[xmlsec] Key/cert selected for verification

Aleksey Sanin aleksey at aleksey.com
Mon Jul 1 18:38:09 PDT 2013


1) You are probably looking for the xmlSecMSCryptoKeyDataX509GetKeyCert()
function:

http://www.aleksey.com/xmlsec/api/xmlsec-mscrypto-x509.html#XMLSECMSCRYPTOKEYDATAX509GETKEYCERT

that returns the "raw" crypto-library specific (MSCrypto in this case)
cert data structure. After that you can use native calls to get the
cert subject, etc. There is no "generic" function to do that in xmlsec
since the library doesn't need such function :)

2) "--enabled-key-data" and the dsigCtx->keyInfoReadCtx.enabledKeyData
options define the list of enabled sources for loading the key. If these
parameters are "empty" (not set) then all the sources are allowed.
I would suggest using "key-name" instead of "hmac" and just having
nothing loaded in the keysManager.


Best,

Aleksey

On 6/30/13 11:27 AM, Peter wrote:
> Hi Aleksey
> 
> I am new to xmlsec and have a few questions. I tried to do my homework first
> and went through the documentation and old emails but still have a few
> questions. I will be very grateful if you can find the time to look into
> this please.
> I am using x509 certs and I am using the .18 prebuilt windows version
> 
> 
> FIRST
> ---------
> 
> My first question is very similar to the one posted
> here http://www.aleksey.com/pipermail/xmlsec/2002/004466.html
> I basically want to look at the certificate or the chain that actually
> validated the xml to check the Subject, Issuer, etc. I can't find the
> structures mentioned in that thread, I am guessing the code must have
> changed since then or maybe I am looking in the wrong place. Can you
> please confirm?
> So then I looked at the command line tool code since it prints out the
> info that I need. I followed through the code but I can't find any
> accessible function to pull out the subject/issuer for the certs. I
> found the xmlSecKeyDataGetIdentifier function but it didn't print anything
> for me. It was late and maybe I am doing something wrong but I thought
> I will check with you if I am on the right track
> 
> /////////////////////////////////////////////////////////////
> // key is the signKey from the context
> if (!xmlSecPtrListIsValid(key->dataList))
> {
>     info = "SignKey dataList is not valid";
>     return false;
> }
> 
> // key->dataList->id is the pointer to the xmlSecKeyDataListKlass struct
> if (!xmlSecPtrListCheckId(key->dataList, xmlSecKeyDataListId))
> {
>     info = "SignKey dataList kind is not xmlSecKeyDataListId";
>     return false;
> }
> 
> // "key-data-list"
> InfoLog << " DATALIST kind [" << (char*)key->dataList->id->name << "] size [" << key->dataList->use << "]" << endl;
> 
> xmlSecSize pos;
> for (pos = 0; pos < key->dataList->use; ++pos)
> {
>     ostringstream ss; ss << pos;
>     xmlSecKeyDataPtr value = (xmlSecKeyDataPtr)key->dataList->data[pos];
>     if (value == NULL)
>     {
>         info = "SignKey dataList data[" + ss.str() + "] is not valid";
>         return false;
>     }
> 
>     //key->dataList->id->debugDumpItem(key->dataList->data[pos], stdout);
>     if (!xmlSecKeyDataCheckId(value, xmlSecMSCryptoKeyDataX509Id))
>     {
>         info = "SignKey dataList data[" + ss.str() + "] kind is not xmlSecMSCryptoKeyDataX509Id";
>         return false;
>     }
> 
>     InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] kind [" << (char*)value->id->name << "]" << endl;
> 
>     // guard against a NULL identifier: constructing std::string from NULL is undefined
>     const char* id = (const char*)xmlSecKeyDataGetIdentifier(value);
>     string identifier = (id != NULL) ? id : "";
>     // this did not print anything
>     InfoLog << "SignKey dataList data[" << ss.str().c_str() << "] identifier [" << identifier.c_str() << "]" << endl;
> }
> 
> /* THIS IS THE INFO I AM LOOKING FOR. Is it accessible from outside?
> 
>     xmlSecMSCryptoKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE*
> output) {
>     PCCERT_CONTEXT cert;
>     xmlSecSize size, pos;
> 
>     xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id));
> 
>     fprintf(output, "=== X509 Data:\n");
> 
>     cert = xmlSecMSCryptoKeyDataX509GetKeyCert(data);
> 
>     if(cert != NULL) {
>         fprintf(output, "==== Key Certificate:\n");
>         xmlSecMSCryptoX509CertDebugDump(cert, output);
>     }
> 
>     size = xmlSecMSCryptoKeyDataX509GetCertsSize(data);
>     for(pos = 0; pos < size; ++pos) {
>         cert = xmlSecMSCryptoKeyDataX509GetCert(data, pos);
>         if(cert == NULL) {
>             xmlSecError(XMLSEC_ERRORS_HERE,
>                         xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
>                         "xmlSecMSCryptoKeyDataX509GetCert",
>                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
>                         "pos=%d", pos);
>             return;
>         }
>         fprintf(output, "==== Certificate:\n");
>         xmlSecMSCryptoX509CertDebugDump(cert, output);
>     }
> */
> /////////////////////////////////////////////////////////////
> 
> 
> SECOND
> --------------
> 
> In one of your replies
> (http://www.aleksey.com/pipermail/xmlsec/2011/009076.html) you said
> 
> “I think you can get what you want by using "--enabled-key-data" (and
> "--list-key-data") command line options for xmlsec utility. Simply
> disable reading of certs from XML file completely and provide the
> signature key (not necessarily in  a cert) from the command line.”
> 
> How exactly do I do that? Because --enabled-key-data always expects a
> parameter. I guess I can just say "hmac" or some other option that
> doesn't apply in my case to achieve that, is that right?
> 
> 
> Also the command to list them "xmlsec list-key-data --crypto mscrypto", I
> didn't see it documented in the command line help.
> 
> From the verify4 example, I found the following. What is the corresponding
> equivalent for the code (to disable reading of certs from xml completely)?
> 
>     /* in addition, limit possible key data to valid X509 certificates only */
>     if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) {
>         fprintf(stderr,"Error: failed to limit allowed key data\n");
>         goto done;
>     }
> 
> 
> Thanks a lot for your help
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 