[xmlsec] How to ignore KeyInfo/X509Data in response

Jeffrey Jin (jefjin) jefjin at cisco.com
Tue May 21 21:41:43 PDT 2013


Aleksey,

The cert is in the cert/ folder, but I got the error as below:

[jabber at localhost xmlsec-demo]$ ./verify1 example/sample-res.xml cert/cicert.pem
func=xmlSecOpenSSLAppKeyLoadBIO:file=app.c:line=263:obj=unknown:subj=PEM_read_bio_PrivateKey and PEM_read_bio_PUBKEY:error=4:crypto library function failed:
func=xmlSecOpenSSLAppKeyLoad:file=app.c:line=153:obj=unknown:subj=xmlSecOpenSSLAppKeyLoadBIO:error=1:xmlsec library function failed:filename=cert/cicert.pem;errno=0
Error: failed to load public pem key from "cert/cicert.pem"

-Jeffrey



On 5/22/13 12:17 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:

>If you set the key in xmldsigctx then it will never get there anyway.
>
>Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples
>in the xmlsec1 command line tool source code)
>
>Aleksey
>
>On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
>> Thanks, Aleksey, for the quick response. I will try it.
>> I have another question: how do I disable certificate validation in
>> xmlsec?
>> 
>> On 5/22/13 12:10 PM, "Aleksey Sanin" <aleksey at aleksey.com> wrote:
>> 
>>> If you know the public key in advance then you can set it in xmlDsigCtx
>>>
>>> Aleksey
>>>
>>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>>> Hi All,
>>>>
>>>> We are using XMLSec to handle XML signature and encryption in the SAML 1.0
>>>> and 2.0 protocols. We pre-configure the configuration data, such as the
>>>> IDP certificate, from metadata. So even if the response includes
>>>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>>> certificate to verify it, and we assume the SP totally trusts this
>>>> certificate. Also, we won't use a CA certificate to verify the
>>>> pre-configured certificate's legitimacy.
>>>>
>>>> I dug into the code and found:
>>>>
>>>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>>> /* todo: throw an error if key is set and node != NULL? */
>>>> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>>         && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>>>                                 &(dsigCtx->keyInfoReadCtx));
>>>> }
>>>>
>>>> Does it mean I need to set dsigCtx->signKey? And what is the meaning of
>>>> dsigCtx->signKey? Is it the private key from the IDP? (We can never get
>>>> the private key from the IDP.) How can I meet this requirement with xmlsec?
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Jeffrey
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>> 