[xmlsec] Loading publickeys from KeyInfo/X509Data

Benjamin Dauvergne bdauvergne at entrouvert.com
Wed Feb 10 08:48:55 PST 2010


Hi,

We are using XMLSec inside the Lasso library
(http://lasso.entrouvert.org) to handle XML signature and encryption in
the SAML 1.0 and 2.0 protocols. I recently changed our ad hoc (and wrong
;)) code for reading KeyInfo nodes to use xmlSecKeyInfoNodeRead, in
order to correctly support all the KeyInfo content out there (RSAKeyValue
and so on).

My problem is that if we disable certificate validation (as SAML advises
us to do when consuming service metadata) with
XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS, then the public key of
the certificate is not loaded; only the certificate is attached to the
xmlSecKey structure. I do not think this is the expected behaviour.
I tried setting certsVerificationDepth to 0, in order to at least accept
self-signed certificates (which would be a start), but I discovered
this flag is of no use since it is not propagated to the backend's (here
we use OpenSSL) verification context.

So for the moment I'm forced to load the key by hand, but this adds a
strong coupling between our library and OpenSSL (which we expected xmlsec
to hide). Here is the code that fixes badly loaded public keys:

	/* Read the KeyInfo with xmlsec. Its default error output is silenced
	 * while reading; the result is checked through rc below. */
	xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
	rc = xmlSecKeyInfoNodeRead(key_info, key, &ctx);
	xmlSecErrorsDefaultCallbackEnableOutput(TRUE);
	xmlSecKeyInfoCtxFinalize(&ctx);

	/* The certificate was attached to the key but no key value was set:
	 * extract the public key from the first certificate ourselves. This is
	 * the OpenSSL-specific part (needs <openssl/x509.h> and
	 * <xmlsec/openssl/x509.h>); only keys that came back without a value
	 * are patched up. `next' is a label in the enclosing function. */
	if (rc == 0 && xmlSecKeyGetValue(key) == NULL) {
		xmlSecKeyDataPtr cert_data;
		X509 *cert;

		cert_data = xmlSecKeyGetData(key, xmlSecOpenSSLKeyDataX509Id);

		if (cert_data) {
			cert = xmlSecOpenSSLKeyDataX509GetCert(cert_data, 0);
			if (cert) {
				xmlSecKeyDataPtr cert_key;

				cert_key = xmlSecOpenSSLX509CertGetKey(cert);
				if (cert_key == NULL) {
					/* unsupported key type in the certificate; never pass
					 * NULL to xmlSecKeySetValue or xmlSecKeyDataDestroy */
					goto next;
				}
				/* on success the key owns cert_key, on failure we still do */
				rc = xmlSecKeySetValue(key, cert_key);
				if (rc < 0) {
					xmlSecKeyDataDestroy(cert_key);
					goto next;
				}
			}
		}
	}

The full code of the function is at:
http://perso.entrouvert.org/~bdauvergne/git/cgit.cgi?url=lasso-perso/tree/lasso/xml/tools.c#n2003

I'm thinking of making a patch to xmlsec to load the key anyway when
validation is disabled, and to support certsVerificationDepth for
OpenSSL. What do you think of this plan?
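As an added illustration (not Lasso or xmlsec code, and not part of the message above): the key-loading behaviour the message asks for, done in stdlib-only Python so it runs without xmlsec or OpenSSL. It reads a SAML 2.0 metadata KeyDescriptor, base64-decodes the ds:X509Certificate and walks the DER just far enough to pull the RSA modulus and exponent out of SubjectPublicKeyInfo, without looking at the issuer, validity or signature, which is what "certificate verification disabled" should mean for key extraction. The entityID, certificate and key material are constructed test data (the certificate expired in 2001 and carries a garbage signature, precisely so that a chain or signature check would reject it while key extraction still succeeds), and all function names are my own.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
CN_OID = bytes.fromhex("550403")                           # 2.5.4.3

# Constructed test key material (not a real RSA modulus): a 256-bit odd number.
SAMPLE_N = (1 << 255) | 0x1F
SAMPLE_E = 65537

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Encode one DER tag-length-value."""
    return bytes([tag]) + _encode_len(len(body)) + body

def der_int(v):
    """DER INTEGER for a non-negative int (adds the leading 0x00 when the high bit is set)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def rsa_public_key_from_cert(der):
    """Return (modulus, exponent) from a DER certificate's SubjectPublicKeyInfo."""
    # Issuer, validity and signature are deliberately not examined: this is the
    # key-loading behaviour wanted when certificate verification is disabled.
    _, cert_body, _ = read_tlv(der)             # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body)             # tbsCertificate SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                    # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    (_, alg), (bs_tag, bitstring) = children(spki)
    if next(children(alg))[1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    if bs_tag != 0x03 or bitstring[0] != 0:     # BIT STRING with no unused bits
        raise ValueError("malformed subjectPublicKey")
    _, rsa_pub, _ = read_tlv(bitstring, 1)      # RSAPublicKey SEQUENCE
    (_, n), (_, e) = children(rsa_pub)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def signing_keys_from_metadata(xml_text):
    """List (use, (n, e)) for every X509Certificate in the metadata's KeyDescriptors."""
    root = ET.fromstring(xml_text)
    keys = []
    for kd in root.iter(MD + "KeyDescriptor"):
        for cert_el in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(cert_el.text.split()))
            keys.append((kd.get("use"), rsa_public_key_from_cert(der)))
    return keys

def make_test_certificate(modulus, exponent):
    """Constructed test certificate carrying the given RSA public key."""
    # Validity ended in 2001 and the 'signature' is 32 zero bytes: any chain or
    # signature check rejects it, key extraction must still work.
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, b"Test IdP"))))
    alg_rsa = tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05, b""))
    alg_sig = tlv(0x30, tlv(0x06, SHA256_WITH_RSA_OID) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"000101000000Z") + tlv(0x17, b"010101000000Z"))
    spki = tlv(0x30, alg_rsa + tlv(0x03, b"\x00" + tlv(0x30, der_int(modulus) + der_int(exponent))))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg_sig + name + validity + name + spki)
    return tlv(0x30, tbs + alg_sig + tlv(0x03, b"\x00" + bytes(32)))

def sample_metadata():
    """Constructed SAML 2.0 IdP metadata (entityID is made up) with the test certificate."""
    cert_b64 = base64.b64encode(make_test_certificate(SAMPLE_N, SAMPLE_E)).decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"
    )
```

Calling signing_keys_from_metadata(sample_metadata()) returns the signing key even though the embedded certificate is expired and unsigned. The trust that chain validation would otherwise supply has to come from elsewhere, namely the metadata's own ds:Signature or the channel it was fetched over, which is why loading the key from X509Data is a separate step from deciding whether to believe the metadata at all.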

