[xmlsec] wsse tokens and encryption

Aleksey Sanin aleksey at aleksey.com
Thu Jun 19 10:16:54 PDT 2008

If you have only public keys then you should not use pkcs12.


You can try to load the public key directly from the certificate
using the "--pubkey-cert-pem" command line option of the xmlsec utility.


Brian.Myers at zootweb.com wrote:
> Thank you, loading a pkcs12 file worked!  I created a pkcs12 file with 
> my public cert and private key.
> I loaded it into xmlsec and it did everything else on its own, and on 
> the other end I was able to decrypt
> it with my private key (so I assume that it got the public key out and 
> did things correctly).
> However, there is a problem with this.
> Since I am going to be using the "clients" public key/cert, I'll have to 
> make the pkcs12 file without a private key.
> This appears to be doable with openssl (though what I'm doing now could 
> be wrong).
> The command I use to get the pkcs12 file from a pem format cert is:
> openssl pkcs12 -export -in PubCertFile.pem -nokeys -out myTempCert.p12
> but when I load the result of this command into xmlsec, I get this error:
> func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=211:obj=unknown:subj=pKey != NULL:error=100:assertion:
> func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=702:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed:
> func=xmlSecOpenSSLAppPkcs12Load:file=app.c:line=574:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:filename=/myKeyDir/myTempCert.p12;errno=2
> It looks like xmlsec is expecting a private key with the file, but I 
> can't have it due to the nature of security.
> Is there a way to tell xmlsec to just use the public key that's inside 
> the pkcs12 file? or am I going about this wrong?
> Thanks again,
> Brian
> *Aleksey Sanin <aleksey at aleksey.com>*
> Sent by: xmlsec-bounces at aleksey.com
> 06/17/2008 03:17 PM
> To: Brian.Myers at zootweb.com
> cc: xmlsec at aleksey.com
> Subject: Re: [xmlsec] wsse tokens and encryption
>  > Do I need to manually put the cert into the key?
> Yes! You must associate the cert with the key. The simplest
> way to do this is to put your key and certificate(s) into
> pkcs12 file and then load the file "at once". It is possible
> to do it manually but you will need to manipulate the
> key data objects yourself.
> Aleksey
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
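The advice above worked through end to end, as an added example (not code from this thread or from the xmlsec project): the sender holds nothing but the client's certificate and encrypts with "--pubkey-cert-pem"; the receiver holds key and certificate in a PKCS#12 file and decrypts with "--pkcs12". It also rebuilds the cert-only PKCS#12 from the question and counts the private keys inside it, which is the quick way to see why xmlsec's pkcs12 loader asserts on it. Everything below is assumed for the demo: a throw-away self-signed certificate stands in for the client's cert, the PKCS#12 password, the key name "client" (given to the loaded keys through xmlsec1's ":<name>" suffix and referenced from <KeyName> in the template), the encryption template itself, and the choice of RSA-OAEP key transport instead of the rsa-1_5 that older WS-Security deployments used. The script needs openssl and xmlsec1 on PATH.

```shell
#!/bin/sh
# Added example, not from the xmlsec list thread or the xmlsec project.
# Encrypt with ONLY the client's certificate (--pubkey-cert-pem), decrypt with the
# private key from a PKCS#12 file (--pkcs12). Assumed for the demo: a throw-away
# self-signed cert instead of the real client cert, the PKCS#12 password, the key
# name "client", and the template below. Needs openssl and xmlsec1.

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="p12-secret"          # assumed password for the demo PKCS#12 files
KEY_NAME="client"              # name given to the loaded key via xmlsec1's :<name> suffix

# Build the test material with openssl. Also reproduces the cert-only PKCS#12 from
# the question: openssl happily writes it, xmlsec's pkcs12 loader wants a key in it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=client \
        -keyout "$WORK/client-key.pem" -out "$WORK/client-cert.pem" 2>/dev/null || return 1
    # What the question did: a PKCS#12 holding only the certificate.
    openssl pkcs12 -export -nokeys -in "$WORK/client-cert.pem" \
        -passout "pass:$P12_PASS" -out "$WORK/cert-only.p12" 2>/dev/null || return 1
    # What the decrypting side actually holds: private key and certificate together.
    openssl pkcs12 -export -inkey "$WORK/client-key.pem" -in "$WORK/client-cert.pem" \
        -passout "pass:$P12_PASS" -out "$WORK/client.p12" 2>/dev/null || return 1
    # Constructed plaintext document to protect.
    printf '<?xml version="1.0"?>\n<Payload><Secret>swordfish</Secret></Payload>\n' > "$WORK/plain.xml"
}

# Number of private keys inside a PKCS#12 file. The cert-only bundle gives 0,
# which is exactly the pKey != NULL assertion in the error output above.
count_p12_keys() {   # $1 = .p12 file, $2 = its password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# XML Encryption template (constructed): fresh AES session key for the data,
# wrapped for the recipient with RSA-OAEP. <KeyName> selects the loaded key on
# both sides instead of relying on "use any suitable key" lookup.
write_template() {
    cat > "$WORK/enc-tmpl.xml" <<EOF
<?xml version="1.0"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo><KeyName>$KEY_NAME</KeyName></KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>
EOF
}

# Sender side: no PKCS#12 and no private key; the public key comes from the cert.
encrypt_with_cert() {
    xmlsec1 --encrypt --pubkey-cert-pem:"$KEY_NAME" "$WORK/client-cert.pem" \
        --session-key aes-128 --xml-data "$WORK/plain.xml" \
        --output "$WORK/enc.xml" "$WORK/enc-tmpl.xml"
}

# Receiver side: key and cert loaded "at once" from PKCS#12, as in the working run.
decrypt_with_p12() {
    xmlsec1 --decrypt --pkcs12:"$KEY_NAME" "$WORK/client.p12" --pwd "$P12_PASS" \
        --output "$WORK/dec.xml" "$WORK/enc.xml"
}

# Prints "ok" when the round trip works, "skipped" when xmlsec1 is not installed,
# "fail" otherwise. Always returns 0 so it is safe inside command substitutions.
run_demo() {
    if ! make_test_pki; then echo "fail"; return 0; fi
    write_template
    if ! command -v xmlsec1 >/dev/null 2>&1; then echo "skipped"; return 0; fi
    if ! encrypt_with_cert >/dev/null 2>&1; then echo "fail"; return 0; fi
    # The ciphertext must not carry the plaintext; decryption must recover it.
    if grep -q swordfish "$WORK/enc.xml"; then echo "fail"; return 0; fi
    if ! decrypt_with_p12 >/dev/null 2>&1; then echo "fail"; return 0; fi
    if grep -q swordfish "$WORK/dec.xml"; then echo "ok"; else echo "fail"; fi
}

echo "work dir: $WORK"
echo "round trip: $(run_demo)"
echo "private keys in cert-only.p12: $(count_p12_keys "$WORK/cert-only.p12" "$P12_PASS")"
echo "private keys in client.p12:    $(count_p12_keys "$WORK/client.p12" "$P12_PASS")"
```

The sender never needs the cert-only .p12 at all: the PEM certificate is the input, and the key loaded from it is named with the ":client" suffix so that the <KeyName> in the template (and in the EncryptedKey xmlsec writes out) picks it deterministically on both sides; the same name goes on the "--pkcs12:client" load at the receiver. Inspect "$WORK/enc.xml" after a run to see the filled-in EncryptedKey and CipherValue elements.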
