[xmlsec] How to ignore KeyInfo/X509Data in response

Jeffrey Jin (jefjin) jefjin at cisco.com
Tue May 21 21:02:46 PDT 2013

Hi All,

We are using XMLSec to handle XML signature and encryption in SAML 1.0 and 2.0 protocols. We are pre-configed the configuration data such as IDP certificate using metadata. So even the response include "KeyInfo/X509Data", we will ignore it then using local  pre-config certificate to verify it and we assume SP totally trust this certificate.  So also we won't use CA certificate to verify  the pre-config certificate's legitimacy.

I dig into code then find:

/* ignore <dsig:KeyInfo /> if there is the key is already set */
    /* todo: throw an error if key is set and node != NULL? */
    if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
                        && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
        dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));

Does it means I need to set dsigCtx->signKey? And what's meaning of dsigCtx->signKey? Is it private key from IDP? (we never can get private key from IDP). How can I meet this requirement by xmlsec?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20130522/ed5c156a/attachment.html>

More information about the xmlsec mailing list