[xmlsec] Unable to find key

Kurt Roeckx kurt at roeckx.be
Sun Nov 25 11:24:28 PST 2012


On Sun, Nov 25, 2012 at 09:36:31AM -0800, Aleksey Sanin wrote:
> Simplest way would probably be to extract the public key from
> the certificate using openssl command line tools and then load
> it from a PEM file into xmlsec.

So I did openssl x509 with "-noout -pubkey" and stored it in
a file.  I loaded that key with xmlSecCryptoAppKeyLoad(),
generated the fingerprint for the cert file and set that
with xmlSecKeySetName().

However the xmlSecDSigCtxVerify() call now gives me:
func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

And I'm not sure if I'm doing the correct thing or that it really
failed to verify.

If I understand the message correctly, the DigestValue was probably
correct, it's just that the signature didn't verify?  From what I
understand I should be able to verify this with:
openssl dgst -sha256 -verify pubkey.pem -signature sigfile datafile

I already created the pubkey.pem file as before.

I took the SignatureValue and ran "base64 -d" on
that and stored it in the sigfile.  I created what I think
is the canonical version of the xml file, and when I run
dgst I got: "Verification Failure".

Is that the right way to check it using openssl?

I'm starting to get convinced that the file I'm getting
isn't properly signed, or not with the key they claim it's
signed with.


Kurt
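
Added example, not part of the original message or of xmlsec: in XML-DSig the DigestValue is the hash of the referenced data, while the SignatureValue is computed over the canonicalized SignedInfo element, so SignedInfo is the input that "openssl dgst -verify" has to be given. The key, payload and SignedInfo below are constructed; for a real document the canonical SignedInfo has to be produced with the canonicalization algorithm the document names.

```shell
#!/bin/sh
# Added example. The key, payload and SignedInfo are all constructed here.
DS='http://www.w3.org/2000/09/xmldsig#'

# check_sig PUBKEY SIGFILE SIGNED_BYTES -> prints "ok" or "fail"
check_sig() {
    if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

demo() {
    d=$(mktemp -d) || return 1
    # Throwaway RSA key pair standing in for the signer's certificate key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/key.pem" 2>/dev/null
    openssl pkey -in "$d/key.pem" -pubout -out "$d/pubkey.pem"

    # Constructed payload (already canonical) and its DigestValue.
    printf '%s' '<doc Id="payload">hello</doc>' > "$d/datafile"
    digest=$(openssl dgst -sha256 -binary "$d/datafile" | openssl base64 -A)

    # SignedInfo written directly in canonical form: no XML declaration,
    # empty elements as start/end pairs, no whitespace between elements.
    {
        printf '<SignedInfo xmlns="%s">' "$DS"
        printf '<CanonicalizationMethod Algorithm="%s"></CanonicalizationMethod>' \
            'http://www.w3.org/2001/10/xml-exc-c14n#'
        printf '<SignatureMethod Algorithm="%s"></SignatureMethod>' \
            'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        printf '<Reference URI="#payload">'
        printf '<DigestMethod Algorithm="%s"></DigestMethod>' \
            'http://www.w3.org/2001/04/xmlenc#sha256'
        printf '<DigestValue>%s</DigestValue></Reference></SignedInfo>' "$digest"
    } > "$d/signedinfo.c14n"

    # Signer side: RSA-SHA256 over SignedInfo, stored base64 as SignatureValue.
    sigvalue=$(openssl dgst -sha256 -sign "$d/key.pem" "$d/signedinfo.c14n" |
        openssl base64 -A)

    # Verifier side: decode SignatureValue, then try both candidate inputs.
    printf '%s\n' "$sigvalue" | openssl base64 -d -A > "$d/sigfile"
    r1=$(check_sig "$d/pubkey.pem" "$d/sigfile" "$d/signedinfo.c14n")
    r2=$(check_sig "$d/pubkey.pem" "$d/sigfile" "$d/datafile")
    rm -rf "$d"
    echo "signedinfo=$r1 datafile=$r2"
}

demo
```

The same signature and public key verify over the canonical SignedInfo and fail over the data file, so a "Verification Failure" from dgst only says something about the signer's key once the input bytes are known to be the canonical SignedInfo.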


