[xmlsec] Loading a DER-encoded certificate

Jesse Pelton jsp at PKC.com
Mon Apr 7 10:23:08 PDT 2003

For reasons of backwards compatibility with an existing DSig implementation,
I can't assume that I have X509 data embedded in the signature (I assume
this is where XMLSec gets certificate data from in the scenario you
outlined) that I'm verifying, or that it would be understood if embedded in
a signature that I'm generating.  We exchange certificates with partners
when we establish a relationship, and look up keys by KeyName.

Why do you prefer PEM to DER?  They're simply alternate well-understood
encodings of exactly the same data, aren't they?  I'm not wedded to DER; if
XMLSec provides better support for PEM because you think it's better, my
life might be easier if I use that format.  (Windows seems to have a slight
preference for DER, so I figured I'd make my customers' lives easier by
using that format.  I don't think it's a big deal to use PEM instead.)

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: Monday, April 07, 2003 12:54 PM
To: Jesse Pelton
Cc: 'xmlsec at aleksey.com'
Subject: Re: [xmlsec] Loading a DER-encoded certificate

IMHO, using DER certificates is not as good as using PEM files.

The typical scenario is:
    - signature:
        0) load private key and assign certificates (xmlsec has two ways to do
           this: pkcs12 files and pem files, if you need to load der files then
           you have to write a function by yourself);
        1) prepare template with <dsig:X509Data/> node;
        2) sign the document (this will put all the certificates associated
           with the signature key in the signature)

    - verification:
        0) load "trusted" (root) certificate
        1) verify signature (xmlsec will read and verify certs and extract key
           by itself).
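
Added example, not part of the original messages and not xmlsec code: PEM is the base64 text of the same DER bytes between BEGIN/END lines, so a DER certificate can be re-armored in memory and handed to a loader that accepts only PEM. The function name der_to_pem and the sample bytes are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap DER bytes in PEM armor: base64, 64 characters per line, between
 * BEGIN/END CERTIFICATE lines. Returns a malloc'd string or NULL. */
char *der_to_pem(const unsigned char *der, size_t len)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static const char head[] = "-----BEGIN CERTIFICATE-----\n";
    static const char tail[] = "-----END CERTIFICATE-----\n";
    size_t enc, i, col = 0;
    char *pem, *p;

    /* A DER certificate is an ASN.1 SEQUENCE and so starts with 0x30;
     * this also rejects input that is already PEM text ('-' is 0x2D). */
    if (der == NULL || len < 2 || der[0] != 0x30 || len > (size_t)-1 / 2)
        return NULL;
    enc = 4 * ((len + 2) / 3);              /* base64 length with padding */
    p = pem = malloc(sizeof head + sizeof tail + enc + enc / 64 + 2);
    if (pem == NULL) return NULL;
    memcpy(p, head, sizeof head - 1);
    p += sizeof head - 1;
    for (i = 0; i < len; i += 3) {
        size_t n = len - i;                 /* input bytes left */
        unsigned long v = (unsigned long)der[i] << 16;
        if (n > 1) v |= (unsigned long)der[i + 1] << 8;
        if (n > 2) v |= der[i + 2];
        *p++ = b64[(v >> 18) & 63];
        *p++ = b64[(v >> 12) & 63];
        *p++ = n > 1 ? b64[(v >> 6) & 63] : '=';
        *p++ = n > 2 ? b64[v & 63] : '=';
        /* wrap after 64 characters, except after the final group */
        if ((col += 4) == 64 && i + 3 < len) { *p++ = '\n'; col = 0; }
    }
    *p++ = '\n';
    memcpy(p, tail, sizeof tail);           /* copies the terminating NUL */
    return pem;
}

int main(void)
{
    /* Constructed stand-in for certificate bytes: SEQUENCE { INTEGER 5 }. */
    static const unsigned char sample[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    char *pem = der_to_pem(sample, sizeof sample);
    if (pem != NULL) fputs(pem, stdout);
    free(pem);
    return 0;
}
```

The leading-byte check only screens out input that is obviously not DER; it does not validate the certificate, which remains the job of whatever parses the resulting PEM.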
