[xmlsec] X509SubjectName use case
aleksey at aleksey.com
Wed May 18 20:01:26 PDT 2011
After the verification, the signature context contains all the information
about the process including a pointer to the key (signKey) which in its
turn has all the data about the key including the key's cert (dataList).
On 5/18/11 4:15 PM, Benjamin Dauvergne wrote:
> I have a question about a use case where I do not see how to use
> - shibboleth (an implementation of SAML2) is using a metadata file to
> declare trusted cryptographic keys between services; a KeyInfo can be
> used to designate the subject name of the certificate which should be
> used to sign some XML content, each message is thus accompanied by
> a KeyInfo with the full certificate included,
> - at signature validation time, two operations must be made:
> - check that the signature is made with a certificate which belongs
> to a trusted CA; I already know how to do this by stuffing such a
> CA in an xmlSecKeysMngr which is passed to xmlSecDSigCtx
> - check that the certificate has the required subject name,
> I'm looking into implementing this use case with libxmlsec, especially
> the last operation.
> In this regard I would like to know how to make a kind of xmlSecKey that
> I can pass to the xmlSecDSigCtx structure so that it only checks the
> name of the certificate but does not force a certain key and lets the key
> store do its job of validating the certificate.
> Currently my impression is that I can only do this by hand or by
> stuffing the certificate included in a signature into an xmlSecKeysMngr
> and then rereading the metadata file so that the
> X509Data/X509SubjectName can be resolved, which in my own view is
> a complete reversal of the logical workflow to use, in which resolution
> of the subject name would be done in the signature validation code (i.e.
> inside xmlSecDSigCtxVerify).