[xmlsec] How to ignore KeyInfo/X509Data in response

Jeffrey Jin (jefjin) jefjin at cisco.com
Tue May 21 21:14:21 PDT 2013

Thanks Aleksey quick response. I will try it.
I have another question: how to disable certificate validation in xmlsec?

On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>If you know the public key in advance then you can set it in xmlDsigCtx
>On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>> Hi All,
>> We are using XMLSec to handle XML signature and encryption in SAML 1.0
>>and 2.0 protocols. We are pre-configed the configuration data such as
>>IDP certificate using metadata. So even the response include
>>"KeyInfo/X509Data", we will ignore it then using local  pre-config
>>certificate to verify it and we assume SP totally trust this
>>certificate.  So also we won't use CA certificate to verify  the
>>pre-config certificate's legitimacy.
>> I dig into code then find:
>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>     /* todo: throw an error if key is set and node != NULL? */
>>     if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr
>>!= NULL)
>>                         && (dsigCtx->keyInfoReadCtx.keysMngr->getKey !=
>>NULL)) {
>>         dsigCtx->signKey =
>>     }
>> Does it means I need to set dsigCtx->signKey? And what's meaning of
>>dsigCtx->signKey? Is it private key from IDP? (we never can get private
>>key from IDP). How can I meet this requirement by xmlsec?
>> Thanks,
>> Jeffrey
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list