Verifing document signed with X509 certificates.

If the document is signed with an X509 certificate then the signature verification consist of two steps:

Certificates chain is constructed from certificates in a way that each certificate in the chain is signed with previous one:

Figure 8. Certificates chain.

Certificate A (signed with B) <- Certificate B (signed with C) <- ... <- Root Certificate (signed by itself)

At the end of the chain there is a "Root Certificate" which is signed by itself. There is no way to verify the validity of the root certificate and application have to "trust" it (another name for root certificates is "trusted" certificates).

Application can use xmlSecCryptoAppKeysMngrCertLoad function to load both "trusted" and "un-trusted" certificates. However, the selection of "trusted" certificates is very sensitive process and this function might be not implemented for some crypto engines. In this case, the "trusted" certificates list is loaded during initialization or specified in crypto engine configuration files. Check XML Security Library API reference for more details.

Example 22. Loading trusted X509 certificate.

 * load_trusted_certs:
 * @files:		the list of filenames.
 * @files_size:		the number of filenames in #files.
 * Creates simple keys manager and load trusted certificates from PEM #files.
 * The caller is responsible for destroing returned keys manager using
 * @xmlSecKeysMngrDestroy.
 * Returns the pointer to newly created keys manager or NULL if an error
 * occurs.
load_trusted_certs(char** files, int files_size) {
    xmlSecKeysMngrPtr mngr;
    int i;
    assert(files_size > 0);
    /* create and initialize keys manager, we use a simple list based
     * keys manager, implement your own xmlSecKeysStore klass if you need
     * something more sophisticated 
    mngr = xmlSecKeysMngrCreate();
    if(mngr == NULL) {
	fprintf(stderr, "Error: failed to create keys manager.\n");
    if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
	fprintf(stderr, "Error: failed to initialize keys manager.\n");
    for(i = 0; i < files_size; ++i) {

	/* load trusted cert */
	if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
    	    fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);


Full program listing