[xmlsec] Using certificates for signature verification

Meg Morgan meg at votehere.net
Tue Feb 11 14:01:24 PST 2003

I'll help more if you need it, but look in openssl-xxx/apps/rsa.c and
grep for PEM_write_bio_PrivateKey and that should get you started generating
PEM keys.  Do what they do!  Gotta run ...  Similar situation for DSA keys.

meg morgan

Jesse Pelton wrote:
> I am modifying an existing application that signs and verifies documents to
> use XMLSec. We're currently using Microsoft's .NET implementation, which is
> a colossal pain, partly because most of our code is unmanaged, partly
> because the MS Crypto API is an unpredictable black box.
>
> When we sign a document, we put a key name (a certificate's common name)
> into (surprise) the <KeyName> element. That's the only information regarding
> keys in our document. To verify a signature, we extract the key name from
> the document and map it to a certificate containing the appropriate public
> key. This allows us to exchange signed documents with parties we trust by
> first exchanging standard X509 certificates. Each of us signs with the
> private key we've retained and verifies with the public key we've received
> in a certificate.
>
> I can't find a way to do this with XMLSec's simple key manager, and I'm not
> sure 1) whether I'm missing something, and if not, 2) what would be the best
> way to proceed.
>
> I need an xmlSecKeyPtr to pass to xmlSecDSigValidate(). The simple keys
> manager provides two functions that return key pointers:
> xmlSecSimpleKeysMngrFindKey() and xmlSecSimpleKeysMngrLoadPemKey(). I
> suspect the find function would work for me if I passed a key name, but the
> only way I can find to introduce a named key into the manager is by loading
> a PKCS12 file. The PEM key loader also might work, if I could figure out how
> to produce a PEM key file. Neither xmlsec nor openssl executables provide a
> way to do this that I could find.
>
> I also tried using xmlSecX509DataReadPemCert() together with
> xmlSecX509DataCreateKey(), but the latter call fails because the certificate
> hasn't been verified. It can't be verified unless it's in a store. If I put
> it in a store, I no longer have a way to get it, so I'm back where I
> started.
>
> Is the whole notion of using a certificate's public key to verify a
> signature wrong-headed in some way? (I have to wonder, since there seems to
> be no support provided for it.) If this is a reasonable approach, how can I
> accomplish it?

Meg Morgan                           425/450-2754
meg at votehere.net                   http://www.votehere.net
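
Added example, not part of the original thread and not code from xmlsec or OpenSSL: one way to turn a partner's X509 certificate into a PEM public-key file named after its common name (the value the scheme above stores in <KeyName>), after checking the certificate against a fingerprint confirmed out of band. It uses the current `openssl x509` and `openssl req` commands; the file names, the key directory layout and the subject "Example Signer" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File names, the key directory and the
# sample subject "Example Signer" are assumptions made for illustration.

# SHA-256 fingerprint of a certificate, for comparison with the value the
# partner confirmed out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject common name: the value this scheme stores in <KeyName>.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Import a partner certificate: check the pinned fingerprint, then write the
# public key to <keydir>/<common name>.pem and print that path.
# usage: import_partner_cert cert.pem pinned_fingerprint keydir
import_partner_cert() {
    [ -n "$2" ] && [ "$(cert_fingerprint "$1")" = "$2" ] ||
        { echo "fingerprint mismatch: $1" >&2; return 1; }
    cn=$(cert_common_name "$1")
    # The common name becomes a file name, so refuse path-like values.
    case "$cn" in
        ""|*/*|.*) echo "unusable common name: $cn" >&2; return 1 ;;
    esac
    mkdir -p "$3" || return 1
    openssl x509 -in "$1" -noout -pubkey > "$3/$cn.pem" || return 1
    printf '%s\n' "$3/$cn.pem"
}

# Constructed sample input: a throwaway self-signed certificate and key.
# usage: make_sample_cert dir
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Signer" \
        -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}
```

The fingerprint comparison stands in for the certificate verification step the question runs into: the extracted key is only as trustworthy as the certificate it came from.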
