[xmlsec] How to ignore KeyInfo/X509Data in response
Jeffrey Jin (jefjin)
jefjin at cisco.com
Tue May 21 21:14:21 PDT 2013
Thanks Aleksey for the quick response. I will try it.
I have another question: how to disable certificate validation in xmlsec?
On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>If you know the public key in advance then you can set it in xmlDsigCtx
>
>Aleksey
>
>On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>> Hi All,
>>
>> We are using XMLSec to handle XML signature and encryption in the SAML 1.0
>>and 2.0 protocols. We have pre-configured the configuration data, such as the
>>IDP certificate, using metadata. So even if the response includes
>>"KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>certificate to verify it, and we assume the SP totally trusts this
>>certificate. Also, we won't use a CA certificate to verify the
>>pre-configured certificate's legitimacy.
>>
>> I dug into the code and found:
>>
>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>> /* todo: throw an error if key is set and node != NULL? */
>> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>    && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>                                                 &(dsigCtx->keyInfoReadCtx));
>> }
>>
>> Does it mean I need to set dsigCtx->signKey? And what is the meaning of
>>dsigCtx->signKey? Is it the private key from the IDP? (We can never get the
>>private key from the IDP.) How can I meet this requirement with xmlsec?
>>
>>
>> Thanks,
>>
>> Jeffrey
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>