[xmlsec] xmlsec

Alexander Trishin trial at trishin.com
Fri Dec 23 09:19:37 PST 2005


I'm using xCBL 4.0 documents, which define the dgs prefix for xmldsig:
<Invoice xmlns:dgs="http://www.w3.org/2000/09/xmldsig#" >
So I'm defining the signature template as
<dgs:Signature>
    <dgs:SignedInfo>
        <dgs:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <dgs:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dgs:Reference URI="">
            <dgs:Transforms>
                <dgs:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </dgs:Transforms>
            <dgs:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <dgs:DigestValue/>
        </dgs:Reference>
    </dgs:SignedInfo>
    <dgs:SignatureValue/>
    <dgs:KeyInfo>
        <dgs:KeyName/>
        <dgs:X509Data>
            <dgs:X509Certificate/>
        </dgs:X509Data>
    </dgs:KeyInfo>
</dgs:Signature>

After the document is signed, all elements still have the dgs prefix except
X509Certificate:
        <dgs:X509Data>
            <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIICAjCCAWugAwIBAgIQnS98DETrP7RGkaTvoI4evjANBgkqhkiG9w0BAQQFADAY
[skip]
            </X509Certificate>
        </dgs:X509Data>

Although it does not create a verification problem, I find it strange. 
Is there a way to keep it consistent?

Thank you,
Alex.


Edward Shallow wrote:

>Hi Alex,
>
>   Aleksey did understand you correctly. Simply initialize the <KeyName> in
>a template file (sample attached) and the private signing key will be
>extracted from the MS system key store (i.e. 'MY'). Rough sequence of calls
>(simplified) as follows: 
>
>    xmlParseFile('the template')
>    xmlDocGetRootElement()
>    xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
>    xmlSecKeysMngrCreate()
>    xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
>    xmlSecDSigCtxCreate()
>    xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
>    xmlSecDSigCtxSign(dsigCtx, sigNode)
>
>   Depending on which crypto you are using the <KeyName> can contain either
>the short friendly name (from CN=...) or the full X509 Distinguished Name.
>Both will work. mscrypto for example will look first in the Simple Key Store
>if you have adopted one and then in the 'MY' certificate store for your
>signing key. In the above sequence, I did not load or adopt a Key Store, so
>mscrypto goes directly to the system key store 'MY'.
>
>   Note: OpenSSL does not have a system key store.
>
>Cheers,
>Ed 
>
>
>
>-----Original Message-----
>From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
>Behalf Of Alexander Trishin
>Sent: December 19, 2005 7:00 PM
>To: Aleksey Sanin
>Cc: xmlsec at aleksey.com
>Subject: Re: [xmlsec] xmlsec
>
>Aleksey,
>
>I probably didn't make myself clear.
>I'm looking at the code to produce a signed XML; in the sample, the key info and
>certificate come from an external file.
>My question is: what functions should I use to change that, so that the key
>info and certificate come from the system store and not from the file?
>
>Thank you in advance,
>Alex
>
>Aleksey Sanin wrote:
>
>  
>
>>I am not a big mscrypto user myself and I hope someone will correct my 
>>lies here... but I believe that you just need to put the key name 
>>(i.e. certificate subject) into the <KeyName> element of your 
>>signature template.
>>
>>Aleksey
>>
>>Alexander Trishin wrote:
>>
>>    
>>
>>>Dear Friends,
>>>
>>>I'm trying to create a test console app to sign XML files with an
>>>X509 certificate. I took a look at the samples provided but have yet to figure 
>>>out how to sign an XML file with a certificate that I already 
>>>have in the "MY" store. The certificate does have a private key.
>>>
>>>If someone can point me in the right direction or has a sample, I'd 
>>>greatly appreciate it.
>>>
>>>The platform is Windows with the MS crypto library.
>>>
>>>Thank you,
>>>Alex.
>>>_______________________________________________
>>>xmlsec mailing list
>>>xmlsec at aleksey.com
>>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>>      
>>>
>>
>>
>>    
>>
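The prefix question above and the enveloped-signature template it refers to can both be checked with plain namespace-aware parsing. The following is an added example written for this page, not code from the poster, from xmlsec, or from any xCBL tooling; it uses only the Python standard library on a constructed invoice that mirrors the shape of the posted document (the certificate value and digest/signature values are placeholders, not real data). It shows three things: that <dgs:X509Certificate> and <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#"> resolve to the same qualified name, which is why the prefix change does not affect verification; how to re-serialize the signed document with a single prefix if a downstream consumer insists on textual consistency (ET.register_namespace is process-global, so call it once); and a check a practitioner will want: with Reference URI="" plus the enveloped-signature transform, the digest covers everything except the Signature subtree, so KeyInfo and the embedded X509Certificate are not protected by the signature and the verifier must establish trust in that certificate independently.

```python
"""Namespace and coverage checks for an enveloped XML-DSig document.

Standard library only. SIGNED_INVOICE is a constructed sample for this
example; it is not the poster's real xCBL 4.0 document.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: dgs prefix on Signature elements, X509Certificate
# re-emitted with a default namespace declaration, as in the post.
SIGNED_INVOICE = """<Invoice xmlns:dgs="http://www.w3.org/2000/09/xmldsig#">
  <InvoiceHeader><InvoiceNumber>INV-0001</InvoiceNumber></InvoiceHeader>
  <dgs:Signature>
    <dgs:SignedInfo>
      <dgs:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <dgs:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dgs:Reference URI="">
        <dgs:Transforms>
          <dgs:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </dgs:Transforms>
        <dgs:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dgs:DigestValue>PLACEHOLDER-DIGEST</dgs:DigestValue>
      </dgs:Reference>
    </dgs:SignedInfo>
    <dgs:SignatureValue>PLACEHOLDER-SIGNATURE</dgs:SignatureValue>
    <dgs:KeyInfo>
      <dgs:KeyName>test-signer</dgs:KeyName>
      <dgs:X509Data>
        <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER-CERT</X509Certificate>
      </dgs:X509Data>
    </dgs:KeyInfo>
  </dgs:Signature>
</Invoice>
"""


def qname(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def find_signature(root):
    """Locate the Signature element by namespace, ignoring whatever prefix
    the serializer happened to use."""
    sig = root.find(f".//{{{DSIG_NS}}}Signature")
    if sig is None:
        raise ValueError("no xmldsig Signature element found")
    return sig


def foreign_elements_in_signature(xml_text):
    """Local names of elements under Signature that are NOT in the xmldsig
    namespace. A prefix change (dgs: vs. default xmlns) is not a namespace
    change, so the posted document yields an empty list."""
    root = ET.fromstring(xml_text)
    sig = find_signature(root)
    return [qname(e.tag)[1] for e in sig.iter() if qname(e.tag)[0] != DSIG_NS]


def signature_local_names(xml_text):
    """All element local names under Signature, in document order."""
    root = ET.fromstring(xml_text)
    return [qname(e.tag)[1] for e in find_signature(root).iter()]


def reserialize_with_prefix(xml_text, prefix="dgs"):
    """Re-emit the document so every xmldsig element carries one prefix.
    ET.register_namespace is process-global; register once per process."""
    ET.register_namespace(prefix, DSIG_NS)
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


def elements_covered_by_enveloped_reference(xml_text):
    """Model Reference URI="" with the enveloped-signature transform: the
    digest covers the whole document minus the Signature subtree. KeyInfo
    and the X509Certificate inside it are therefore NOT signed."""
    root = ET.fromstring(xml_text)
    inside_signature = {id(e) for e in find_signature(root).iter()}
    return [qname(e.tag)[1] for e in root.iter() if id(e) not in inside_signature]


if __name__ == "__main__":
    print("non-dsig elements under Signature:", foreign_elements_in_signature(SIGNED_INVOICE))
    print("elements covered by the digest:", elements_covered_by_enveloped_reference(SIGNED_INVOICE))
    print(reserialize_with_prefix(SIGNED_INVOICE))
```

The coverage function is the one to keep in mind when deciding what a verifier may trust: anything it reports as uncovered, including KeyName and X509Certificate here, must be bound to a trust anchor by the verifier's own policy rather than taken from the document.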
