[xmlsec] Loading a DER-encoded certificate

Aleksey Sanin aleksey at aleksey.com
Mon Apr 7 09:54:28 PDT 2003

Jesse Pelton wrote:

>Shucks. It seemed like such a good fit. What's xmlSecKeyReadBinaryFile()
>intended for? Is it specific to DES keys?
Yes. DES, AES, HMAC, etc.

>Before I clone a bunch of code, would xmlSecKeyDataBinRead() (which requires
>me to read the file off disk myself) be a better fit?
Well, I am not sure I have any other option for you. IMHO, using DER 
is not as good as using PEM files.

>Maybe I'm completely wrong-headed about this.  What I want to do is verfiy
>signatures using public keys from certificates.  I also want to be able to
>inspect certificate contents (issuer, serial number, etc).  I think this
>means that I need to load the keys into a keys manager (and give them names
>so they can be located by the signature code).  Is there a better approach?
Well, it depends on what you actually want to do. The typical scenarion is:
    - signature:
        0) load private key and assign certificates (xmlsec has two ways 
to do this: pkcs12 files
       and pem files, if you need to load der files then you have to 
write a function by yourself);
        1) prepare template with <dsig:X509Data/> node;
        2) sign the document (this will put all the certificates 
associated with the signature key in the signature)

    - verification:
       0) load "trusted" (root) certificate
       1) verify signature (xmlsec will read and verify certs and 
extract key by itself).


More information about the xmlsec mailing list