[xmlsec] How to sign without an exportable key

Erik F. Andersen ea at ascott.dk
Sat Jan 22 07:24:42 PST 2005


Up until now I have used a PKCS#12 file to sign documents in xmlsec (using MSCrypto). Now I'm faced with the problem that I cannot create a PKCS#12 file because the private keys are not exportable. How can I handle this in xmlsec?

I was thinking about something like this:

1) First I retrieve a PCERT_CONTEXT from MSCrypto
2) Now I call xmlSecMSCryptoCertAdopt to get an xmlSecKeyDataPtr
3) Third I create a new xmlSecKeyPtr by calling xmlSecKeyCreate
4) Now I call xmlSecKeySetValue(xmlSecKeyPtr, xmlSecKeyDataPtr)
5) I now create an xmlSecDSigCtx using xmlSecDSigCtxCreate
6) I can now assign xmlSecDSigCtx->signKey with the xmlSecKeyPtr
7) Last I call xmlSecDSigCtxSign

Will this approach work and is it a good one?

At what stage will MSCrypto ask me to enter the password in order to encrypt the document (my guess is at stage 7)?

If I have several documents that need signing, will this method force MSCrypto to prompt me for a password every time, or is there a way around this problem? I thought about using a keys manager, but I have no idea how to do this, or even if it will solve my problem.

I have looked through all examples without getting a clear idea on how to solve my problem.

Erik F. Andersen