlsec sign --privkey:server ./server.key xml.txt
>>>>xmlSecKeysMngrGetKey (keys.c:451): error 17: key not found :
>>>>xmlSecSignedInfoRead (xmldsig.c:1385): error 17: key not found :
>>>>xmlSecSignatureRead (xmldsig.c:1124): error 2: xmlsec operation failed :
>>>>ignedInfoRead - -1
>>>>xmlSecDSigGenerate (xmldsig.c:792): error 2: xmlsec operation failed :
>>>>natureRead - -1
>>>>Error: xmlSecDSigGenerate() failed
>>>>Error: operation failed
>>>xmlsec mailing list
>>>xmlsec at aleksey.com
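Aleksey's point above, that --pubkey wants a PEM public key rather than a PEM certificate and that OpenSSL can extract one from the other, worked through as an added example; this is not code from the thread or from the xmlsec project. It assumes the OpenSSL CLI is installed and keeps the `xmlsec verify --pubkey` syntax used in the thread; the key and certificate it generates are constructed demo material.

```shell
#!/bin/sh
# Added example (not from the xmlsec thread). Assumes the OpenSSL CLI; the
# xmlsec call uses the CLI syntax quoted in the thread and is only run on demand.
set -eu

# pem_type FILE: print the PEM label of the first block in FILE
# ("CERTIFICATE", "PUBLIC KEY", ...). Both files are "PEM"; only this
# label tells a certificate apart from the public key --pubkey expects.
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# pubkey_from_cert CERT OUT: write the certificate's SubjectPublicKeyInfo
# as a "BEGIN PUBLIC KEY" PEM file, which is the form --pubkey accepts.
pubkey_from_cert() {
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# verify_with_cert CERT SIGNED: extract the key from CERT and hand it to
# xmlsec. This is Aleksey's case 2: the signature is checked against a key
# you already trust for reasons outside XML DSig; no chain is evaluated.
verify_with_cert() {
  key=$(mktemp)
  pubkey_from_cert "$1" "$key"
  xmlsec verify --pubkey "$key" "$2"
  rm -f "$key"
}

# make_demo_cert DIR: constructed throwaway RSA key + self-signed cert,
# plus the public key extracted from that cert.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo \
    -keyout "$1/signing.key" -out "$1/signing.cert" 2>/dev/null
  pubkey_from_cert "$1/signing.cert" "$1/signing.pub"
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_cert "$d"
  echo "signing.cert is a '$(pem_type "$d/signing.cert")' block: rejected by --pubkey"
  echo "signing.pub  is a '$(pem_type "$d/signing.pub")' block: accepted by --pubkey"
  rm -rf "$d"
fi
```

Run with `demo` as the first argument to see the two PEM labels side by side; `verify_with_cert signing.cert xml.signed` then does what the thread's failing `--pubkey:signed ./signing.cert` command was trying to do.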