[xmlsec] how does one actually use the xmlsec1 command utility

Jon Bendtsen bendtsen at diku.dk
Tue Aug 24 07:17:28 PDT 2004


I have some trouble getting xmlsec1 to work. It compiles fine (tried fink package with openssl, and linux debian sarge with nss).

In both cases the manpage says
	       xmlsec1 - manual page for xmlsec1 1.2.5 (openssl)

The man page gives the impression that EVERY option can be used with every command, but xmlsec1 complains,
	"Error: parameter "--binary-data" is not supported or the requested feature might have been disabled during compilation.
	Error: invalid parameters"
and I couldn't find any parameters to --configure to enable binary data.


I have 2 different certificates I try with. They are in various formats, which I have translated with openssl, and one created with openssl for use with openvpn, where it works fine.
The other certificate came as a .pkcs12 file, and is from the official Danish certificate authority.
I translated that to other formats with:
	openssl pkcs12 -in TDCDigitalSignatur.pkcs12 -out TDCDigitalSignatur.pem -des3
	openssl pkcs12 -in TDCDigitalSignatur.pkcs12 -export -out TDCDigitalSignatur.p12 -des3
	openssl pkcs12 -in TDCDigitalSignatur.pkcs12 -export -out TDCDigitalSignatur.p12 -des3
	openssl pkcs12 -in TDCDigitalSignatur.pkcs12 -export -out TDCDigitalSignatur.p12 -des3
	openssl pkcs12 -in TDCDigitalSignatur.pem -export -out TDCDigitalSignatur.p12 -des3
	openssl pkcs12 -in TDCDigitalSignatur.pem -export -out TDCDigitalSignatur.p12 -des3
	openssl x509 -issuer -in TDCDigitalSignatur.pem -out TDCDigitalSignatur.crt
	openssl pkcs12 -nokeys -clcerts -in TDCDigitalSignatur.p12 -out JonBendtsen.crt
The other certificate comes as these 4 files:
	ca.crt
	jon_bendtsen.crt
	jon_bendtsen.key
	jon_bendtsen.csr

I have tried to sign both an .svg and a .jpg, but in both cases it complains mostly about crypto, or invalid parameters. Both certificates are protected by a password, and only using jon_bendtsen.key did it ask for a password.

Here's my history output:
     16  13:40   xmlsec1 --sign --binary-data danmark.jpg --output out --privkey-pem jon_bendtsen.key
     17  13:40   xmlsec1 --sign --output out --privkey-pem jon_bendtsen.key danmark.jpg
     18  13:40   xmlsec1 --sign --output out --privkey-pem jon_bendtsen.key danmark.jpg
     19  13:40   xmlsec1 --sign --output out --privkey-pem jon_bendtsen.key danmark.jpg
     20  15:57   xmlsec1 --sign --output out --privkey-pem jon_bendtsen.key skencil.svg
     21  16:00   xmlsec1 --sign-tmpl --output out --privkey-pem jon_bendtsen.key skencil.svg
     23  16:02   xmlsec1 --sign-tmpl --output out --privkey-pem jon_bendtsen.key --binary-data danmark.jpg
     24  16:02   man xmlsec1
     25  16:02   xmlsec1 --sign --output out --privkey-pem jon_bendtsen.key --binary-data danmark.jpg

testhost:/usr/src/sign# history | grep xmlsec1
   417  xmlsec1 --sign --output out.xml --pkcs12 TDCDigitalSignatur.pkcs12 skencil.svg
   418  xmlsec1 --sign --output out.xml --pkcs12 TDCDigitalSignatur.p12 skencil.svg
   419  xmlsec1 --sign --output out.xml --privkey-pem TDCDigitalSignatur.pem skencil.svg
   422  xmlsec1 --sign --output out.xml --privkey-pem jon_bendtsen.key skencil.svg
   423  xmlsec1 --sign --output out.xml --privkey-pem jon_bendtsen.key skencil.svg
   424  xmlsec1 --help-all
   425  xmlsec1 --help-sign
   426  xmlsec1 --sign --print-debug --output out.xml --privkey-pem jon_bendtsen.key skencil.svg
   427  xmlsec1 --sign --print-debug --output out.xml --privkey-pem jon_bendtsen.key skencil.svg --binary-data danmark.jpg
   428  xmlsec1 --sign --print-debug --binary-data danmark.jpg --output out.xml --privkey-pem jon_bendtsen.key skencil.svg


Ultimately I'm trying to make a browser capable of verifying signatures on files/pages/pictures/... and would prefer having xml sig support since it probably is the future. (Do I have to include the data in the xml sig file, can't I just write in the URI field where the data actually is?)
But first I want xmlsec1 to sign and then verify some files.

I'm unsure about the difference between --sign and --sign-tmpl, as I only want to provide the data I want to sign, and a key/certificate/... and then xmlsec1 gives me either an .xml embedding the data, either text or binary, or provides a URI to it.



JonB
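
The following is an added example, not part of the original post and not the xmlsec project's own code: `xmlsec1 --sign` takes an XML-DSig template as its input file rather than the raw data, and the template's `Reference URI` can name an external file so the data is referenced instead of embedded. The helper names `write_template` and `demo`, the throwaway key, the stand-in file contents and the RSA-SHA256 algorithm choice are assumptions, and it presumes an xmlsec1 build with OpenSSL that supports RSA-SHA256.

```shell
#!/bin/sh
# Added example, not from the original post.
# write_template URI OUTFILE  (hypothetical helper): writes an unsigned
# XML-DSig template whose Reference points at an external file, i.e. a
# detached signature. xmlsec1 fills in the empty DigestValue/SignatureValue.
write_template() {
    cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference URI="$1">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue/>
    </Reference>
  </SignedInfo>
  <SignatureValue/>
</Signature>
EOF
}

# demo: sign a stand-in file with a throwaway key, then verify the result.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'constructed sample bytes\n' > danmark.jpg  # stand-in, not a real image
        openssl genrsa -out demo.key 2048 2>/dev/null || exit 1
        openssl rsa -in demo.key -pubout -out demo.pub 2>/dev/null || exit 1
        write_template danmark.jpg template.xml
        # The input file is the template; the data is only referenced by URI.
        xmlsec1 --sign --privkey-pem demo.key --output signed.xml template.xml || exit 1
        # Verification re-reads danmark.jpg and recomputes its digest.
        xmlsec1 --verify --pubkey-pem demo.pub signed.xml
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run the demo only where both tools are installed.
if command -v xmlsec1 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    demo || echo "sign/verify failed" >&2
fi
```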



