[xmlsec] XMLsec Command Line Utility and MSCrypto
aleksey at aleksey.com
Thu Sep 18 13:24:02 PDT 2003
I can explain what happens in general. Suppose there is a command line
sign --pkcs12:test-key keys/EdCert.p12 --pwd 1234 something.tmpl
Then the following happens:
1) xmlsec loads key and certificate from keys/EdCert.p12 and puts this key
in default crypto keys manager with "test-key" name.
2) When xmlsec singns the something.tmpl and finds out that it needs a
key with a name "test-key", it requests keys manager to find such key
(internaly, the request is represented in xmlSecKeyReq object).
3) Keys manager does the search and finds the key we loaded on step 1).
4) xmlsec uses returned key for signature.
Note that on step 1) we used words "default crypto keys manager". This
- different crypto engines may have *different* default keys managers
(for example, OpenSSL uses plain stupid list of keys; NSS uses the same
plain list of keys and NSS key db; MSCrypto uses the same plain list of
and MS Crypto store)
- xmlsec command line utility uses "default" keys manager but application
might replace it with whatever is needed (for example, one might have
and/or certificates in a database)
Currently, xmlsec utility does not have an option that says "load key
and use *this*
key for signature or encryption". The key selection is done inderectly
thru keys manager
(i.e. signature/encryption template should have a key name that
references to a key
in keys manager). But you can do it in your application (if needed) by
siganture/encryption key in signature/encryption context. Also today you
can use the
"--session-key" option if you want to sign/encrypt something with
session key (specific
for this xml file). But the session key by itself would be encrypted
with an indirectly
selected key from keys manager. Again, in the application you can select
from your application directly (if you want).
Hope this make things a little bit more clear :)
More information about the xmlsec