[xmlsec] how to load non-standard <KeyInfo/>

wz qiang weizhongqiang at gmail.com
Fri Jul 18 04:43:15 PDT 2008

hello Aleksey,
It seems a little bit complicated if use your method, because it seems I
need to implement the whole certificate chain checking as well. So for now I
just put this method into my TODO list, and alternatively use some hack
method by inserting <X509Data/> into <KeyInfo/> and delete the node after
verification, it works :)

Thanks a lot,

On 7/18/08, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Correct. But I would use DataRetrieval as an example.
> Aleksey
> wz qiang wrote:
>> hello Aleksey,
>> Thank you for your kind reply.
>> Just to make sure that I understand you correctly. You meant that I need
>> to implement some special key data just like the
>> xmlSecOpenSSLKeyDataX509Klass in src/openssl/x509.c, and the
>> xmlSecKeyDataRetrieval method, finally I need to register it when by using
>> "xmlSecKeyDataIdsRegister"?
>>  Thanks a lot,
>> Weizhong
>>  On 7/17/08, *Aleksey Sanin* <aleksey at aleksey.com <mailto:
>> aleksey at aleksey.com>> wrote:
>>    The "right" way to do it is to create "key data" object for
>>    reading/writing wsse:SecurityTokenReference node. Look at
>>    xmlsec/src/keyinfo.c file and search for xmlSecKeyDataRetrieval
>>    for an example. Note that you don't need to modify xmlsec
>>    source code. You can create your custom "key data" object
>>    and then register in xmlsec from your application.
>>    Aleksey
>>    wz qiang wrote:
>>        hi,
>>        I am using the following node for <KeyInfo/> under <Signature/>
>>        <KeyInfo><wsse:SecurityTokenReference><wsse:Reference
>>        URI="#binarytoken"/></wsse:SecurityTokenReference></KeyInfo>
>>         When I verify it, of cause not like <X509Data/>, the above
>>        <KeyInfo/> can not be loaded by xmlsec library automatically. So
>>        how can I load it?
>>        I try to parser the pubkey out from the binarytoken by using:
>>        xmlSecOpenSSLAppKeyFromCertLoadBIO(bio, certformat);
>>        and then load the key into keymanager:
>>        xmlSecCryptoAppDefaultKeysMngrAdoptKey(keysmanager, key);
>>         I also loaded the trusted ca certificate by using:
>>        xmlSecCryptoAppKeysMngrCertLoad(...);
>>         But it seem is the loaded trusted certificate does not effect
>>        at all. Becase even if I comment the line
>>        "xmlSecCryptoAppKeysMngrCertLoad", the verification also works.
>>         SO I think the trust chain has not been checked.
>>         Could you tell me how can I load the non-standard <KeyInfo/>,
>>        and make the trusted chain checkin work as well.
>>         Thanks in advance.
>>         Weizhong Qiang
>>  ------------------------------------------------------------------------
>>        _______________________________________________
>>        xmlsec mailing list
>>        xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>        http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080718/ed407dea/attachment-0002.htm

More information about the xmlsec mailing list