[xmlsec] X509SubjectName use case

Benjamin Dauvergne bdauvergne at entrouvert.com
Wed May 18 16:15:55 PDT 2011


I have a question about a use case where I do not see how to use 
libxmlsec:
 - shibboleth (an implementation of SAML2) uses a metadata file to 
   declare trusted cryptographic keys between services; a KeyInfo can be 
   used to designate the subject name of the certificate which should be 
   used to sign some XML content; each message is thus accompanied by 
   a KeyInfo with the full certificate included,
 - at signature validation time, two operations must be made:
    - check that the signature is made with a certificate which belongs 
      to a trusted CA; I already know how to do this by stuffing such a 
      CA in an xmlSecKeysMngr which is passed to xmlSecDSigCtx
    - check that the certificate has the required subject name.

I'm looking into implementing this use case with libxmlsec especially 
the last operation.

In this regard, I would like to know how to make a kind of xmlSecKey that 
I can pass to the xmlSecDSigCtx structure so that it only checks the 
name of the certificate but does not force a certain key and lets the key 
store do its job of validating the certificate.

Currently my impression is that I can only do this by hand or by 
stuffing the certificate included in a signature into an xmlSecKeysMngr 
and then rereading the metadata file so that the 
X509Data/X509SubjectName can be resolved, which in my own view is 
a complete reversal of the logical workflow to use, in which resolution 
of the subject name would be done in the signature validation code (i.e. 
inside xmlSecDSigCtxVerify).
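Added example (editor's note, not part of the post and not libxmlsec code): the second
check the post asks for, written out in plain Python so the workflow is visible. It takes
the ds:X509Certificate carried in the message's KeyInfo, walks its DER down to the
subject, and requires that subject to be one the SAML metadata declares in an
X509SubjectName for the issuing entity. The point of the second check is the one the post
implies: chain validation alone accepts any certificate the trusted CA has issued, so a
certificate issued by the same CA to a different entity would otherwise pass. Assumptions:
the first check (chain validation by the keys manager) has already been done elsewhere;
X509SubjectName is written in RFC 4514 order (most specific attribute first) and compared
attribute by attribute after parsing, not as a raw string; the DER walker accepts only
definite lengths and does no validation beyond locating the subject; the metadata, the
message and the certificate skeletons (unsigned, no key) are constructed here purely to
exercise the code.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All TLVs directly inside a constructed value, in order."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def subject_rdns(cert_der):
    """Walk Certificate -> tbsCertificate -> subject; return [(TYPE, value)] in DER order."""
    fields = children(tlv(tlv(cert_der)[1])[1])
    if fields[0][0] == 0xA0:                            # explicit [0] version is OPTIONAL
        fields = fields[1:]
    rdns = []                                           # fields: serial, sigAlg, issuer, validity, subject, ...
    for _, rdn_set in children(fields[4][1]):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            oid = decode_oid(oid)
            rdns.append((OID_NAMES.get(oid, oid).upper(), value.decode("utf-8")))
    return rdns

def parse_dn(text):
    """RFC 4514 string 'CN=a,O=b,C=c' (backslash escapes honoured) -> [(TYPE, value)] in DER order."""
    parts, cur, esc = [], "", False
    for ch in text:
        if esc or ch not in "\\,":
            cur, esc = cur + ch, False
        elif ch == "\\":
            esc = True
        else:                                           # unescaped comma separates RDNs
            parts.append(cur)
            cur = ""
    parts.append(cur)
    pairs = [p.strip().split("=", 1) for p in parts if "=" in p]
    return [(t.strip().upper(), v) for t, v in reversed(pairs)]

def trusted_subjects(metadata_xml):
    """entityID -> list of subject names declared for that entity's signing certificates."""
    out = {}
    for ent in ET.fromstring(metadata_xml).iter(f"{MD}EntityDescriptor"):
        names = out.setdefault(ent.get("entityID"), [])
        for kd in ent.iter(f"{MD}KeyDescriptor"):
            if kd.get("use", "signing") == "signing":   # no 'use' attribute means signing and encryption
                names += [parse_dn(e.text.strip()) for e in kd.iter(f"{DS}X509SubjectName")]
    return out

def subject_matches(message_xml, issuer, trusted):
    """Second check from the post: the certificate carried in ds:KeyInfo must bear a subject the
    metadata declares for `issuer`. Run it after the keys manager has accepted the chain (first check)."""
    cert = ET.fromstring(message_xml).find(f".//{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    return cert is not None and subject_rdns(base64.b64decode(cert.text)) in trusted.get(issuer, [])

# ---- constructed sample data: unsigned certificate skeletons and toy metadata, not real artefacts ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(subject):
    """Only the fields subject_rdns walks; attribute types are given as the last arc of 2.5.4.x."""
    name = lambda rdns: der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, bytes([85, 4, x])) + der(0x0C, v.encode()))) for x, v in rdns))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, bytes([85, 4, 3])))
           + name([(3, "Example CA")]) + der(0x30, der(0x17, b"110518000000Z") * 2) + name(subject) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def message_with_cert(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return (f'<Response xmlns:ds="{DS[1:-1]}"><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Response>')

METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <EntityDescriptor entityID="https://idp.example.org/saml"><IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo>
  <ds:X509Data><ds:X509SubjectName>CN=idp.example.org,O=Example Org,C=FR</ds:X509SubjectName></ds:X509Data>
 </ds:KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor></EntitiesDescriptor>"""
IDP = "https://idp.example.org/saml"
TRUSTED = trusted_subjects(METADATA)
GOOD = message_with_cert(fake_cert([(6, "FR"), (10, "Example Org"), (3, "idp.example.org")]))
ROGUE = message_with_cert(fake_cert([(6, "FR"), (10, "Example Org"), (3, "sp.example.org")]))  # same CA, other subject

if __name__ == "__main__":
    print(subject_matches(GOOD, IDP, TRUSTED), subject_matches(ROGUE, IDP, TRUSTED))   # True False
```

The ROGUE message is the case the first check cannot catch on its own: its certificate
would chain to the same CA, and only the subject comparison against the metadata rejects
it. Comparing parsed RDNs rather than the X509SubjectName string avoids false mismatches
from escaping or whitespace differences; in production, hand the comparison to the X.509
library's own name comparison rather than to string code.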

