[xmlsec] Signing a document with an X509 certificate doesn't populate the X509Data node
Aleksey Sanin
aleksey at aleksey.com
Wed Feb 23 11:57:58 PST 2011
Thanks for the update. If you have a second, could you please try to run
the openssl pkcs12 command on the Mac
to see the contents of the usercert.p12 file?
Aleksey
On 2/23/11 11:54 AM, Nigel Ramsay wrote:
> Hi Aleksey
>
> As I suggested, I tried it on Ubuntu - and it just worked.
>
> It must have been a "mac thing".
>
> I've now gone and repeated the exact same steps on both Ubuntu 10.4 and
> OSX 10.6 with differing results - the Ubuntu version produced the
> required output, while the Mac version did not.
>
> For those who are interested, these are the simple steps I followed:
>
> *Mac*
>
> port install xmlsec
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
> unzip keysncerts.zip
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
> xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml
>
> *Ubuntu*
>
> apt-get install xmlsec1
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
> unzip keysncerts.zip
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
> xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml
>
> So anyway - thanks Aleksey for a very handy tool. There's nothing else
> out there like it. Certainly nothing in "Ruby land" where we do most
> of our work.
>
> Cheers
>
> Nigel
>
> On Thu, Feb 24, 2011 at 8:33 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Make sure that you actually have *both* private key and
> certificate in the usercert.p12
>
> Aleksey
>
>
> On 2/23/11 11:24 AM, Nigel Ramsay wrote:
>> Hi
>>
>> We are trying to sign an XML document with an X509 certificate,
>> but are having problems getting the X509Data node populated.
>>
>> We are following Philippe Camacho's tutorial here:
>> http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7
>>
>> The command that we use is copied from the tutorial, and we are
>> using the keysncerts.zip file that contains the appropriate keys
>> and certificates.
>>
>> The command (using v 1.2.16 on Mac OSX 10.6) is:
>> xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem --pwd hello doc-x509.xml
>>
>> The contents of doc-x509.xml (the document we are trying to sign) are:
>> <References>
>>   <Book>
>>     <Author>
>>       <FirstName>Bruce</FirstName>
>>       <LastName>Schneier</LastName>
>>     </Author>
>>     <Title>Applied Cryptography</Title>
>>   </Book>
>>   <Web>
>>     <Title>XMLSec</Title>
>>     <Url>http://www.aleksey.com/xmlsec/</Url>
>>   </Web>
>>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>     <SignedInfo>
>>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <Reference URI="">
>>         <Transforms>
>>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>         </Transforms>
>>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>         <DigestValue></DigestValue>
>>       </Reference>
>>     </SignedInfo>
>>     <SignatureValue/>
>>     <KeyInfo>
>>       <X509Data>
>>         <X509SubjectName/>
>>         <X509IssuerSerial/>
>>         <X509Certificate/>
>>       </X509Data>
>>       <KeyValue/>
>>     </KeyInfo>
>>   </Signature>
>> </References>
>>
>> We get this output from running the command:
>>
>> <?xml version="1.0"?>
>> <References>
>>   <Book>
>>     <Author>
>>       <FirstName>Bruce</FirstName>
>>       <LastName>Schneier</LastName>
>>     </Author>
>>     <Title>Applied Cryptography</Title>
>>   </Book>
>>   <Web>
>>     <Title>XMLSec</Title>
>>     <Url>http://www.aleksey.com/xmlsec/</Url>
>>   </Web>
>>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>     <SignedInfo>
>>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>       <Reference URI="">
>>         <Transforms>
>>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>         </Transforms>
>>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>         <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
>>       </Reference>
>>     </SignedInfo>
>>     <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
>> lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
>> twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
>>     <KeyInfo>
>>       <X509Data>
>>       </X509Data>
>>       <KeyValue>
>>         <RSAKeyValue>
>>           <Modulus>
>> vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
>> aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
>> GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
>>           </Modulus>
>>           <Exponent>
>> AQAB
>>           </Exponent>
>>         </RSAKeyValue>
>>       </KeyValue>
>>     </KeyInfo>
>>   </Signature>
>> </References>
>>
>> As you can see, the X509Data node is blank.
>>
>> We have tried including the --print-xml-debug option, and this
>> shows a number of fields, including:
>>
>> <X509Data>
>>   <KeyCertificate>
>>     <SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith at hello.com</SubjectName>
>>     <IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=lostilos at free.fr</IssuerName>
>>     <SerialNumber>11E</SerialNumber>
>>   </KeyCertificate>
>> </X509Data>
>>
>> We have also tried these commands with our own generated keys,
>> and different XML files too. We get the same result each time.
>>
>> I have searched this mailing list, and note that Braja Biswal had
>> a similar problem:
>> http://www.aleksey.com/pipermail/xmlsec/2009/008672.html
>>
>> We would really appreciate any help, as we seem to be out of
>> ideas. Our last idea is to try the same approach using Ubuntu -
>> perhaps this is "a Mac thing". We used MacPorts to install Xmlsec.
>>
>> Thanks
>>
>> Nigel
>>
>> --
>> Nigel Ramsay
>> Principal Consultant
>> Able Technology
>>
>> 04 910 3100
>> 021 323 990
>> http://www.abletech.co.nz
>> http://nigel.ramsay.org.nz
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
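Following Aleksey's suggestion, here is an added example (it is not part of the thread and not xmlsec's own code): a small POSIX shell script that uses the openssl CLI to count the private keys and certificates inside a PKCS#12 bundle, and then checks whether a signed document's <X509Data> actually received an <X509Certificate>. It assumes openssl is on PATH; the file names and the "hello" password are the ones from the tutorial commands quoted above, the two XML fragments are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from xmlsec. Assumes the openssl CLI
# is on PATH; file names below are placeholders/tutorial names.

# Dump part of a PKCS#12 file. OpenSSL 3 refuses the RC2/40-bit encryption
# that older tools used for .p12 files unless the legacy provider is loaded,
# so retry with -legacy when the plain parse fails (on OpenSSL 1.x the retry
# simply fails too, which is harmless).
p12_dump() {
  p12_file="$1"; p12_pass="$2"; shift 2
  openssl pkcs12 -in "$p12_file" -passin "pass:$p12_pass" "$@" 2>/dev/null \
    || openssl pkcs12 -legacy -in "$p12_file" -passin "pass:$p12_pass" "$@" 2>/dev/null
}

# Count private keys and certificates in the bundle. Returns 0 only when both
# are present: xmlsec1 --pkcs12 needs the key to sign and the certificate to
# fill in <X509Certificate>, so a bundle without a certificate cannot populate
# <X509Data> no matter what the template asks for.
p12_check() {
  n_keys=$(p12_dump "$1" "$2" -nocerts -nodes | grep -c 'BEGIN .*PRIVATE KEY' || true)
  n_certs=$(p12_dump "$1" "$2" -nokeys | grep -c 'BEGIN CERTIFICATE' || true)
  echo "$1: $n_keys private key(s), $n_certs certificate(s)"
  [ "$n_keys" -ge 1 ] && [ "$n_certs" -ge 1 ]
}

# After something like
#   xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem \
#           --pwd hello doc-x509.xml > signed.xml
# confirm that <X509Certificate> carries data. xmlsec1 line-wraps the base64,
# so join the lines before matching. Returns 0 if populated, 1 if empty.
x509data_populated() {
  tr -d '\n\r' < "$1" | grep -q '<X509Certificate>[^<][^<]*</X509Certificate>'
}

# --- stand-alone demo on constructed input (no real PKCS#12 needed) ---
demo_dir=$(mktemp -d)
# The empty node from the thread's output versus a populated one (constructed).
cat > "$demo_dir/empty.xml" <<'EOF'
<KeyInfo><X509Data>
</X509Data></KeyInfo>
EOF
cat > "$demo_dir/filled.xml" <<'EOF'
<KeyInfo><X509Data><X509Certificate>constructedBase64Placeholder==
AQAB</X509Certificate></X509Data></KeyInfo>
EOF
for f in empty filled; do
  if x509data_populated "$demo_dir/$f.xml"; then
    echo "$f.xml: X509Data populated"
  else
    echo "$f.xml: X509Data empty, check the bundle with p12_check"
  fi
done
# With a real bundle (placeholder path/password from the tutorial):
#   p12_check keysncerts/usercert.p12 hello
```

If p12_check reports a private key but no certificate, xmlsec1 has nothing to put into <X509Data>; re-exporting the bundle with both parts (for example `openssl pkcs12 -export -in cert.pem -inkey key.pem -out usercert.p12`, file names assumed) is the fix rather than any change to the template. The -legacy retry only matters on OpenSSL 3, where a .p12 produced by older tooling fails to parse without it.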