[xmlsec] How to ignore KeyInfo/X509Data in response
Jeffrey Jin (jefjin)
jefjin at cisco.com
Tue May 21 21:02:46 PDT 2013
Hi All,
We are using XMLSec to handle XML signature and encryption in the SAML 1.0 and 2.0 protocols. We pre-configure the configuration data, such as the IDP certificate, using metadata. So even if the response includes "KeyInfo/X509Data", we will ignore it and use the local pre-configured certificate to verify it, and we assume the SP totally trusts this certificate. Also, we won't use a CA certificate to verify the pre-configured certificate's legitimacy.
I dug into the code and found:
    /* ignore <dsig:KeyInfo /> if there is the key is already set */
    /* todo: throw an error if key is set and node != NULL? */
    if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
       && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
        dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
    }
Does it mean I need to set dsigCtx->signKey? And what's the meaning of dsigCtx->signKey? Is it the private key from the IDP? (We can never get the private key from the IDP.) How can I meet this requirement with xmlsec?
Thanks,
Jeffrey