Re: [xmlsec] xmlsec failing validation tests

2002-05-24 Thread Aleksey Sanin
installed. Thanks for all your help, -Devin Quoting Aleksey Sanin [EMAIL PROTECTED]: Looks like there is a problem on LibXML level. One of possible reasons is library mismatch (xmlsec loads old/wrong version of LibXML2 libraries when you are compiling it). I would suggest to do following: 1

Re: [xmlsec] xmlsec failing validation tests

2002-05-29 Thread Aleksey Sanin
It's fine for me. Personally I don't think that you really want to show any detailed error message to the user. Signatures and encryption is a backend stuff. Most errors are total failures and you could not recover from them. For example, in the situation you mentioned the error case is

Re: [xmlsec] Questions about IV(Initial Vector)

2002-06-07 Thread Aleksey Sanin
Hi! XML Encryption spec describes how the IV vector is used and XML Sec library strictly follows the standards :) http://www.w3.org/TR/xmlenc-core/#sec-Alg-Block: The IV is encoded with and before the cipher text for the algorithms below for ease of availability to the decryption code and to

Re: [xmlsec] Re: Problems signing...

2002-06-18 Thread Aleksey Sanin
As you've said it was "something obvious" :) Aleksey. Robert Wittams wrote: Doh, forgot to init library, so transform array was empty. Robert Wittams On Tuesday 18 Jun 2002 7:24 pm, Robert Wittams wrote: Hi, I am getting the error: xmlSecTransformNodeRead: id

Re: [xmlsec] Re: Problems signing...

2002-06-18 Thread Aleksey Sanin
Looks like the root element in xmlDocPtr (could be obtained using xmlDocGetRootElement()) is NULL. This can be if you have malformed XML document in the input. I think that the simplest way to check this is to save XML template just before signing. Aleksey Robert Wittams wrote: Sorry to

Re: [xmlsec] Problems load private key

2002-06-20 Thread Aleksey Sanin
Do you have any error messages from xmlsec? And how did you create the encrypted PEM key? Aleksey Lidia wrote: Hi, When I generate signature i load private key using: key=xmlSecSimpleKeysMngrLoadPemKey(keysMngr, private_key_file,password,NULL,1) The problem is if the private_key_file is

Re: [xmlsec] Why seeding the random generator in Example 1

2002-07-08 Thread Aleksey Sanin
Random numbers are used by OpenSSL in many hidden places. For example, you need random numbers to produce correct padding. So it's more simple to initialize random numbers than investigate why the program does not work :) Aleksey [EMAIL PROTECTED] wrote: Hi, Unfortunately, I do not understand

Re: [xmlsec] xmlsec packages for Debian

2002-07-10 Thread Aleksey Sanin
Hello Aleksey, You have access to the scripts at any time-- that is what's in the libxmlsec_*.diff.gz file. It is a patch file that prepares your stock distribution for the one-line command that builds the Debian packages. From your root project directory you can apply the patch like

Re: [xmlsec] XMLSEC Reference URI question

2002-07-23 Thread Aleksey Sanin
Hi, Ferrell! The current XMLDSig does not require full XInclude support and limits the possible reference URIs to the URIs you've listed plus full qualified URLs. The xmlsec does not support full XInclude simply because there were no demand for this yet :) The problem with id is that the

Re: [xmlsec] XMLSEC Reference URI question

2002-07-24 Thread Aleksey Sanin
verify them there. That seems like a lot of extra work but then an empty URI would work. Does the above description make sense? Any other ideas on how to solve this problem without having to implement full URI/xpointer support? Thanks! Ferrell -Original Message- From: Aleksey Sanin [

Re: [xmlsec] XMLSEC Reference URI question

2002-07-24 Thread Aleksey Sanin
I am not sure I clear understand what kind of problem do you have. Will you mind to send me the file you have problems with? Thanks, Aleksey Moultrie, Ferrell (ISSAtlanta) wrote: Aleksey: Ok, I've tried to use an XPath Transform to limit the data being verified. Unfortunately, it doesn't

Re: [xmlsec] XMLSEC Reference URI question

2002-07-25 Thread Aleksey Sanin
gh our web folks for that information. Thanks! Ferrell -Original Message- From: Aleksey Sanin[mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 24, 2002 10:23PM To: Moultrie, Ferrell (ISSAtlanta) Cc:'[EMAIL PROTECTED]'; Dodd, Tim (I

Re: [xmlsec] question about xmlsec initialization

2002-08-20 Thread Aleksey Sanin
Both xmlSecKeysMngr and xmlSecDSigCtx are reusable. Moreover, you can use them in the multiple threads in the same time (the only restriction is that you need to load all your keys into xmlSecKeysMngr before starting threads or you will need to write your own keys manager and do sync by

Re: [xmlsec] Modifications to example 2

2002-08-31 Thread Aleksey Sanin
Devin, Thanks a lot! After minor tweaks I checked in everything. Thanks again, Aleksey Devin Heitmueller wrote: Ok, here is the revised docs tree with the files that changed. Thanks, On Fri, 2002-08-30 at 15:03, Aleksey Sanin wrote: The code changes is only one part

Re: [xmlsec] xmlsec-config without xslt installed

2002-09-03 Thread Aleksey Sanin
Ops.. Don't worry, I'll patch it tonight, I know what is the problem. Thanks for finding it! Aleksey Devin Heitmueller wrote: Not a serious problem, but worth pointing out... It looks like if XSLT isn't installed the xmlsec-config generates errors on stderr as follows:

Re: [xmlsec] Verify signature after certificate expired

2002-10-09 Thread Aleksey Sanin
d something? Thanks! Ferrell -----Original Message- From: Aleksey Sanin [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 09, 2002 11:05 AM To: Roman Bouchner Cc: [EMAIL PROTECTED] Subject: Re: [xmlsec] Verify signature after certificate expired From the general security point of view the dat

Re: [xmlsec] Verify signature after certificate expired

2002-10-09 Thread Aleksey Sanin
ideas/hints would be appreciated ... Thanks! Ferrell -Original Message- From: Aleksey Sanin [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 10, 2002 12:17 AM To: [EMAIL PROTECTED] Subject: Re: [xmlsec] Verify signature after certificate expired It turns out that there is pretty simple

Re: [xmlsec] Verify signature after certificate expired

2002-10-10 Thread Aleksey Sanin
, October 10, 2002 10:46 PM To: Aleksey Sanin Cc: Moultrie, Ferrell (ISSAtlanta); [EMAIL PROTECTED] Subject: Re: [xmlsec] Verify signature after certificate expired Hi there, You are basically right, but first let us clear something: I don't use Visual Studio .NET :-) I tried, but it gave me trouble

Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin
Well, it depends on the situation: 1) You are signing an XML file and want to have XML signature in a *separate* XML file. In this case, you might sign the XML file using external XML signature and then this file will be treated as a binary file (i.e., never parsed-no need in c14n)

Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin
tool a try. David Wen On Fri, 18 Oct 2002 18:32:35 -0700 Aleksey Sanin [EMAIL PROTECTED] wrote: Well, it depends on the situation: 1) You are signing an XML file and want to have XML signature in a *separate* XML file. In this case, you might sign the XML file using external XML

Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin
On Fri, 18 Oct 2002 18:32:35 -0700 Aleksey Sanin [EMAIL PROTECTED] wrote: Well, it depends on the situation: 1) You are signing an XML file and want to have XML signature in a *separate* XML file. In this case, you might sign the XML file using external XML signature and then this file

Re: [xmlsec] XML Sig

2002-10-31 Thread Aleksey Sanin
Hi, Gregor! I assume that you are asking not about canonicalization but about signing a given Object. There are multiple ways to sign particular part of the XML document (i.e. sign its digest) using an XPath transform(s). I think you'll find useful to read annotated example from the XMLDSig

Re: [xmlsec] Using XPath

2002-11-01 Thread Aleksey Sanin
Please take a look at the spec: http://www.w3.org/TR/xpath#dt-expanded-name The Signature element has an extended name (namespace, Signature). In order to select it, you need to do something like this: ancestor-or-self::/Request/dsig:Signature and also declare

Re: [xmlsec] Using XPath

2002-11-01 Thread Aleksey Sanin
You have a clear error in the XPath. Try this: ancestor-or-self::dsig:Signature And have you checked this resource: http://www.zvon.org/index.php?nav_id=tutorials Aleksey Gregor Ibic wrote: Nope. I get syntax error. I tried also this. It's in Delphi but uses the same libxml.

Re: [xmlsec] Using XPath

2002-11-03 Thread Aleksey Sanin
The here() function could be used from C code. You just need to register it in the XPath context. I am not sure but AFAIK the XPath spec says that not() is boolean. Have you checked your XPath expression with xmllint command line tool? If it does not work as expected then probably there is an

Re: [xmlsec] Signature verification

2002-11-03 Thread Aleksey Sanin
Not sure what do you mean by signature is different. Do you compare the base64 values from the SignatureValue? Then they MUST be different (for RSA and DSA at least). Have you tried to *verify* signature using xmlsec? Aleksey Gregor Ibic wrote: I'm using EXCHANGE key for signing. I don't have a

Re: [xmlsec] Signature verification

2002-11-04 Thread Aleksey Sanin
I have plans to separate OpenSSL code in next couple weeks (if I'll have enough time, of course :( ). You might wait and do this after it. I would be happy to add your code into CVS if you are ok with it. Aleksey. Gregor Ibic wrote: Yep. But I'm also interested to adapt xmlsec to use MS

[xmlsec] Using XMLSec with other crypto engines

2002-11-04 Thread Aleksey Sanin
Hi, All! In the last few weeks I was asked by a number of people about using XMLSec library with other (non OpenSSL) crypto engines (NSS, MS CryptoAPI, etc.). I kept this feature in mind from the beginning and it looks like it is a right time to do this. Shortly the plan is to move all the

Re: [xmlsec] Using XMLSec with other crypto engines

2002-11-05 Thread Aleksey Sanin
Thanks for this. It will make the support of other crypto libs easier. You are welcome. Besides moving code around to separate out openssl, there are a couple other issues. 1. Crypto initialization : XMLSEC library needs to allow for Crypto Initialization to happen in the Application OR

Re: [xmlsec] Using XMLSec with other crypto engines

2002-11-05 Thread Aleksey Sanin
You mention above that these functions will likely be implemented for NSS. However, these file related functions don't make sense for NSS. I really doubt that NSS does not have a function to load a cert from a pem file. And if so then you might want to ask NSS guys to add it. Most of the

Re: [xmlsec] Using XMLSec with other crypto engines

2002-11-06 Thread Aleksey Sanin
these tests unless you convert the keys to your crypto engine native format (however, this might invalidate interop tests but it's another story). And *nobody* forces you to use these formats in real application. Aleksey. Tejkumar Arora wrote: Aleksey Sanin wrote: You mention above

Re: [xmlsec] xmlsec library, memory allocation and initialization

2002-11-14 Thread Aleksey Sanin
Hi, Marius! I have good and bad news for you. The good news is that I am doing some code refactoring right now and you might get all you want when I am done. My current plan is to create an object system similar to one found in GLib/GTK with universal constructors and destructors. The bad news is

Re: [xmlsec] Signing a document with key and cert..

2002-11-18 Thread Aleksey Sanin
My next challenge is to do this dynamically (so if anybody have experience on how to do that using libxml, feel free to spill the beans). Check xmlCreateIntSubset() from the libxml/tree.h file. Aleksey ___ xmlsec mailing list [EMAIL PROTECTED]

Re: [xmlsec] Verifying a signature against a PEM certificate

2002-11-22 Thread Aleksey Sanin
Can I load the public key from a PEM cert with the xmlSecSimpleKeysMngrLoadPemCert method? Will it then be treated as a key or is it only CA certs that should be loaded this way. Please, read the code or documentation:

Re: [xmlsec] Verifying a signature against a PEM certificate

2002-11-22 Thread Aleksey Sanin
xmlSecSimpleKeysMngrLoadPemCert() reads cert from file and adds it to the list of trusted or untrusted certs known by keys manager. Later this cert could be used during certs verification process (dsig:X509Data node processing): trusted certs are ones that can terminate certificates chain (for

Re: [xmlsec] xmlSecSignedInfoRead (..\src\xmldsig.c:1493): error51

2002-11-22 Thread Aleksey Sanin
Igor, Thanks for looking into this! I am still working on big code refactoring and the CVS tip is still broken. However, I've created a branch XMLSEC_0_0_X_BRANCH for the 0.0.x code. Please use it if you'll find something. I'll later merge everything to the trunk. Thanks again, Aleksey. Igor

Re: [xmlsec] typo in tests/testEnc.sh - xmlsec0.0.10

2002-11-26 Thread Aleksey Sanin
the tests/keys.xml file is generated by the testKeys.sh script. It should be called by makefile scripts before testEnc.sh. Can you check that there are no errors during testKeys.sh execution, please? Aleksey Martin Waite wrote: On Mon, 2002-11-25 at 17:07, Aleksey Sanin wrote

Re: [xmlsec] Verifying a signature against a PEM certificate, SOLUTION!

2002-11-26 Thread Aleksey Sanin
I think this is bad from security point of view. If you are extracting key from certificate and using it alone, then you lose validity information. IMHO, if you want to use X509 PKI then you should use certificates directly instead of hacking them. In XMLDSig you have several options: - add

Re: [xmlsec] Less help, please :)

2002-11-26 Thread Aleksey Sanin
Yeah, I also found this annoying. Will change in next release. Thanks, Aleksey Rich Salz wrote: I think it would be better if the xmlsec program didn't print the complete help text any time it found an error -- I always have to scroll back to see what went wrong. It should instead print a

Re: [xmlsec] typo in tests/testEnc.sh - xmlsec0.0.10

2002-11-26 Thread Aleksey Sanin
Don't worry. BTW, you actually found an error, it should not fail completely in this case :( It should generate the keys for everything but AES. I'll fix it in next refresh. Aleksey Martin Waite wrote: On Tue, 2002-11-26 at 16:02, Aleksey Sanin wrote: the tests/keys.xml file is generated

[xmlsec] Re: Memory leaks

2002-11-26 Thread Aleksey Sanin
: Native' has exited with code 0 (0x0). -Original Message- From: Aleksey Sanin [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 26, 2002 9:55 AM To: [EMAIL PROTECTED]; xmlsec mailing list Subject: Re: Memory leaks Do you have any print outs that show where the memory leak happens? Also

Re: [xmlsec] Why won't this verify?

2002-11-26 Thread Aleksey Sanin
In XML ID attribute has a meaning only if there is a DTD or schema. Using #XXX references w/o schema is meaningless. Actually, you do not need to load full DTD, you may just specify the DTD for one particular attribute (see section 3.2 of the FAQ http://www.aleksey.com/xmlsec/faq.html for

Re: [xmlsec] Why won't this verify?

2002-11-27 Thread Aleksey Sanin
There is no way to do it thru xmlsec command line utility. I believe that you can safely add the DTD declaration to the signed document because DTD nodes are ignored by c14n. Aleksey Rich Salz wrote: (No DTD, so no recognization of id attr as an ID) That makes sense. Any tips on where to

[xmlsec] bug in processing URI=#ID

2002-11-28 Thread Aleksey Sanin
Hi, All! If you have problems with processing XML Signatures having reference URI in the format URI=#ID where 'ID' is starting from a digit then you might be interested in the following patch: http://www.aleksey.com/xmlsec/download/patch-0.0.10-references.diff The problem was caused by the fact

Re: [xmlsec] XPointer reference problem

2002-11-29 Thread Aleksey Sanin
Please, read section 3.2 from the FAQ http://www.aleksey.com/xmlsec/faq.html Aleksey Asbjørn Oskal wrote: Hi! I'm having some trouble signing using an xpointer reference. The XML document I'm trying to sign looks like this: ?xml version=1.0 encoding=UTF-8? Letter Hello, World!

[xmlsec] Release of XML Security Library 0.0.11

2002-12-03 Thread Aleksey Sanin
New XML Security Library 0.0.11 http://www.aleksey.com/xmlsec/download.html release fixes a major problem http://www.aleksey.com/pipermail/xmlsec/2002/000368.html in Reference URI attribute processing. This release also includes several Win32 build process fixes from Igor. The new release is

Re: [xmlsec] api-doc, gtkdoc

2002-12-03 Thread Aleksey Sanin
Looks like there are some problems with DocBook on SuSe. Check this link:

Re: [xmlsec] Problem with ver 0.0.11

2002-12-04 Thread Aleksey Sanin
values by some reasons known only to Igor and the creators of MS VC. Another possible way is to try to link xmlsec/libxml/openssl libraries statically. At least this works on my Windows box :) Aleksey. kltsai wrote: Hi Aleksey Sanin: I sign an XML signature with the following template

Re: [xmlsec] Problem with ver 0.0.11

2002-12-04 Thread Aleksey Sanin
Aleksey Sanin [EMAIL PROTECTED] wrote: However, when I modify the transform method to be: Transform Algorithm=http://www.w3.org/TR/2001/REC-xml-c14n-20010315; / Ver0.0.11 fails to verify while the old version, v0.0.7 still works. Is this method not allowed in Enveloped Signature? What

Re: [xmlsec] Application specific URIs?

2002-12-05 Thread Aleksey Sanin
All the URI processing is done thru the same scheme. Take a look at the end of io.c file: xmlSecRegisterDefaultInputCallbacks() function registers default callbacks using exactly the same approach. The only thing you might need to take care of is that you should add your custom callbacks *after*

Re: [xmlsec] Problem with ver 0.0.11

2002-12-05 Thread Aleksey Sanin
Hm.. I hope you meant cvs -z3 co -r xmlsec-0_0_11 xmlsec :) Please check that you don't have src/openssl and src/nss folders. If it's the case then you have correct sources and there should be no problems with compilation at all. Please let me know if I can help you somehow. Aleksey. Igor

Re: [xmlsec] more then one signature in the document

2002-12-05 Thread Aleksey Sanin
I am sorry but I am not sure I clear understand your problem completely but I think that you have a known ID attribute w/o DTD problem (see section 3.2 of the FAQ http://www.aleksey.com/xmlsec/faq.html). On the other hand, I am not sure why you could not use an empty URI for the last reference:

Re: [xmlsec] Application specific URIs?

2002-12-06 Thread Aleksey Sanin
Even if I use ftp://; URIs. I also found a comment in io.c saying /* todo: add an ability to use custom protocol handlers */ This is an obsolete comment. The loop below this comment goes thru the list of registered callbacks and calls matchcallback functions. The first handler that returns

Re: [xmlsec] Adding multiple certificates to a pre-signature messageor a signed message

2002-12-06 Thread Aleksey Sanin
The simplest way is to add multiple certificates to the key and add one X509Data node to the KeyInfo. All the certs found in the key (as well as all CRLs) should be written into the X509Data node. The function you might want to look at are: xmlSecKeyReadPemCert

Re: [xmlsec] Verifying multiple signature

2002-12-07 Thread Aleksey Sanin
The library API requires the dsig:Signature node specification: http://www.aleksey.com/xmlsec/api/xmlsec-xmldsig.html#XMLSECDSIGVALIDATE and the xmlsec command line utility also has an option to set the dsig:Signature node ID attribute with --node-id option

Re: [xmlsec] problem signing the document

2002-12-08 Thread Aleksey Sanin
The xmlsec now supports loading RSA keys from PEM, PKCS12 or XML files. If you can convert you key to either of these formats then you can use it with xmlsec. I am not sure about GnuPG but you can use the following OpenSSL command: openssl genrsa -out rsa-key.pem 1024 to generate new 1024

Re: [xmlsec] Problem with ver 0.0.11

2002-12-08 Thread Aleksey Sanin
This is not a surprise for me at all. You are signing *everything* in the document including the dsig:Signature node subtree. Which means that you never get it verified: - when you are signing the dsig:SignatureValue is not yet calculated (i.e. empty) - when you are verifying the

Re: [xmlsec] Bug in xmlSec v0.0.11??

2002-12-08 Thread Aleksey Sanin
Please read section 3.2 from the FAQ: http://www.aleksey.com/xmlsec/faq.html Aleksey kltsai wrote: Hi Aleksey: I tried to sign a enveloping example with Transform Method: http://www.w3.org/2000/09/xmldsig#enveloped-signature And it signs and verifies OK. But If I apply this method in

Re: [xmlsec] XML Sec LIB Usage

2002-12-09 Thread Aleksey Sanin
Works just fine for me: $[aleksey] xmlsec keys --privkey /tmp/Key.pem test.xml Enter PEM pass phrase: entered 123456 $[aleksey] less test.xml ?xml version=1.0? Keys xmlns=http://www.aleksey.com/xmlsec/2002; KeyInfo xmlns=http://www.w3.org/2000/09/xmldsig#; KeyName/ KeyValue

Re: [xmlsec] problem with dsig1 file

2002-12-09 Thread Aleksey Sanin
Sorry but I really don't know what are you doing. Get a debugger and find out. Aleksey vishveswar reddy challagonda wrote: Hi, I compiled the dsig1.c file and ran it like ./dsig1 dsakey.pem test.xml but the program is not terminating? what could be the problem? anything wrong with keyfile or

Re: [xmlsec] Verification and X509Certificate elements

2002-12-11 Thread Aleksey Sanin
You need to tell the xmlsec library which certs are trusted. It's not enough to just place all the certs (including root CA cert) in the X509Certificate because certs not only give you a key but also establish a trust. Use --trusted option for xmlsec command line utility or

Re: [xmlsec] (no subject)

2002-12-11 Thread Aleksey Sanin
Please look at apps/xmlsec.c and search for xmlSecSimpleKeysMngrLoadPkcs12 string. Aleksey [EMAIL PROTECTED] wrote: Aleksey: I have a next problem: -I have a certificate, with includes the private and the public key, and more. -In format PCS12, -I want to extract the private key and sign a

Re: [xmlsec] Generating RSA keys - public and private

2002-12-11 Thread Aleksey Sanin
For RSA, there is a similar function: RSA *a RSA_generate_key(1024, 65537, NULL, NULL) which returns a structure of BIGNUMS. What is eluding me is which part(s) of the structure is the private key and which is the public. RSA public key consist of modulus (RSA::n member) and exponent (RSA::e

Re: [xmlsec] PKS keys

2002-12-11 Thread Aleksey Sanin
This means that the password was incorrect. Can you open this pkcs12 file using openssl command line? Aleksey. [EMAIL PROTECTED] wrote: I use the funtion: xmlSecSimpleKeysMngrLoadPkcs12(keysMngr,pckcert,pckcert.pfx,pwd); to change the KeysMngr, and the output apears the follows lines.

Re: [xmlsec] Usage of xmlsec

2002-12-13 Thread Aleksey Sanin
failed to find signature node. This error means that your document does not have dsig:Signature node. Please note that you MUST have this node in XML DSig namespace (see XML DSig spec for details). Can u provide some examples to how to use xmlsec for

Re: [xmlsec] verification for dsig2.c

2002-12-14 Thread Aleksey Sanin
Please read the description of the dsig2 example http://www.aleksey.com/xmlsec/example-dsig2.html In this example we will add a signature to the document... The test.xml is example *result* output. Try ./dsig2 DSAprivate test.tmpl result.xml And I am absolutely not surprised that

[xmlsec] Re: [xmlsec] the content of the tag certificate it´s so long

2002-12-17 Thread Aleksey Sanin
Hm.. There is no way to control it thru API and I am surprised that other programs are not able to handle this. Thought it'll be easy to fix and the result will look better. Please file a bug in GNOME Bugzilla (module=xmlsec) about this. I am traveling and could not fix it right now but will be

Re: [xmlsec] enhancement to xmlsec

2002-12-19 Thread Aleksey Sanin
Hi, Ferrell! I like this idea but might I propose to add a new argument --node-xpath instead of changing the meaning of the old one? I just don't like this tricky if argument starts with slash... part because I 'll be the first one who will forget about this :) Will you mind to make this

Re: [xmlsec] (no subject)

2002-12-19 Thread Aleksey Sanin
I always reply to mails sent to the xmlsec mailing list. If you are sending mails with xmlsec question to my personal email I might ignore them in the same way you ignore my request to do not do this. I have no idea why you have problems with Chinese. I am sorry but you gave zero information

Re: [xmlsec] Windows Binaries Moved

2002-12-19 Thread Aleksey Sanin
The link on xmlsec download page is updated. Sorry for the delay, I am still traveling :) And thanks for update! Aleksey Igor Zlatkovic wrote: Hi there, Finally I have managed to break the quota limit on the university web server. Well... with all those damn photos, no wonder at all :-) I

Re: [xmlsec] enhancement to xmlsec

2002-12-19 Thread Aleksey Sanin
Thanks a lot! I just know that any non trivial knowledge (like starting from slash...) might be lost over the time :) The only problem I have is that I don't see attachment :) Can you resend it, please? Thanks, Aleksey Moultrie, Ferrell (ISSAtlanta) wrote: Aleksey: Done. I didn't think

Re: [xmlsec] Output errors

2002-12-19 Thread Aleksey Sanin
You receive errors on the stderr. If you don't want them, take a look at the src/errors.c You can either disable errors output by setting xmlSecPrintErrorMessages to 0 or you can plugin your own callbacks for errors handling. Aleksey [EMAIL PROTECTED] wrote: Aleksey: I back once

Re: [xmlsec] enhancement to xmlsec

2002-12-21 Thread Aleksey Sanin
Applied patch with minor modifications to XMLSEC_0_0_X_BRANCH. Thanks a lot! Aleksey Moultrie, Ferrell (ISSAtlanta) wrote: Sorry -- I wish my mua would warn me when it sees the word attached but there's no attachment! Both files attached now. Ferrell -Original Message- From: Aleksey

[xmlsec] Re: [xmlsec] Re: [xmlsec] the content of the tag certificate it´s so long

2002-12-21 Thread Aleksey Sanin
Fixed the bug in the XMLSEC_0_0_X_BRANCH. You can get the updated sources from GNOME CVS (see http://www.aleksey.com/xmlsec/download.html for details). Thanks for filing the bug, Aleksey Aleksey Sanin wrote: Hm.. There is no way to control it thru API and I am surprised that other programs

Re: [xmlsec] xmlse usage

2002-12-22 Thread Aleksey Sanin
ure --pubkey:signed ./signing.cert xml.signed It will complain about the wrong format. Thanks, Wayne --- Aleksey Sanin [EMAIL PROTECTED] wrote: Forgot to say that algorithm and all other signature parameters used by xmlsec utility are in the templates file. Please read XML Dig

Re: [xmlsec] [EGB] There might be a BUG on the XMLSec Library...

2002-12-23 Thread Aleksey Sanin
Hi! It's actually a bug in the example :) The reasons for the error you have are described in the FAQ (section 3.2) http://www.aleksey.com/xmlsec/faq.html While I've updated test.tmpl file for this example I simply forgot to re-run it and generate a new test.xml file :) The problem is

Re: [xmlsec] Exceptions occuring when trying to use encryption

2002-12-30 Thread Aleksey Sanin
It seems that you have a compilation problem. Please check the value of xmlSecEncDes3Cbc in the debugger. It seems like there is a problem accessing variables declared in DLLs. Probably the good idea would be to recompile the xmlsec library using Borland compiler itself (if you are using Windows

Re: [xmlsec] A signed xml msg can't be verified

2003-01-04 Thread Aleksey Sanin
Hi, Derek! First of all, it's probably a wrong way to create the signature in the way you did (do sign document and next modify content). Depending on what are you signing you may easily invalidate you signature. Regarding the error you have, I can only guess since you do not provide the

Re: [xmlsec] enc1 example does not exactly produce the output xml?

2003-01-06 Thread Aleksey Sanin
The session DES key is generated in the enc1/enc1.c:generateDesKey() function and loaded in the keys manager in the same function. When the data is encrypted by xmlsec library it searches the keys manager for a key for specified algorithm and sets all the required values from the key into XML

Re: [xmlsec] [Q.] verification fail (can not find KeyInfo)

2003-01-07 Thread Aleksey Sanin
As far as I can understand the spec, dsig:RetrievalMethod Type=http://www.w3.org/2000/09/xmldsig#RSAKeyValue; .../ should point to dsig:RSAKeyValue/ element. In your XML it points to dsig:KeyInfo/ element which seems wrong to me. I would agree that the XML DSig is not fully clear here but I

Re: [xmlsec] enc1 example does not exactly produce the output xml?

2003-01-07 Thread Aleksey Sanin
ind ..\src\transforms.c:331: error 10: : href=http://www.w3.org/2001/04/xmlenc#tripledes-cbc I am able to go to that website, so I don't know what exactly is the problem. Thank you again, meg Aleksey Sanin wrote:

Re: [xmlsec] [Q.] verification fail (can not find KeyInfo)

2003-01-07 Thread Aleksey Sanin
Thanks for confirmation! Aleksey. Rich Salz wrote: dsig:RetrievalMethod Type=http://www.w3.org/2000/09/xmldsig#RSAKeyValue; .../ I totally agree with you; this means that it is expecting to see a dsig:RSAKeyValue element. That last paragraph of sec 4.4.3 make that, err, uhm, clear: an

Re: [xmlsec] Re: problem encrypting when using Windows 2000 ?

2003-01-07 Thread Aleksey Sanin
more tomorrow. When do you anticipate the big new release? Don't ask :) It was supposed to be out about a month ago but I decided to make it really big and the work is still in progress. Aleksey

Re: [xmlsec] need help with the xmlsec library source code

2003-01-08 Thread Aleksey Sanin
Hi, Derek! I absolutely don't like cleanup_crlf() function. All white spaces and carriage returns *are* part of the XML document. Removing \n *changes* the documents. I am really surprised that you are able to get digest verified. Will you mind to send an example of XML document you are

Re: [xmlsec] Re: problem encrypting when using Windows 2000 ?

2003-01-08 Thread Aleksey Sanin
Aye, that must change soon. OpenSSL 0.9.7 is released and you promised to drop support for 0.9.6 soon thereafter :-) Some folks are still use it and I just will stop testing with 0.9.6 as I do now :) Aleksey

Re: [xmlsec] Web form signing

2003-01-09 Thread Aleksey Sanin
First of all, it's well known but worth repeating: there are no unbreakable systems. It's only a matter of price, resources and time. It's not necessary that software has access to the private key. You might have smart card that stores private key (and simply has no api export private key).

Re: [xmlsec] Web form signing

2003-01-09 Thread Aleksey Sanin
Not sure what you mean by your own pki: - Invent a new PKI infrastructure??? We already have plenty of them including popular x509 and PGP. - Writing your own code to do rsa signatures??? There are a lot of crypto libraries available already. - Create your own circle of trust???

Re: [xmlsec] External DTD support

2003-01-22 Thread Aleksey Sanin
And according to the OpenSSL 0.9.7 code (crypto/x509/x509_vfy.c, around line #200) it should work perfectly too. If you are using OpenSSL 0.9.6 then you might consider upgrading to 0.9.7. It'll save you a lot of time :) We're probably going to wait for 0.9.7b before we upgrade in our

Re: [xmlsec] Encrypt and Decrypt

2003-01-26 Thread Aleksey Sanin
You are using wrong option for CVS update :) The command cvs update -j tag means update trunk (tip) with branch/tag tag. In your case, you are getting merge of 0.0.X branch to the tip and this creates a lot of conflicts :) I would suggest to do a fresh checkout as follows: mv xmlsec

Re: [xmlsec] decryption error

2003-01-29 Thread Aleksey Sanin
Have you added key to keys manager? The algorithm is: - create xmlSecKey of RSA type - set RSA key in created xmlSecKey - add key to keys manager And are you able to decrypt this file with xmlsec tool? Aleksey Meg Morgan wrote: I am getting an error on decryption since I changed

Re: [xmlsec] decryption error

2003-01-29 Thread Aleksey Sanin
); result = -1; } else { xmlSecSimpleKeysMngrAddKey(keysMngr, key); } } I will try to decrypt it manually. Thanks! meg Aleksey Sanin wrote: Have you added key to keys manager? The algorithm is: - create xmlSecKey

Re: [xmlsec] decryption error

2003-01-29 Thread Aleksey Sanin
In your document you have the name of the key used for encryption: KeyNameRSA Public Key/KeyName You can specify this name in the xmlSecKey object. And I really think that you should try standalone xmlsec utility with this file and key. Aleksey

Re: [xmlsec] decryption error

2003-01-29 Thread Aleksey Sanin
Cool! I am glad that everything works now! And thanks for sharing these information. I hope it'll help someone else :) Aleksey

Re: [xmlsec] Thread safety?

2003-01-31 Thread Aleksey Sanin
LibXMLSEC itself is mostly thread safe. The only thing that comes to mind is the xmlSecSimpleKeysManager: you do not want to add keys while another thread is using it (however, if you just read from multiple threads then it's ok). But you probably want to implement your own keys manager anyway so

Re: [xmlsec] RAND_seed() redux

2003-02-04 Thread Aleksey Sanin
The examples you mention are actually use stupid seeding with the simple reason to minimize non-xmlsec related code. If you want to use XMLSEC in any real application you *do need* to seed crypto engine with real random numbers. Please take a look at apps/xmlsec.c in xmlsec package or any

Re: [xmlsec] RAND_seed() redux

2003-02-04 Thread Aleksey Sanin
Actually, the answer is yes and no. It depends on the OpenSSL version you are using. I would suggest to check OpenSSL mailing list. There was a long discussion about this several months ago. Aleksey Jesse Pelton wrote: Thanks for your quick response. A brief xmlsec debugging session revealed

Re: [xmlsec] Question about loading external DTD

2003-02-06 Thread Aleksey Sanin
The document is validated during parsing only if you ask libxml to do so by setting parsing context validate member to 1 or by setting global variable xmlDoValidityCheckingDefaultValue to 1. Can you check the value of this variable before the call to xmlParseMemory? I would also suggest to step in

Re: [Fwd: [xmlsec] Required newlines in signed document xml ?]

2003-02-14 Thread Aleksey Sanin
You might also find some XSLT examples here: http://zvon.org/ Aleksey

Re: [xmlsec] Canonicalization question

2003-02-25 Thread Aleksey Sanin
http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel: The |Transforms| specified in this document are defined with respect to the input they require. The following is the default signature application behavior: * If the data object is an octet stream and the next transform

Re: [xmlsec] Re: Verifying an signature ... Problem

2003-02-26 Thread Aleksey Sanin
Yes, you are right about -CAfile, I forget it, sorry. Actually, everything works just fine for me now (and all the openssl stuff was not needed :) ): [EMAIL PROTECTED] xmlsec verify --trusted c.pem 3dsec_xmldsig_verify_3006.xml = Status: == Signatures ok: 1 == Signatures fail: 0
