[xmlsec] XMLsec Command Line Utility and MSCrypto

Aleksey Sanin aleksey at aleksey.com
Thu Sep 18 13:24:02 PDT 2003

I can explain what happens in general. Suppose there is a command line 
like this:
    sign --pkcs12:test-key keys/EdCert.p12 --pwd 1234 something.tmpl

Then the following happens:

1) xmlsec loads key and certificate from keys/EdCert.p12 and puts this key
in default crypto keys manager with "test-key" name.
2) When xmlsec singns the something.tmpl and finds out that it needs a 
key with a name "test-key", it requests keys manager to find such key
(internaly, the request is represented in xmlSecKeyReq object).
3) Keys manager does the search and finds the key we loaded on step 1).
4) xmlsec uses returned key for signature.

Note that on step 1) we used words "default crypto keys manager". This 
means that
 - different crypto engines may have *different* default keys managers
 (for example, OpenSSL uses plain stupid list of keys; NSS uses the same
 plain list of keys and NSS key db; MSCrypto uses the same plain list of 
 and MS Crypto store)
 - xmlsec command line utility uses "default" keys manager but application
 might replace it with whatever is needed (for example, one might have 
all keys
 and/or certificates in a database)

Currently, xmlsec utility does not have an option that says "load key 
and use *this*
key for signature or encryption". The key selection is done inderectly 
thru keys manager
(i.e. signature/encryption template should have a key name that 
references to a key
in keys manager). But you can do it in your application (if needed) by 
setting desired
siganture/encryption key in signature/encryption context. Also today you 
can use the
"--session-key" option if you want to sign/encrypt something with 
session key (specific
for this xml file). But the session key by itself would be encrypted 
with an indirectly
selected key from keys manager. Again, in the application you can select 
second key
from your application directly (if you want).

Hope this make things a little bit more clear :)


More information about the xmlsec mailing list