Marius Kjeldahl wrote:
Marius Kjeldahl wrote:I'm trying to create signed xml documents and verify that they are correctly signed, but I'm having trouble.
Using the xmlsec examples,
Here I really mean the examples on the xmlSec homepage. I have not looked into the xmlsec tool which comes with the xmlsec distribution.
I would suggest you to take a look at it. xmlsec command line utility is the most complete example
of all available functionality.
I am able to create signed documents, but they all fail when I paste them into the online verifier (I guess when it works there, I am ready to try to do the same locally). I understand that any unsigned key will probably not be verified correctly, so I downloaded the "fake" root cert and corresponding private key. I further signed my local private key using the "fake" root cert.
Why you don't want to try to verify document locally using xmlsec tool?
In xmlsec 0.0.10 you can do following:So far I have not been able to find an example on how to use my key AND the cert. An old posting from Aleksey mentions using "xmlSecSimpleKeyMngrAddCertToKey, but I can find no such function. I have also tried loading the key first, then the cert into the same keysmngr using SimpleKeysMngrLoadPemKey followed by a SimpleKeysMngrLoadPemCert, but I am not sure whether this means that the cert will be used when signing (if I try to validate a document after loading the key and cert, it will still not be verified with the online verifier). I have also tried putting the key and cert into the same file and load it with *LoadPemKey, but still no luck.
1) load the key and get xmlSecKeyPtr pointer (for example, using xmlSecSimpleKeysMngrLoadPemKey
function)
2) load cert and add it to key using xmlSecKeyReadPemCert function
3) Put <dsig:509Data> element into the <dsig:KeyInfo> to force writing cert into the key
Instead of steps 1) and 2) you can use xmlSecSimpleKeysMngrLoadPkcs12() that loads key
and cert(s) from pkcs12 file.
Follow steps 1)-3) above and use key/cert known to the online verifier (see details on the page).
Does anybody have an example on what needs to be done to create a signed document that can be verified with the online verifier, or any hints on what needs to be done?
However, I would recommend to try the xmlsec utility. It's much more powerfull and you do not
have restriction to use specific keys / certs.
Aleksey
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
