[xmlsec] Re: question about dsigCtx->status

Rolando Abarca funkaster at gmail.com
Fri Jun 20 10:11:10 PDT 2008

Ok, I got a little more info on the error:

From the other side (the place where I'm sending the signed XML) the
response is:

   The public key does not correspond to the certificate

This is how I'm signing the document (this is inside a ruby extension):

#include <ruby.h>
#include <libxml/tree.h>
#include <xmlsec/xmlsec.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/templates.h>
#include <xmlsec/crypto.h>
/* ruby_xml_document_t and rb_eXMLError come from the libxml-ruby extension headers */

VALUE xmlsec_sign(VALUE self, VALUE cert_file, VALUE key_file, VALUE node_uri) {
    xmlNodePtr signNode = NULL;
    xmlNodePtr refNode = NULL;
    xmlNodePtr keyInfoNode = NULL;
    xmlSecDSigCtxPtr dsigCtx = NULL;
    ruby_xml_document_t *rxd;
    char *filename;

    /* get libxml document from ruby VALUE */
    Check_Type(key_file, T_STRING);
    Check_Type(cert_file, T_STRING);
    Check_Type(node_uri, T_STRING);
    Data_Get_Struct(self, ruby_xml_document_t, rxd);

    /* create signature template: inclusive C14N, RSA-SHA1 */
    signNode = xmlSecTmplSignatureCreate(rxd->doc, xmlSecTransformInclC14NId,
                                         xmlSecTransformRsaSha1Id, NULL);
    if (signNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to create signature template");
    }
    xmlAddChild(xmlDocGetRootElement(rxd->doc), signNode);

    /* add reference to the node identified by node_uri, digested with SHA1 */
    refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
                                              NULL, STR2CSTR(node_uri), NULL);
    if (refNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to add reference to signature");
    }

    /* add key info: both <KeyValue> and <X509Data> will be filled in at sign time */
    keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
    if (keyInfoNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to add key info");
    }
    if (xmlSecTmplKeyInfoAddKeyValue(keyInfoNode) == NULL) {
        rb_raise(rb_eXMLError, "Failed to add key value");
    }
    if (xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
        rb_raise(rb_eXMLError, "Failed to add X509 Data");
    }

    /* create sign context and sign the document */
    dsigCtx = xmlSecDSigCtxCreate(NULL);
    if (dsigCtx == NULL) {
        rb_raise(rb_eXMLError, "Failed to create signature context");
    }
    filename = STR2CSTR(key_file);
    dsigCtx->signKey = xmlSecCryptoAppKeyLoad(filename, xmlSecKeyDataFormatPem,
                                              NULL, NULL, NULL);
    if (dsigCtx->signKey == NULL) {
        xmlSecDSigCtxDestroy(dsigCtx);
        rb_raise(rb_eXMLError, "Failed to load private key from %s", filename);
    }

    /* add the X509 cert info to the signing key */
    filename = STR2CSTR(cert_file);
    if (xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, filename,
                                   xmlSecKeyDataFormatPem) < 0) {
        xmlSecDSigCtxDestroy(dsigCtx);
        rb_raise(rb_eXMLError, "Failed to load certificate from %s", filename);
    }

    /* sign */
    if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
        xmlSecDSigCtxDestroy(dsigCtx);
        rb_raise(rb_eXMLError, "Signature failed");
    }
    xmlSecDSigCtxDestroy(dsigCtx);

    /* dump to stdout */
    return Qnil;
}

As you can see, I'm creating a template, adding the KeyInfo, Value and  
X509 data. The key_file and cert_file are both the same (it's a PEM  
Any ideas on what could be the problem?

thanks a lot for any hint.

On Jun 20, 2008, at 12:26 PM, Rolando Abarca wrote:

> I'm trying to verify an XML I signed (using xmlsec), but I keep  
> getting xmlSecDSigStatusUnknown as the status... what does it mean?
> Currently, the XML is of the kind:
> <root>
> <A>
>  <B>
>  <Sign for B>
>  <B>
>  <Sign for B>
> </A>
> <Sign for A>
> </root>
> What I'm trying to check first is the sign for A, but it fails...  
> Any hints on where I should start looking?
> Regarding how the tree is being constructed:
> Generate a B sub-tree, save it to a file. Load it and sign it.
> Generate an A sub-tree, add all B nodes, save it to a file. Load it  
> and sign it.
> Generate the root node, add the A node. Save the file.
> Note: this save-load-sign routine is so far the only way I've found  
> to preserve the whitespace (is there any other way?)
> regards
> -- 
> Rolando Abarca M.

Rolando Abarca M.
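The error the receiving side reports ("The public key does not correspond to the certificate") is a claim about the two PEM files handed to xmlSecCryptoAppKeyLoad and xmlSecCryptoAppKeyCertLoad, so it is worth ruling out a key/certificate mix-up before debugging the xmlsec calls themselves. The script below is an added example, not code from the post or from the xmlsec project: it exports the public key from each file with the openssl command line tool and compares the two. It assumes openssl is on the PATH; the sample files it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm that a PEM private key and a PEM certificate belong
# together before using them as an xmlsec signing key. Both sides are exported
# as SubjectPublicKeyInfo PEM and compared byte for byte.
# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        return 0
    fi
    return 1
}

# Constructed sample data for the demonstration: a self-signed certificate with
# its own key, plus an unrelated key that must be rejected. Writes key.pem,
# cert.pem and other.pem into the directory given as $1.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=xmlsec-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" >/dev/null 2>&1 || return 1
}

# Usage: sh check_pair.sh key.pem cert.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches certificate"
    else
        echo "MISMATCH: certificate was not issued for this key (or input unreadable)"
    fi
fi
```

If the check fails for the files the extension loads, the remote side's complaint is explained without looking at the signature code at all; if it passes, the next things to inspect are the <KeyValue> and <X509Certificate> elements xmlsec wrote into <KeyInfo>, since the verifier will compare exactly those.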
