[xmlsec] ECDSA signature verification

Aleksey Sanin aleksey at aleksey.com
Fri Mar 5 08:26:10 PST 2021

In general, I wouldn't recommend KeyValue for anything but examples
for a number of security concerns.

You should consider using KeyName or X509Data instead.



On 3/5/21 4:01 AM, Timothy Legge wrote:
> Hi
>> On Thu, Mar 04, 2021 at 11:40:51PM -0400, Timothy Legge <timlegge at gmail.com> wrote:
>>>              <dsig:KeyInfo>
>>>                               <dsig:KeyValue>
>> Is there any reason why you specify KeyValue directly? If you wrap your
>> key into an x509 cert and use <X509Data>, that should work, see e.g.
>> tests/aleksey-xmldsig-01/enveloping-sha256-ecdsa-sha256.xml.
> Couple of reasons that don't make a lot of sense.  First, it is closer
> to DSA so the current code was easy to modify.  Secondly, there were
> not a lot of example xml files (I either missed the one you mentioned
> or I got stuck on the first reason.  Third is likely the fact that it
> is a documented method that can be used...
> Adding X509Data was next on my list.  I don't have any use cases or
> users asking for ecdsa but I would like to get it added before I need
> it.
> Thanks
> Tim
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list