and XML DSig usage. Also you might find some information by running 'xmlsec help-verify'
and 'xmlsec help-sign' :)
Regarding your question about using certs: --pubkey expects a public key in PEM format.
Of course, using a PEM cert with this option fails. And I am not sure I understand why you
need certs in your case. I see 2 different possible cases here:

1) The signature was done using a private key and Alice embeds cert(s) (or a pointer to the cert)
in the signature. XML DSig and xmlsec allow you to do this, but this means that you need
to specify the cert(s) at the signing stage. Check the <dsig:X509Data /> element description in the XML
DSig spec for details. Note that certs are used to establish trust "inside" the XML DSig process.

2) The signature was done using a private key and Alice sends the public key to Bob using
some other trusted way (outside XMLDSig). In this case, the input for XMLDSig (and xmlsec)
is just a public key. We do not care how we got it and how the trust was established.

I guess right now you are trying to do 2) and use the cert just as a public key. However, from
the XMLSec point of view, this is "illegal". OpenSSL (and any other crypto toolkit) provides
easy ways to get the public key from the cert. Just pass it to the xmlsec utility and everything
should work :) And of course, you can write your own code to extract the key and load it into the xmlsec
library keys manager. But I don't see a need for this in the xmlsec utility.
Aleksey
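The extraction step Aleksey describes, as an added example that is not part of the thread or of the xmlsec project: it uses the OpenSSL command line to pull the PEM public key out of an X.509 certificate, checks that this is the public half of the signing key, and shows why handing the cert itself to --pubkey is rejected (the file does not carry a PUBLIC KEY PEM block). The file names, the throwaway self-signed certificate and the demo subject are constructed for this example; the xmlsec invocation in the comment uses the option syntax from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): derive the PEM public key that
# `xmlsec verify --pubkey` expects from a PEM X.509 certificate.
# Everything under $WORK is constructed here and stands in for Alice's
# signing.key / signing.cert from the thread.
set -eu

WORK="${TMPDIR:-/tmp}/xmlsec-pubkey-demo.$$"

# Build a throwaway RSA key and a self-signed certificate for the demo.
make_demo_cert() {
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/signing.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/signing.key" -days 1 \
        -subj "/CN=alice-demo" -out "$WORK/signing.cert" 2>/dev/null
}

# Extract the SubjectPublicKeyInfo from a PEM cert as a PEM public key.
# This output is what --pubkey accepts; the certificate file itself is not.
cert_to_pubkey() {
    openssl x509 -in "$1" -pubkey -noout
}

# Does the file look like the PEM public key xmlsec wants?  A certificate
# carries a "CERTIFICATE" block, not a "PUBLIC KEY" block, so it fails here
# for the same reason xmlsec complains about the format.
is_pem_pubkey() {
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$1" &&
        openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# Sanity check: the key pulled from the cert must equal the public half of
# the private key, otherwise verification would fail regardless of format.
pubkey_matches_privkey() {
    from_cert=$(cert_to_pubkey "$1")
    from_key=$(openssl pkey -in "$2" -pubout)
    [ "$from_cert" = "$from_key" ]
}

cleanup() {
    rm -rf "$WORK"
}

demo() {
    make_demo_cert
    cert_to_pubkey "$WORK/signing.cert" > "$WORK/signing.pub"
    pubkey_matches_privkey "$WORK/signing.cert" "$WORK/signing.key"
    # With the syntax used in the thread, the extracted key is the file to pass:
    #   xmlsec verify --pubkey:signed "$WORK/signing.pub" xml.signed
    echo "public key written to $WORK/signing.pub"
}

demo
```

Run the script as-is; it leaves `signing.pub` next to the generated key and cert under a temporary directory, and `cleanup` removes them. Note that a trusted relationship between Bob and that public key is established outside the signature (Aleksey's case 2); the extraction only changes the file format, not who vouches for the key.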
Wayne Cheng wrote:
Hi Aleksey,

Thanks for your help, I modified xml.txt for the right signature algorithm. Now, the following
signing works:

  xmlsec sign --privkey:signed ./signing.key xml.txt > xml.signed

I wonder if it is possible to use the certificate to verify the signed document. So far, I can
use the following format to verify the signed document:

  xmlsec verify --print-signature .cert xml.signed

If I use the format:

  xmlsec verify --pubkey:signed ./signing.cert xml.signed

or

  xmlsec verify --print-signature --pubkey:signed ./signing.cert xml.signed

it will complain about the wrong format.

Thanks,
Wayne

--- Aleksey Sanin <[EMAIL PROTECTED]> wrote:

Forgot to say that the algorithm and all other signature parameters used by the xmlsec utility
are in the templates file. Please read the XML Digital Signature spec for details.

Aleksey

Aleksey Sanin wrote:

I am not sure I clearly understand what "generation algorithm RSA-SHA1" means, but assuming
that server.key has a private RSA key then you should check that the xml.txt template uses the
RSA-SHA1 signature algorithm. This is the only reason I can think of for the error you have.
BTW, I think it'll be very helpful if you send the related files next time :)

Aleksey

Wayne Cheng wrote:

Thank you so much for your quick response. The server.key generation algorithm we used is
RSA-sha1. I am not sure where to find/change the algorithm used for the signature for the xmlsec
utility. I tried the new format and it is still not working. Also, I am not sure if rename for
server is required or not.

bash-2.05$ xmlsec sign --privkey:server ./server.key xml.txt
xmlSecKeysMngrGetKey (keys.c:451): error 17: key not found :
xmlSecSignedInfoRead (xmldsig.c:1385): error 17: key not found :
xmlSecSignatureRead (xmldsig.c:1124): error 2: xmlsec operation failed : xmlSecSignedInfoRead - -1
xmlSecDSigGenerate (xmldsig.c:792): error 2: xmlsec operation failed : xmlSecSignatureRead - -1
Error: xmlSecDSigGenerate() failed
Error: operation failed
bash-2.05$

Thanks,
Wayne

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
