Never mind. I figured out the problem. I used the wrong private key when I signed the XML file, and spent an hour trying to figure out why it wouldn't validate.
Ok, I'm stupid.

-Devin

On Tue, 2002-09-03 at 15:56, Devin Heitmueller wrote:
> Ok, let me give some more detail.
>
> The goal is to run an application, providing it with an XML file that is
> signed with a DSA private key. The application should validate the
> signature using the DSA public key stored in a separate file on the
> local workstation.
>
> The creation and signing of the XML file appears to work fine. I do not
> embed the key in the XML file itself.
>
> The verification application should load the DSA public key into the key
> list, then validate the XML document signature with the DSA public key.
>
> I used xmlSecSimpleKeysMngrLoadPemKey to load the public key, providing
> NULL for the keyPwd and keyPwdCallback arguments. It's not returning
> any errors, but I am still not sure if the public key is actually being
> loaded into the keylist.
>
> The basic problem seems to be getting the DSA public key from the PEM
> encoded file into an xmlSecKeyPtr structure, which I can provide as an
> argument to xmlSecDSigValidate().
>
> Thanks,
>
> -Devin
>
> On Tue, 2002-09-03 at 15:04, Aleksey Sanin wrote:
> > I am not sure I clearly understand what you mean by "verify an XML file
> > given a specific cert". From your XML file you should point to the given
> > key known to the application or provide the key in the signature (may be
> > in cert). And on the application side you need to have this key available
> > or know how to get the key from the file. For example, in the XML file you
> > can include a full cert and the application should be able to verify the
> > cert and extract the key.
> > XMLSec library extracts the public key from the provided cert automatically
> > but the key is *not* included in the keys list. You can point to a cert
> > using issuer serial/name, subject, SKI and if such cert was loaded with
> > xmlSecSimpleKeysMngrLoadPemKey() it will be found and the key extracted.
> >
> > Aleksey
> >
> > Devin Heitmueller wrote:
> >
> > >So, if I wanted to verify an XML file given a specific cert, I should
> > >perform an xmlSecSimpleKeysMngrLoadPemKey() with the privateKey flag set
> > >to 'public', then perform an xmlSecSimpleKeysMngrAddKey ()?
> > >
> > >Thanks,
> > >
> > >Devin
> > >
> > >On Tue, 2002-09-03 at 14:42, Aleksey Sanin wrote:
> > >
> > >>The cert will be saved to the keys file if (and only if) it is
> > >>associated with a key.
> > >>xmlSecSimpleKeysMngrLoadPemCert() function has two purposes:
> > >> 1) load a "trusted" cert (i.e. root CA cert)
> > >> 2) load an "untrusted" cert which could be pointed to from the XML DSig
> > >>    <dsig:X509Data> element by subject, issuer serial/issuer name or SKI
> > >>    (http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
> > >>
> > >>Aleksey
> > >>
> > >>Devin Heitmueller wrote:
> > >>
> > >>>I am attempting to make use of the xmlSecSimpleKeysMngrLoadPemCert
> > >>>facility to load a certificate from a file into the key manager. The
> > >>>call returns with no errors, but it looks like the cert is never
> > >>>actually added to the key manager store.
> > >>>
> > >>>I wrote some sample code to demonstrate the problem (see attached). I
> > >>>am attempting to add the DSA certificate dsacert.pem that is included
> > >>>with the distribution in the "tests/keys" directory. The sample code
> > >>>creates the key manager instance, adds the certificate, then saves the
> > >>>key manager contents out to an XML file.
> > >>>
> > >>>I suspect I am using the function wrong, but any advice that could be
> > >>>offered would be greatly appreciated.
> > >>>
> > >>>Thanks,
> > >>>
> > >>>------------------------------------------------------------------------
> > >>>
> > >>>-----BEGIN CERTIFICATE-----
> > >>>MIIEvTCCBGegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBojELMAkGA1UEBhMCVVMx
> > >>>EzARBgNVBAgTCkNhbGlmb3JuaWExJjAkBgNVBAoTHWh0dHA6Ly93d3cuYWxla3Nl
> > >>>eS5jb20veG1sc2VjMRowGAYDVQQLExFTZWNvbmQgTGV2ZWwgQ2VydDEWMBQGA1UE
> > >>>AxMNQWxla3NleSBTYW5pbjEiMCAGCSqGSIb3DQEJARYTYWxla3NleUBhbGVrc2V5
> > >>>LmNvbTAeFw0wMjAzMjkyMjI2NTNaFw0wMzAzMjkyMjI2NTNaMIGkMQswCQYDVQQG
> > >>>EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEmMCQGA1UEChMdaHR0cDovL3d3dy5h
> > >>>bGVrc2V5LmNvbS94bWxzZWMxHDAaBgNVBAsTE0RTQSBLZXkgQ2VydGlmaWNhdGUx
> > >>>FjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xIjAgBgkqhkiG9w0BCQEWE2FsZWtzZXlA
> > >>>YWxla3NleS5jb20wggG2MIIBKwYHKoZIzjgEATCCAR4CgYEAimW6KYBPYXAf6itS
> > >>>AuYs1aLPfs8/vBEiusv/pl1XMiuMvB7vyiJgSj8/NTkRci/UX/rVXv8rbCRjvYFX
> > >>>3x5/53f4hc6HKz7JQI4qqB7Fl5N86zp+BsQxNQ4tzous9S2HTd2/zdTwVsvO+H9l
> > >>>3FahmVp/m2IHE4W27JYoF49qP10CFQC//HNaqNG+J6STasxbfCliylP1SwKBgFCM
> > >>>s1A5S3urggoBeEYffH4imb4OuFCeBTOS/lmwkjJlbBTdOn08Mct52jzzgs86Ln7B
> > >>>7/wb3toL6w73dO/KF1iSX/QOOKSGZyZHYxIZtkbAxaVzatLTymRXI1bHZqoODF+m
> > >>>DbsKb2bk8EqAxubtUDDdJph/YJmyE94/ceDDvuxGA4GEAAKBgDp/igSRN6tU0YRv
> > >>>UbKTV9NVSOQtFc0suDf0MguGMxBDaKtxiZChyGKvoK6vWalfcYNhnqP95qoXXBDT
> > >>>rWEZlhHzmSY9fKLpA+kzXHmEWeB4x4yt1mN8CtjlekDpcvpN38YBEKT/+yJQpGuW
> > >>>CAi7h1626o5+W9F3CvS9hg7Vjso7o4IBJjCCASIwCQYDVR0TBAIwADAsBglghkgB
> > >>>hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
> > >>>FEe1ThoXo+wDwzhsCfW0cuROuISWMIHHBgNVHSMEgb8wgbyAFHjXLZFhL5UiSrvh
> > >>>1T3GJq+rl9IEoYGgpIGdMIGaMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
> > >>>cm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMSYwJAYDVQQKEx1odHRwOi8vd3d3LmFs
> > >>>ZWtzZXkuY29tL3htbHNlYzEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEiMCAGCSqG
> > >>>SIb3DQEJARYTYWxla3NleUBhbGVrc2V5LmNvbYIBATANBgkqhkiG9w0BAQQFAANB
> > >>>AL2thaC8jmlUvEGLHR1B3+7XJho4sXllkHgclSXJnD/NGssj5XzQHpbLVSfNEEUe
> > >>>JKG28F0vyT05hEsXAHAtg9o=
> > >>>-----END CERTIFICATE-----
> > >>>
> > >>>------------------------------------------------------------------------
> > >>>
> > >>>/*
> > >>> * Netilla License Display tool
> > >>> * Devin J. Heitmueller Aug 27 2002
> > >>> */
> > >>>
> > >>>#include <stdio.h>
> > >>>#include <string.h>
> > >>>#include <stdlib.h>
> > >>>
> > >>>/* Required for RAND_status() / RAND_seed() used below */
> > >>>#include <openssl/rand.h>
> > >>>
> > >>>/*
> > >>> * COMPAT using xml-config --cflags to get the include path this will
> > >>> * work with both
> > >>> */
> > >>>#include <libxml/xmlmemory.h>
> > >>>#include <libxml/parser.h>
> > >>>
> > >>>/* Required for xmlsec */
> > >>>#include <xmlsec/xmlsec.h>
> > >>>#include <xmlsec/xmldsig.h>
> > >>>#include <xmlsec/keysmngr.h>
> > >>>#include <xmlsec/xmltree.h>
> > >>>
> > >>>int
> > >>>main (int argc, char **argv)
> > >>>{
> > >>>    xmlSecKeyPtr pubkey;
> > >>>    xmlSecDSigCtxPtr dsigCtx = NULL;
> > >>>    xmlSecKeysMngrPtr keysMngr = NULL;
> > >>>    int load_pub_cert_result = 0;
> > >>>    int rnd_seed = 0;
> > >>>
> > >>>    /*
> > >>>     * Init OpenSSL
> > >>>     * (note: seeding with a constant int adds no real entropy; it only
> > >>>     * satisfies RAND_status() on platforms without an OS entropy source)
> > >>>     */
> > >>>    while (RAND_status() != 1) {
> > >>>        RAND_seed(&rnd_seed, sizeof(rnd_seed));
> > >>>    }
> > >>>
> > >>>    /*
> > >>>     * Init libxml
> > >>>     */
> > >>>    xmlInitParser();
> > >>>    LIBXML_TEST_VERSION
> > >>>
> > >>>    /*
> > >>>     * Init xmlsec
> > >>>     */
> > >>>    xmlSecInit();
> > >>>
> > >>>    /*
> > >>>     * Create keys manager
> > >>>     */
> > >>>    keysMngr = xmlSecSimpleKeysMngrCreate();
> > >>>    if(keysMngr == NULL) {
> > >>>        fprintf(stderr, "Error: failed to create keys manager\n");
> > >>>        return -1;
> > >>>    }
> > >>>
> > >>>    /*
> > >>>     * Add the test cert to the public key list
> > >>>     */
> > >>>    load_pub_cert_result = xmlSecSimpleKeysMngrLoadPemCert (keysMngr,
> > >>>                                                            "dsacert.pem", 1);
> > >>>    if (load_pub_cert_result != 0)
> > >>>    {
> > >>>        fprintf(stderr, "Error: failed load public key\n");
> > >>>        return -1;
> > >>>    }
> > >>>
> > >>>    /* Write the keys back to a file */
> > >>>    xmlSecSimpleKeysMngrSave(keysMngr, "test.xml", xmlSecKeyTypeAny);
> > >>>
> > >>>    return 0;
> > >>>}
> > >>>
> > >
> >
> --
> Devin Heitmueller
> Senior Software Engineer
> Netilla Networks Inc
>
> _______________________________________________
> xmlsec mailing list
> [EMAIL PROTECTED]
> http://www.aleksey.com/mailman/listinfo/xmlsec

--
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
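The root cause Devin found (the XML file was signed with a different DSA private key than the one whose public half the verifier held) is worth catching before any XML Signature debugging starts. The script below is an added example and is not code from this thread or from the xmlsec project; it uses only the `openssl` command-line tool rather than the xmlsec API, and every key and file name in it (`good`, `stray`, `doc.txt`, the temporary directory) is constructed for the demonstration. It reproduces the mismatch with plain DSA signatures and shows the pre-check: derive the public key from the private key that will sign, fingerprint both, and compare.

```shell
#!/bin/sh
# Added example, not code from the xmlsec thread. Reproduces a "signed with
# the wrong private key" failure with the openssl CLI and shows the
# fingerprint check that detects the mismatch up front. Assumes `openssl`
# is on PATH; all key and file names are constructed for this demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo, computed the same way from a
# private key (public half derived) or from a public key file, so the two
# fingerprints are directly comparable.
priv_fingerprint() {   # $1 = private key PEM
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}
pub_fingerprint() {    # $1 = public key PEM
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 iff the private key in $1 is the other half of the public key in $2.
keys_match() {
    [ "$(priv_fingerprint "$1")" = "$(pub_fingerprint "$2")" ]
}

sign_file() {    # $1 = private key, $2 = data file, $3 = signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {  # $1 = public key, $2 = data file, $3 = signature; exit 0 iff valid
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Two independent DSA key pairs over one parameter set: "good" is the pair
# whose public key the verifier holds, "stray" is an unrelated private key
# that happened to be on the signing machine.
setup_keys() {
    openssl dsaparam -out "$WORK/dsa.params" 2048 2>/dev/null
    for name in good stray; do
        openssl gendsa -out "$WORK/$name.pem" "$WORK/dsa.params" 2>/dev/null
        openssl pkey -in "$WORK/$name.pem" -pubout -out "$WORK/$name.pub.pem"
    done
    printf 'constructed sample document\n' > "$WORK/doc.txt"
}

setup_keys

# The mistake from the thread: sign with the stray key, verify with good.pub.
sign_file "$WORK/stray.pem" "$WORK/doc.txt" "$WORK/doc.sig"
if verify_file "$WORK/good.pub.pem" "$WORK/doc.txt" "$WORK/doc.sig"; then
    echo "verified (unexpected)"
else
    echo "signature does not validate under good.pub.pem (as in the thread)"
fi

# The check that would have saved an hour: compare fingerprints first.
if keys_match "$WORK/stray.pem" "$WORK/good.pub.pem"; then
    echo "signing key matches verification key"
else
    echo "stray.pem is NOT the private half of good.pub.pem: $(priv_fingerprint "$WORK/stray.pem") != $(pub_fingerprint "$WORK/good.pub.pem")"
fi

# Signed with the matching key, the same document verifies.
sign_file "$WORK/good.pem" "$WORK/doc.txt" "$WORK/doc.sig"
if verify_file "$WORK/good.pub.pem" "$WORK/doc.txt" "$WORK/doc.sig"; then
    echo "verified with good.pub.pem"
else
    echo "verification with the matching key failed (unexpected)"
fi
```

The same fingerprint comparison applies when the verifier's key comes from a certificate rather than a bare public key file: extract the SubjectPublicKeyInfo from the certificate with `openssl x509 -pubkey -noout` and fingerprint it the same way. Keeping that check in the signing tool turns a silent "won't validate" into an explicit error at the point where the wrong key was chosen.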
