[xmlsec] Issues using xmlsec for SAML

Dave Chapman dave at dchapman.com
Mon May 26 13:36:18 PDT 2008


The application I'm working on receives XML documents from a third 
party, and I need to verify the signature to both test message integrity 
and to ensure that it has come from this specific third party.

The entire certificate chain, excluding the root certificate (belonging 
to a commercial CA), is embedded in the X509Data element in the signature.

I can verify the signature successfully, but the only result I can seem 
to get from xmlsec is "success".  I haven't managed to find a way to 
extract the Subject/Issuer information from the certificate chain used 
to verify the signature.

If I call the function xmlSecKeyDebugDump after the signature has been 
verified, then I can see the required information displayed, but after 
following that function in the xmlsec source, I see it goes down to the 
level of using openssl functions, and there doesn't appear to be any way 
to access that information via the xmlsec API (apart from the various 
DebugDump functions).

Am I missing something?  Is there a way I can limit my program to only 
accept files signed by a particular entity?  Or is the only way to use 
openssl's functions to access this information?

My workaround for the moment is to parse the output of the 
xmlSecKeyDebugDump function in Perl, but I'm assuming that's not the 
intended way to do things...
