[xmlsec] Signing a document with an X509 certificate doesn't populate the X509Data node

Nigel Ramsay nigel.ramsay at abletech.co.nz
Wed Feb 23 11:24:45 PST 2011


Hi

We are trying to sign an XML document with an X509 certificate, but are
having problems getting the X509Data node populated.

We are following Philippe Camacho's tutorial here:
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7

The command that we use is copied from the tutorial, and we are using the
keysncerts.zip file that contains the appropriate keys and certificates.

The command (using v 1.2.16 on Mac OSX 10.6) is:
xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem --pwd hello
doc-x509.xml

The contents of doc-x509.xml (the document we are trying to sign) are:
<References>
 <Book>
  <Author>
   <FirstName>Bruce</FirstName>
   <LastName>Schneier</LastName>
  </Author>
  <Title>Applied Cryptography</Title>
 </Book>
 <Web>
  <Title>XMLSec</Title>
  <Url>http://www.aleksey.com/xmlsec/</Url>
 </Web>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <Reference URI="">
    <Transforms>
     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue></DigestValue>
   </Reference>
  </SignedInfo>
  <SignatureValue />
  <KeyInfo>
   <X509Data >
    <X509SubjectName/>
    <X509IssuerSerial/>
    <X509Certificate/>
   </X509Data>
   <KeyValue />
  </KeyInfo>
 </Signature>
</References>

We get this output from running the command:

<?xml version="1.0"?>
<References>
    <Book>
        <Author>
            <FirstName>Bruce</FirstName>
            <LastName>Schneier</LastName>
        </Author>
        <Title>Applied Cryptography</Title>
    </Book>
    <Web>
        <Title>XMLSec</Title>
        <Url>http://www.aleksey.com/xmlsec/</Url>
    </Web>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
        <KeyInfo>
            <X509Data>



            </X509Data>
            <KeyValue>
                <RSAKeyValue>
                    <Modulus>
vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
                    </Modulus>
                    <Exponent>AQAB</Exponent>
                </RSAKeyValue>
            </KeyValue>
        </KeyInfo>
    </Signature>
</References>

As you can see, the X509Data node is blank.

We have tried including the --print-xml-debug option, and this shows a
number of fields, including:

<X509Data>
  <KeyCertificate>
    <SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith at hello.com</SubjectName>
    <IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=lostilos at free.fr</IssuerName>
    <SerialNumber>11E</SerialNumber>
  </KeyCertificate>
</X509Data>

We have also tried these commands with our own generated keys, and different
XML files too. We get the same result each time.

I have searched this mailing list, and note that Braja Biswal had a similar
problem:
http://www.aleksey.com/pipermail/xmlsec/2009/008672.html

We would really appreciate any help, as we seem to be out of ideas. Our last
idea is to try the same approach using Ubuntu - perhaps this is "a Mac
thing". We used MacPorts to install Xmlsec.

Thanks

Nigel



-- 
Nigel Ramsay
Principal Consultant
Able Technology

04 910 3100
021 323 990
http://www.abletech.co.nz
http://nigel.ramsay.org.nz
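Added example (not from the post above and not part of xmlsec): a post-signing check a practitioner would run over xmlsec1 output to catch exactly the condition reported in this message. A Signature whose KeyInfo carries only a bare KeyValue gives a verifier nothing to chain to the CA passed with --trusted-pem; any key can sign a document and present its own KeyValue, so such a signature is only as good as out-of-band trust in that key. The script parses a signed document and reports whether X509Data was actually populated, whether X509Certificate base64-decodes to something DER-shaped, or whether only KeyValue is present. The two sample documents are constructed for this example and modelled on the output quoted in the post; the "certificate" in the second one is a placeholder byte string, not a real X.509 certificate, and keyinfo_status(), make_signed_doc() and the sample names are this example's own.

```python
"""Post-signing sanity check for xmlsec1 output (added example, not part of
the original post or of xmlsec): report whether ds:KeyInfo carries a
populated X509Data or only a bare KeyValue."""
import base64
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG}


def keyinfo_status(signed_xml: str) -> dict:
    """Inspect ds:KeyInfo of a signed document and classify it.

    verdict is one of:
      "ok"        X509Certificate present and base64-decodes to DER (0x30 SEQUENCE tag)
      "bare-key"  only KeyValue is usable; a verifier cannot chain this to a trusted CA
      "no-key"    neither a certificate nor a KeyValue was found
    """
    root = ET.fromstring(signed_xml)
    keyinfo = root.find(".//ds:Signature/ds:KeyInfo", NS)
    result = {"has_keyvalue": False, "x509_fields": [], "cert_is_der": None, "verdict": "no-key"}
    if keyinfo is None:
        return result

    modulus = keyinfo.find("ds:KeyValue/ds:RSAKeyValue/ds:Modulus", NS)
    result["has_keyvalue"] = modulus is not None and bool((modulus.text or "").strip())

    x509data = keyinfo.find("ds:X509Data", NS)
    if x509data is not None:
        for child in x509data:
            local = child.tag.split("}", 1)[-1]
            # X509IssuerSerial carries sub-elements, so "populated" means text or children
            populated = bool((child.text or "").strip()) or len(child) > 0
            if not populated:
                continue
            result["x509_fields"].append(local)
            if local == "X509Certificate":
                try:
                    der = base64.b64decode("".join((child.text or "").split()), validate=True)
                    result["cert_is_der"] = len(der) > 0 and der[0] == 0x30
                except ValueError:  # binascii.Error is a ValueError subclass
                    result["cert_is_der"] = False

    if result["cert_is_der"]:
        result["verdict"] = "ok"
    elif result["has_keyvalue"]:
        result["verdict"] = "bare-key"
    return result


def make_signed_doc(x509data_body: str) -> str:
    """Constructed signed document modelled on the xmlsec1 output in the post."""
    return f"""<?xml version="1.0"?>
<References>
  <Book><Title>Applied Cryptography</Title></Book>
  <Signature xmlns="{DSIG}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="{DSIG}rsa-sha1"/>
      <Reference URI="">
        <Transforms><Transform Algorithm="{DSIG}enveloped-signature"/></Transforms>
        <DigestMethod Algorithm="{DSIG}sha1"/>
        <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS</SignatureValue>
    <KeyInfo>
      <X509Data>{x509data_body}</X509Data>
      <KeyValue><RSAKeyValue>
        <Modulus>vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd</Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue></KeyValue>
    </KeyInfo>
  </Signature>
</References>"""


# What the post reports: X509Data emitted with nothing but whitespace inside.
EMPTY_X509_DOC = make_signed_doc("\n      \n      ")

# Placeholder "certificate": a DER SEQUENCE header over 16 zero bytes, NOT a real X.509 cert.
PLACEHOLDER_CERT_DER = b"\x30\x10" + b"\x00" * 16
CERT_X509_DOC = make_signed_doc(
    "<X509SubjectName>/C=CL/O=littlecryptographer/CN=John Smith</X509SubjectName>"
    "<X509Certificate>" + base64.b64encode(PLACEHOLDER_CERT_DER).decode() + "</X509Certificate>"
)

if __name__ == "__main__":
    for name, doc in (("empty X509Data", EMPTY_X509_DOC), ("populated X509Data", CERT_X509_DOC)):
        print(name, "->", keyinfo_status(doc))
```

Run it against the real xmlsec1 output by reading the signed file into keyinfo_status(); a "bare-key" verdict on a document you expected to carry a certificate is the signal that the template's X509Data children were not filled in, and such a document should not be released to a verifier that relies on --trusted-pem.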