Signing data with X509 certificate.: XML Security Library Reference Manual

Signing data with X509 certificate.

To sign a file using X509 certificate, an application need to associate the certificate (or certificates) with the private key using one of the following functions:

xmlSecOpenSSLAppKeyCertLoad - loads certificate from a file and adds to the key;
xmlSecOpenSSLAppPkcs12Load - loads private key and all the certificates associated with it from a PKCS12 file;
xmlSecKeyAdoptData - low level function to add key data (including X509 key data) to the key.

Example 20. Loading private key and X509 certificate.

    /* load private key, assuming that there is not password */
    key = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
    if(key == NULL) {
        fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file);
	goto done;
    }
    
    /* load certificate and add to the key */
    if(xmlSecCryptoAppKeyCertLoad(key, cert_file, xmlSecKeyDataFormatPem) < 0) {
        fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
	goto done;
    }

Full program listing

Next step is to prepare signature template with <dsig:X509Data/> child of the <dsig:KeyInfo/> element. When XML Security Library finds this node in the template, it automaticaly creates <dsig:X509Certificate/> children of the <dsig:X509Data/> element and writes to result XML document all the certificates associated with the signature key.

Example 21. Dynamicaly creating a signature template for signing document using X509 certificate.

    /* create signature template for RSA-SHA1 enveloped signature */
    signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
				         xmlSecTransformRsaSha1Id, NULL);
    if(signNode == NULL) {
	fprintf(stderr, "Error: failed to create signature template\n");
	goto done;		
    }

    /* add <dsig:Signature/> node to the doc */
    xmlAddChild(xmlDocGetRootElement(doc), signNode);
    
    /* add reference */
    refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
					NULL, NULL, NULL);
    if(refNode == NULL) {
	fprintf(stderr, "Error: failed to add reference to signature template\n");
	goto done;		
    }

    /* add enveloped transform */
    if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
	fprintf(stderr, "Error: failed to add enveloped transform to reference\n");
	goto done;		
    }
    
    /* add <dsig:KeyInfo/> and <dsig:X509Data/> */
    keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
    if(keyInfoNode == NULL) {
	fprintf(stderr, "Error: failed to add key info\n");
	goto done;		
    }
    
    if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
	fprintf(stderr, "Error: failed to add X509Data node\n");
	goto done;		
    }

Full program listing