[xmlsec] remote or external private keys

Quenin Bertrand bquenin at axway.com
Tue Sep 28 05:01:36 PDT 2004


Hi,
	I'd like to implement another (proprietary) PKI and crypto engine with xmlsec. The crypto engine seems to be well segmented in the API as far as I can see, but the PKI material seems not to be. I was wondering if it was possible to use external (or remote) private keys. Let me explain my point of view. I need to reference keys via criteria (such as aliases or key parameters), but I have no direct access to private keys. I've noticed the following problems:

1) Custom keys stores don't provide any certificate- or X509Data-based retrieval method; I only found this method, which is obviously based on a character string.

XMLSEC_EXPORT xmlSecKeyPtr              xmlSecKeysMngrFindKey           (xmlSecKeysMngrPtr mngr,
                                                                         const xmlChar* name,
                                                                         xmlSecKeyInfoCtxPtr keyInfoCtx);


So, even if I wanted to implement a custom keys store, I wouldn't be able to select the corresponding key on signature verification, for example (considering the envelope uses an X509IssuerSerial KeyInfo element).

2) Keys are represented in a proprietary format. I said I can't access private keys directly, but I have a set of criteria identifying a key (more precisely, a certificate). How can I configure xmlsec for a signature operation using such a key description?

Here is a small schema of what I want to achieve:

     Private key descriptor
  (few parameters like aliases,
    I.e. certificate alias)
             |
    ---------------------
    |My Security Library|
    ---------------------
             |
    --------------------   (2) Use the key handle  --------------------
    |      xmlsec      |---------------------------| My Crypto engine |
    --------------------   retrieved in my PKI DB  --------------------
             |          for performing the signature
             |
     (1) Retrieve a key
     handle via the key
         descriptor
             |
    --------------------
    |     My PKI DB    |
    --------------------

Thanks in advance
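An added illustration of step (1) in the diagram above, written for this page and not taken from xmlsec or from the poster's library: a constructed in-memory "PKI DB" that only ever hands out opaque key handles, resolved either by alias alone (the shape of xmlSecKeysMngrFindKey's name argument) or by the X509IssuerSerial criteria the poster wants to use. All type and function names, the sample entries and the handle values are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the poster's "My PKI DB": callers never see private
 * key bytes, only an opaque handle understood by the crypto engine. */
typedef struct {
    const char *alias;   /* certificate alias */
    const char *issuer;  /* X509IssuerName */
    long serial;         /* X509SerialNumber */
    int handle;          /* opaque key handle for the crypto engine */
} pki_entry_t;
/* Private key descriptor; a NULL or 0 field is a wildcard. */
typedef struct { const char *alias; const char *issuer; long serial; } key_descriptor_t;
/* Constructed sample data: two signing certs share one alias (current and renewed). */
static const pki_entry_t pki_db[] = {
    { "sign", "CN=Test CA", 1001, 41 },
    { "sign", "CN=Test CA", 1002, 42 },
    { "enc",  "CN=Test CA", 2001, 43 },
};
#define PKI_DB_SIZE (sizeof pki_db / sizeof pki_db[0])

/* Resolve a descriptor to a handle: the handle on exactly one match, 0 on none, -1 when
 * ambiguous. A name-only lookup (xmlSecKeysMngrFindKey's shape) cannot pass X509 criteria. */
int pki_find_handle(const key_descriptor_t *d)
{
    int handle = 0, matches = 0;
    for (size_t i = 0; i < PKI_DB_SIZE; i++) {
        const pki_entry_t *e = &pki_db[i];
        if (d->alias  && strcmp(d->alias,  e->alias)  != 0) continue;
        if (d->issuer && strcmp(d->issuer, e->issuer) != 0) continue;
        if (d->serial && d->serial != e->serial)           continue;
        handle = e->handle;
        matches++;
    }
    return matches == 1 ? handle : (matches ? -1 : 0);
}

/* Lookup by alias only, the shape of xmlSecKeysMngrFindKey's name argument. */
int pki_find_by_name(const char *name)
{
    key_descriptor_t d = { name, NULL, 0 };
    return pki_find_handle(&d);
}

/* Lookup from an X509IssuerSerial KeyInfo element: issuer name plus serial. */
int pki_find_by_issuer_serial(const char *issuer, long serial)
{
    key_descriptor_t d = { NULL, issuer, serial };
    return pki_find_handle(&d);
}
```

With the two "sign" certificates in the sample DB, the alias-only lookup comes back ambiguous while the issuer/serial lookup selects exactly one handle.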


