[xmlsec] Signing a document with an X509 certificate doesn't populate the X509Data node

Nigel Ramsay nigel.ramsay at abletech.co.nz
Wed Feb 23 12:43:29 PST 2011


Sure...

Not entirely sure on the exact syntax to use. This is what we got:

openssl pkcs12 -info -in keysncerts/usercert.p12

Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C
subject=/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith at hello.com
issuer=/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=lostilos at free.fr
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7 82 8C
Key Attributes: <No Attributes>

It then prompts for a password:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

I entered "password" and got this...

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,058FCED319755EBF

-----END RSA PRIVATE KEY-----

On Thu, Feb 24, 2011 at 8:57 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:

>  Thanks for the update. If you have a second, could you please try to run
> the openssl pkcs12 command on Mac to see the content of the usercert.p12 file?
>
> Aleksey
>
>
> On 2/23/11 11:54 AM, Nigel Ramsay wrote:
>
> Hi Aleksey
>
>  As I suggested, I tried it on Ubuntu - and it just worked.
>
>  It must have been a "mac thing".
>
>  I've now gone and repeated the exact same steps on both Ubuntu 10.4 and OSX
> 10.6 with differing results - the Ubuntu version produced the required
> output, while the Mac version did not.
>
>  For those who are interested, these are the simple steps I followed:
>
>  *Mac*
>
>  port install xmlsec
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
> unzip keysncerts.zip
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
> xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem
> keysncerts/cacert.pem --pwd hello doc-x509.xml
>
>  *Ubuntu*
>
>  apt-get install xmlsec1
>  wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
> unzip keysncerts.zip
> wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
> xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem
> keysncerts/cacert.pem --pwd hello doc-x509.xml
>
>  So anyway - thanks Aleksey for a very handy tool. There's nothing else
> out there like it. Certainly nothing in "Ruby land" where we do most of our
> work.
>
>  Cheers
>
>  Nigel
>
>
> On Thu, Feb 24, 2011 at 8:33 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>>  Make sure that you actually have *both* private key and certificate in
>> the usercert.p12
>>
>> Aleksey
>>
>> On 2/23/11 11:24 AM, Nigel Ramsay wrote:
>>
>>  Hi
>>
>>  We are trying to sign an XML document with an X509 certificate, but are
>> having problems getting the X509Data node populated.
>>
>>  We are following Philippe Camacho's tutorial here:
>> http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7
>>
>>  The command that we use is copied from the tutorial, and we are using
>> the keysncerts.zip file that contains the appropriate keys and
>> certificates.
>>
>>  The command (using v 1.2.16 on Mac OSX 10.6) is:
>> xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem --pwd hello
>> doc-x509.xml
>>
>>  The contents of doc-x509.xml (the document we are trying to sign) are:
>>  <References>
>>  <Book>
>>   <Author>
>>    <FirstName>Bruce</FirstName>
>>    <LastName>Schneier</LastName>
>>   </Author>
>>   <Title>Applied Cryptography</Title>
>>  </Book>
>>  <Web>
>>   <Title>XMLSec</Title>
>>   <Url>http://www.aleksey.com/xmlsec/</Url>
>>  </Web>
>>  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>   <SignedInfo>
>>    <CanonicalizationMethod Algorithm=
>>     "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>    <SignatureMethod Algorithm=
>>     "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>    <Reference URI="">
>>     <Transforms>
>>      <Transform Algorithm=
>>       "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>     </Transforms>
>>     <DigestMethod Algorithm=
>>       "http://www.w3.org/2000/09/xmldsig#sha1"/>
>>      <DigestValue></DigestValue>
>>    </Reference>
>>   </SignedInfo>
>>   <SignatureValue />
>>   <KeyInfo>
>>    <X509Data >
>>     <X509SubjectName/>
>>     <X509IssuerSerial/>
>>     <X509Certificate/>
>>    </X509Data>
>>    <KeyValue />
>>   </KeyInfo>
>>  </Signature>
>> </References>
>>
>>  We get this output from running the command:
>>
>>  <?xml version="1.0"?>
>> <References>
>>     <Book>
>>         <Author>
>>             <FirstName>Bruce</FirstName>
>>              <LastName>Schneier</LastName>
>>         </Author>
>>         <Title>Applied Cryptography</Title>
>>     </Book>
>>     <Web>
>>         <Title>XMLSec</Title>
>>         <Url>http://www.aleksey.com/xmlsec/</Url>
>>     </Web>
>>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>         <SignedInfo>
>>             <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>                 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>                 <Reference URI="">
>>                 <Transforms>
>>                     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>                 </Transforms>
>>                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>                 <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
>>             </Reference>
>>         </SignedInfo>
>>
>>  <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
>> lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
>> twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
>>
>>         <KeyInfo>
>>             <X509Data>
>>
>>
>>
>>             </X509Data>
>>             <KeyValue>
>> <RSAKeyValue>
>> <Modulus>
>> vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
>> aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
>> GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
>> </Modulus>
>> <Exponent>
>> AQAB
>> </Exponent>
>> </RSAKeyValue>
>> </KeyValue>
>>         </KeyInfo>
>>
>>     </Signature>
>> </References>
>>
>>  As you can see, the X509Data node is blank.
>>
>>  We have tried including the --print-xml-debug option, and this shows a
>> number of fields, including:
>>
>>  <X509Data>
>> <KeyCertificate>
>> <SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=jsmith at hello.com</SubjectName>
>> <IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe Camacho/emailAddress=lostilos at free.fr</IssuerName>
>> <SerialNumber>11E</SerialNumber>
>> </KeyCertificate>
>> </X509Data>
>>
>>  We have also tried these commands with our own generated keys, and
>> different XML files too. We get the same result each time.
>>
>>  I have searched this mailing list, and note that Braja Biswal had a
>> similar problem:
>> http://www.aleksey.com/pipermail/xmlsec/2009/008672.html
>>
>>  We would really appreciate any help, as we seem to be out of ideas. Our
>> last idea is to try the same approach using Ubuntu - perhaps this is "a Mac
>> thing". We used MacPorts to install Xmlsec.
>>
>>  Thanks
>>
>>  Nigel
>>
>>
>> --
>> Nigel Ramsay
>> Principal Consultant
>> Able Technology
>>
>> 04 910 3100
>> 021 323 990
>> http://www.abletech.co.nz
>> http://nigel.ramsay.org.nz
>


-- 
Nigel Ramsay
Principal Consultant
Able Technology

04 910 3100
021 323 990
http://www.abletech.co.nz
http://nigel.ramsay.org.nz
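Since xmlsec1 exits cleanly even when it leaves the X509Data placeholders blank (the Mac result in this thread), a post-signing check is worth having in any pipeline that depends on the certificate being embedded. The script below is an added example, not code from the thread or from xmlsec itself: it uses only the Python standard library to parse a signed document and report which parts of the ds:Signature template were left unfilled. The two sample documents are constructed to mirror the thread's output; their SignatureValue and X509Certificate contents are dummy bytes, not a real signature or certificate.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"


def _b64(text):
    """Decode whitespace-tolerant base64; None if the node is empty or not base64."""
    compact = "".join((text or "").split())
    try:
        return base64.b64decode(compact, validate=True) if compact else None
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def check_signed_document(xml_text):
    """List the signature-template parts xmlsec1 left unfilled; [] means all populated."""
    sig = ET.fromstring(xml_text).find(f".//{DS}Signature")
    if sig is None:
        return ["no ds:Signature element"]
    problems = []
    for path in (f"{DS}SignedInfo/{DS}Reference/{DS}DigestValue", f"{DS}SignatureValue"):
        node = sig.find(path)
        if node is None or _b64(node.text) is None:
            problems.append(path.rsplit("}", 1)[1] + " missing or empty")
    x509 = sig.find(f"{DS}KeyInfo/{DS}X509Data")
    if x509 is None:
        return problems + ["KeyInfo has no X509Data"]
    cert = x509.find(f"{DS}X509Certificate")
    der = _b64(cert.text) if cert is not None else None
    if der is None:
        problems.append("X509Certificate missing or empty")
    elif der[0] != 0x30:  # a DER certificate always starts with a SEQUENCE tag
        problems.append("X509Certificate is not DER")
    for name in ("X509SubjectName", "X509IssuerSerial"):
        node = x509.find(f"{DS}{name}")
        if node is None or (len(node) == 0 and not (node.text or "").strip()):
            problems.append(f"{name} missing or empty")
    return problems


# Constructed samples (dummy signature and certificate bytes) so this runs offline.
SIG_B64 = base64.b64encode(b"constructed signature bytes").decode()
CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()  # bare DER SEQUENCE, not a cert
HEAD = ('<References><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
        '<Reference URI=""><DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue></Reference>'
        f'</SignedInfo><SignatureValue>{SIG_B64}</SignatureValue><KeyInfo>')
TAIL = "</KeyInfo></Signature></References>"
EMPTY_X509 = HEAD + "<X509Data>\n\n</X509Data>" + TAIL  # the Mac result from the thread
FULL_X509 = HEAD + ("<X509Data><X509SubjectName>CN=John Smith</X509SubjectName><X509IssuerSerial>"
                    "<X509IssuerName>CN=Philippe Camacho</X509IssuerName><X509SerialNumber>286</X509SerialNumber>"
                    f"</X509IssuerSerial><X509Certificate>{CERT_B64}</X509Certificate></X509Data>") + TAIL
```

Run `check_signed_document` on the file xmlsec1 wrote and fail the build if the list is non-empty; a document with an empty X509Data still carries a valid signature, but verifiers have no certificate to chain to.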