[xmlsec] How to ignore KeyInfo/X509Data in response

Aleksey Sanin aleksey at aleksey.com
Tue May 21 21:17:10 PDT 2013


If you set the key in xmldsigctx then it will never get there anyway.

Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
in the xmlsec1 command line tool source code).

Aleksey

On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
> Thanks Aleksey for the quick response. I will try it.
> I have another question: how to disable certificate validation in xmlsec?
> 
> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
> 
>> If you know the public key in advance then you can set it in xmlDsigCtx
>>
>> Aleksey
>>
>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>> Hi All,
>>>
>>> We are using XMLSec to handle XML signature and encryption in the SAML 1.0
>>> and 2.0 protocols. We pre-configure the configuration data, such as the
>>> IDP certificate, using metadata. So even if the response includes
>>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>> certificate to verify it, and we assume the SP totally trusts this
>>> certificate. So we also won't use a CA certificate to verify the
>>> pre-configured certificate's legitimacy.
>>>
>>> I dug into the code and found:
>>>
>>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>> /* todo: throw an error if key is set and node != NULL? */
>>> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>                     && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node, &(dsigCtx->keyInfoReadCtx));
>>> }
>>>
>>> Does it mean I need to set dsigCtx->signKey? And what is the meaning of
>>> dsigCtx->signKey? Is it the private key from the IDP? (We can never get the
>>> private key from the IDP.) How can I meet this requirement with xmlsec?
>>>
>>>
>>> Thanks,
>>>
>>> Jeffrey
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
> 

