[xmlsec] how can I use the public key for encryption

wz qiang weizhongqiang at gmail.com
Mon Jun 30 06:17:01 PDT 2008 

hello,
Thanks.
I user the following code to load public key from a certificate:

pubkey2 = xmlSecKeyCreate();
xmlSecCryptoAppKeyCertLoad(pubkey2, "cert.pem", xmlSecKeyDataFormatPem);
dsigCtx->signKey = pubkey2;
if (xmlSecDSigCtxVerify(dsigCtx, signature_nd) < 0) {
   xmlSecDSigCtxDestroy(dsigCtx);
   if (keys_manager) xmlSecKeysMngrDestroy(keys_manager);
   std::cerr<<"Signature verification failed (with trusted ca
path)"<<std::endl;
   return false;
 }

But I got the error:

func=xmlSecKeyMatch:file=keys.c:line=703:obj=unknown:subj=xmlSecKeyIsValid(key):error=100:assertion:
func=xmlSecOpenSSLEvpSignatureSetKey:file=signatures.c:line=263:obj=unknown:subj=xmlSecKeyCheckId(key,
ctx->keyId):error=100:assertion:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=882:obj=unknown:subj=xmlSecTransformSetKey:error=1:xmlsec
library function failed:transform=rsa-sha1
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
library function failed:


How ever if I load the key from a public key file (which is convert from
certificate by using openssl command), it works well.

Some hint?

Thanks
Weizhong


On Mon, Jun 30, 2008 at 4:20 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:

>
> https://www.aleksey.com/xmlsec/api/xmlsec-openssl-app.html#XMLSECOPENSSLAPPKEYFROMCERTLOADBIO
>
> Aleksey
>
> wz qiang wrote:
>
>> hello Aleksey and Ed,
>> I use:
>> openssl x509 -inform pem -in cert.pem -pubkey -noout > publickey.pem
>>  to extract the public key from certificate, and then load the public key
>> into keymanager:
>>  key = xmlSecCryptoAppKeyLoad(publickeyfile, xmlSecKeyDataFormatPem, NULL,
>> NULL, NULL);
>> xmlSecCryptoAppDefaultKeysMngrAdoptKey(keys_mngr, key);
>>  It seems to work.
>>  My following question is, is there some api in xmlsec which I can use to
>> extract public key directly from certificate. I know in openssl there is
>> X509_get_pubkey(certfile), but the return type is EVP_PKEY, here we need
>> xmlSecKeyPtr.
>>  Thanks
>> Weizhong
>>
>>
>>  On 6/26/08, *Aleksey Sanin* <aleksey at aleksey.com <mailto:
>> aleksey at aleksey.com>> wrote:
>>
>>    Ah, I see.... I guess it is a copy/paste error for the comment :)
>>
>>    Aleksey
>>
>>
>>    Ed Shallow wrote:
>>
>>        I believe Weizhong is asking why is the "private" key being
>>        loaded  if one simply wants to encrypt.
>>
>>        Loading a public certificate  in .pem  should  be appropriate.
>>
>>        Why is private even mentioned ?
>>
>>
>>        Aleksey Sanin wrote:
>>
>>            The session key is created for you automatically if you specify
>>            that you want AES, DES, ... encryption for the data. Look at
>> the
>>            xmlsec/tests/ examples.
>>
>>
>>            Aleksey
>>
>>            wz qiang wrote:
>>
>>                hi Aleksey and others,
>>                 In encrypt3.c, there is one line for loading private key.
>>                     /* load private RSA key */
>>                   key = xmlSecCryptoAppKeyLoad(key_file,
>>                xmlSecKeyDataFormatPem, NULL, NULL, NULL);
>>                 I my understanding, normally the public key is used for
>>                encrypting the session key, and then on the other side
>>                private key is used for decrypting the session key
>>                (session key is used for encrypting the data). So my
>>                question is, how I can do like that by using xmlsec API?
>>                  Thanks in advance
>>                Weizhong Qiang
>>
>>
>>
>>  ------------------------------------------------------------------------
>>
>>                _______________________________________________
>>                xmlsec mailing list
>>                xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>                http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>            _______________________________________________
>>            xmlsec mailing list
>>            xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>            http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>        _______________________________________________
>>        xmlsec mailing list
>>        xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>        http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>    _______________________________________________
>>    xmlsec mailing list
>>    xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>    http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080630/4c41a5fc/attachment-0002.htm

More information about the xmlsec mailing list