I'll help more if you need it, but look in openssl-xxx/apps/rsa.c and grep for PEM_write_bio_PrivateKey and that should get you started generating PEM keys. Do what they do! Gotta run ... Similar situation for DSA keys.
meg morgan

Jesse Pelton wrote:
>
> I am modifying an existing application that signs and verifies documents to use XMLSec. We're currently using Microsoft's .NET implementation, which is a colossal pain, partly because most of our code is unmanaged, partly because the MS Crypto API is an unpredictable black box.
>
> When we sign a document, we put a key name (a certificate's common name) into (surprise) the <KeyName> element. That's the only information regarding keys in our document. To verify a signature, we extract the key name from the document and map it to a certificate containing the appropriate public key. This allows us to exchange signed documents with parties we trust by first exchanging standard X509 certificates. Each of us signs with the private key we've retained and verifies with the public key we've received in a certificate.
>
> I can't find a way to do this with XMLSec's simple key manager, and I'm not sure 1) whether I'm missing something, and if not, 2) what would be the best way to proceed.
>
> I need an xmlSecKeyPtr to pass to xmlSecDSigValidate(). The simple keys manager provides two functions that return key pointers: xmlSecSimpleKeysMngrFindKey() and xmlSecSimpleKeysMngrLoadPemKey(). I suspect the find function would work for me if I passed a key name, but the only way I can find to introduce a named key into the manager is by loading a PKCS12 file. The PEM key loader also might work, if I could figure out how to produce a PEM key file. Neither xmlsec nor openssl executables provide a way to do this that I could find.
>
> I also tried using xmlSecX509DataReadPemCert() together with xmlSecX509DataCreateKey(), but the latter call fails because the certificate hasn't been verified. It can't be verified unless it's in a store. If I put it in a store, I no longer have a way to get it, so I'm back where I started.
>
> Is the whole notion of using a certificate's public key to verify a signature wrong-headed in some way? (I have to wonder, since there seems to be no support provided for it.) If this is a reasonable approach, how can I accomplish it?
> _______________________________________________
> xmlsec mailing list
> [EMAIL PROTECTED]
> http://www.aleksey.com/mailman/listinfo/xmlsec

--
Meg Morgan 425/450-2754 [EMAIL PROTECTED] http://www.votehere.net
