[xmlsec] Transitioning custom XMLDSig verification implementation to xmlsec

Krzysztof Konopko kris at konagma.com
Mon Jan 27 02:11:01 PST 2014

Thank for a prompt reply Aleksey.

On 24 January 2014 17:55, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Hi Krzysztof,
> Let me try to answer your questions one-by-one
> * IO handlers
> To handle the context, you can use a trick with thread local storage:
> you can set your data in TLS before calling XMLSec, then use this
> data in the context, and cleanup after XMLSec is done.

Um, sounds like a thread-specific global variable.  This answers my
question that there's no way to pass any context to IO callbacks nor
replace the IO transformation :)
It's a bit nasty hack which may make it hard to justify transitioning to
xmlsec but I'll probably give it a go anyway.

> * additional certificate/key checks
> You can also look at implementing a custom keys store
> http://www.aleksey.com/xmlsec/api/xmlsec-keysmngr.html#XMLSECKEYSTOREKLASS
> The findKey method is the one you need.

Yes, I looked at it initially at the example [1].  But I couldn't see how
it'd help me hook in with my additional `X509_VERIFY_PARAM` settings.  Now
I can see that by making all plumbing through xmlsec key related structs
(similarly to what happens in `src/openssl/x509vfy.c`) I can provide my own
certificate verification procedure.

> * registering transformation URIs
> Easy one :)
> http://www.aleksey.com/xmlsec/api/xmlsec-transforms.html#XMLSECTRANSFORMIDSREGISTER
Ah, right.  Just find the standard transformation equivalent for my legacy
URI, "copy" it, replace its `href` and re-register.


[1] http://www.aleksey.com/xmlsec/api/xmlsec-custom-keys-manager.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20140127/5aafe1b1/attachment.html>

More information about the xmlsec mailing list