[xmlsec] Transitioning custom XMLDSig verification implementation to xmlsec
kris at konagma.com
Mon Jan 27 02:11:01 PST 2014
Thanks for a prompt reply, Aleksey.
On 24 January 2014 17:55, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Hi Krzysztof,
> Let me try to answer your questions one-by-one
> * IO handlers
> To handle the context, you can use a trick with thread local storage:
> you can set your data in TLS before calling XMLSec, then use this
> data in the context, and cleanup after XMLSec is done.
Um, sounds like a thread-specific global variable. This answers my
question that there's no way to pass any context to IO callbacks nor
replace the IO transformation :)
It's a bit of a nasty hack which may make it hard to justify transitioning to
xmlsec but I'll probably give it a go anyway.
> * additional certificate/key checks
> You can also look at implementing a custom keys store
> The findKey method is the one you need.
Yes, I looked at it initially at the example . But I couldn't see how
it'd help me hook in with my additional `X509_VERIFY_PARAM` settings. Now
I can see that by making all plumbing through xmlsec key related structs
(similarly to what happens in `src/openssl/x509vfy.c`) I can provide my own
certificate verification procedure.
> * registering transformation URIs
> Easy one :)
Ah, right. Just find the standard transformation equivalent for my legacy
URI, "copy" it, replace its `href` and re-register.
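
The thread-local-storage trick discussed above for the IO handlers, as an added sketch that is not part of this thread and is not xmlsec code: the callbacks have the same shape as libxml2's match/open input callbacks (a URI and no user-data pointer), while `io_ctx`, `lib_resolve` and `resolve_with_ctx` are hypothetical names, with `lib_resolve` standing in for the library call that invokes the registered callbacks.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical per-call context; not an xmlsec type. */
typedef struct {
    const char *uri;   /* the one URI this verification may resolve */
    const char *data;  /* caller-supplied bytes for that URI */
} io_ctx;

/* One slot per thread, so concurrent verifications never see each other's context. */
static _Thread_local const io_ctx *tls_ctx = NULL;

/* Match callback: receives only the URI, so the context comes from the TLS slot. */
static int cb_match(const char *uri) {
    return tls_ctx != NULL && strcmp(uri, tls_ctx->uri) == 0;
}

/* Open callback: re-checks the match and declines when no context is published. */
static void *cb_open(const char *uri) {
    return cb_match(uri) ? (void *)tls_ctx->data : NULL;
}

/* Stand-in for the library resolving a reference through the registered callbacks. */
static const char *lib_resolve(const char *uri) {
    return cb_match(uri) ? (const char *)cb_open(uri) : NULL;
}

/* Wrapper: publish the context, call the library, restore the slot on the way out. */
const char *resolve_with_ctx(const io_ctx *ctx, const char *uri) {
    const io_ctx *saved = tls_ctx;   /* keeps nested calls on one thread correct */
    tls_ctx = ctx;
    const char *out = lib_resolve(uri);
    tls_ctx = saved;                 /* cleanup: no stale context after the call */
    return out;
}

/* True when no context is left behind in the calling thread's slot. */
int ctx_is_clear(void) { return tls_ctx == NULL; }

int main(void) {
    io_ctx a = { "urn:example:doc-a", "<a/>" };  /* constructed sample input */
    const char *r = resolve_with_ctx(&a, "urn:example:doc-a");
    return (r != NULL && ctx_is_clear()) ? 0 : 1;
}
```

Restoring the saved value rather than writing `NULL` is what keeps the slot correct if a callback itself triggers another wrapped call on the same thread.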