[xmlsec] X509SubjectName use case

Aleksey Sanin aleksey at aleksey.com
Wed May 18 20:01:26 PDT 2011


After the verification, the signature context contains all the information
about the process including a pointer to the key (signKey) which in its
turn has all the data about the key including the key's cert (dataList).

Aleksey


On 5/18/11 4:15 PM, Benjamin Dauvergne wrote:
> I have a question about a use case where I do not see how to use
> libxmlsec:
>   - shibboleth (an implementation of SAML2) is using a metadata file to
>     declare trusted cryptographic keys between services; a KeyInfo can be
>     used to designate the subject name of the certificate which should be
>     used to sign some XML content, each message is thus accompanied by
>     a KeyInfo with the full certificate included,
>   - at signature validation time, two operations must be made:
>      - check that the signature is made with a certificate which belongs
>        to a trusted CA; I already know how to do this by stuffing such a
>        CA in an xmlSecKeysMngr which is passed to xmlSecDSigCtx
>      - check that the certificate has the required subject name,
>
> I'm looking into implementing this use case with libxmlsec especially
> the last operation.
>
> In regards I would like to know how to make a kind of xmlSecKey that
> I can pass to the xmlSecDSigCtx structure so that it only checks the
> name of the certificate but does not force a certain key and let the key
> store doing its job of validating the certificate.
>
> Currently my impression is that I can only do this by hand or by
> stuffing the certificate included in a signature into an xmlSecKeysMngr
> and then rereading the metadata file so that the
> X509Data/X509SubjectName can be resolved, which in my own view is
> a complete reversal of the logical workflow to use in which resolution
> of the subject-name would be done at signature validation code (i.e.
> inside xmlSecDSigCtxVerify).
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

