[xmlsec] XMLsec Command Line Utility and MSCrypto

Edward Shallow ed.shallow at rogers.com
Thu Sep 18 13:06:53 PDT 2003

I think I got the answer I was looking for, but please explain exactly how
(that is with which command line sub-argument) do I identify private and
public (or both) keys when doing for example a sign or an encrpyt.

In other words today with OpenSSL I just say the following on the command

> sign --pkcs12 keys/EdCert.p12 --pwd 1234 .....


> encrypt --pubkey-pem keys/EdPub.pem --session-key des-192 ...

What do I say when referring to these keys in the MS world ? Are there
subtle command line syntax differences ? Lastly, when using our
XMLSec-enabled application in a real MS Crypto Store world there will be no
pkcs12s lying around.



-----Original Message-----
From: xmlsec-admin at aleksey.com [mailto:xmlsec-admin at aleksey.com] On Behalf
Of Wouter
Sent: September 18, 2003 2:37 PM
To: 'Aleksey Sanin'; 'Edward Shallow'
Cc: xmlsec at aleksey.com


Aleksey is right here. Currently the key or certificate can be loaded by
giving it's keyname. However there are a few angles here (when I use
certificate, I mean actually certificate *with* public/private keypair,
since the certificate is the identifier for the keys with MS):

If more then 1 certificate is available in your certificate store with the
same name (I think it's even quite a big change that will happen), only the
first found will be loaded.
If you look for a certificate that does not reside in your personal local
default store, it will not be found.

I think there is a need to load the keys with other parameters as well,
possibly with a (limited?) support from the command line. I think for
example that the NSS Keys database also can benefit with a more generic
interface in the loading of keys (for example using another then default key
db)? I was thinking about a more generic approach here where some kind of
'search parameter(s)' can be set for finding keys (and possible
certificates) (setKeySearchParameter(enum searchType, *value)). The type of
search parameters supported by a keys manager can be different for each keys

This story is a bit vague probably, and interferes perhaps with the keyinfo
context, but I had no clear idea yet, how this can fit in the xmlsec

Another (a bit related) thing I ran into is the lack of support for loading
keys from memory. I know OpenSSL crypto implementation supports this
feature, but it isn't propagated in the generic interface. Are there plans
into this direction?


> -----Original Message-----
> From: xmlsec-admin at aleksey.com
> [mailto:xmlsec-admin at aleksey.com] On Behalf Of Aleksey Sanin
> Sent: Thursday, September 18, 2003 21:12
> To: Edward Shallow
> Cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] XMLsec Command Line Utility and MSCrypto
> I am not sure I clear understand what do you want to do. The 
> "--pkcs12", "--privkey", etc.
> just load the key from a file and put it into the keys manager. The 
> key then could be refered to by name from xml files. If I understand 
> the MSCrypto implementation correctly, you should be able to refer to 
> the exsiting key in MS Crypto store by name w/o any special "loading"
> because default keys manager for MSCrypto does look for key in MS 
> Crypto store.
> Wouter?
> Aleksey
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec

xmlsec mailing list
xmlsec at aleksey.com

More information about the xmlsec mailing list