I am modifying an existing application that signs and verifies documents to use XMLSec. We're currently using Microsoft's .NET implementation, which is a colossal pain, partly because most of our code is unmanaged, partly because the MS Crypto API is an unpredictable black box.
When we sign a document, we put a key name (a certificate's common name) into (surprise) the <KeyName> element. That's the only information regarding keys in our document. To verify a signature, we extract the key name from the document and map it to a certificate containing the appropriate public key. This allows us to exchange signed documents with parties we trust by first exchanging standard X509 certificates. Each of us signs with the private key we've retained and verifies with the public key we've received in a certificate.

I can't find a way to do this with XMLSec's simple key manager, and I'm not sure 1) whether I'm missing something, and if not, 2) what would be the best way to proceed.

I need an xmlSecKeyPtr to pass to xmlSecDSigValidate(). The simple keys manager provides two functions that return key pointers: xmlSecSimpleKeysMngrFindKey() and xmlSecSimpleKeysMngrLoadPemKey(). I suspect the find function would work for me if I passed a key name, but the only way I can find to introduce a named key into the manager is by loading a PKCS12 file. The PEM key loader also might work, if I could figure out how to produce a PEM key file. Neither the xmlsec nor the openssl executables provide a way to do this that I could find.

I also tried using xmlSecX509DataReadPemCert() together with xmlSecX509DataCreateKey(), but the latter call fails because the certificate hasn't been verified. It can't be verified unless it's in a store. If I put it in a store, I no longer have a way to get it, so I'm back where I started.

Is the whole notion of using a certificate's public key to verify a signature wrong-headed in some way? (I have to wonder, since there seems to be no support provided for it.) If this is a reasonable approach, how can I accomplish it?

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
