sign --pkcs12:test-key keys/EdCert.p12 --pwd 1234 something.tmpl
Then the following happens:
1) xmlsec loads the key and certificate from keys/EdCert.p12 and puts this key
in the default crypto keys manager with the name "test-key".
2) When xmlsec signs something.tmpl and finds out that it needs a private
key with the name "test-key", it requests the keys manager to find such a key
(internally, the request is represented by an xmlSecKeyReq object).
3) The keys manager does the search and finds the key we loaded in step 1).
4) xmlsec uses the returned key for the signature.
Note that in step 1) we used the words "default crypto keys manager". This means that
- different crypto engines may have *different* default keys managers
(for example, OpenSSL uses a plain stupid list of keys; NSS uses the same
plain list of keys plus the NSS key db; MSCrypto uses the same plain list of keys
plus the MS Crypto store)
- the xmlsec command line utility uses the "default" keys manager, but an application
might replace it with whatever is needed (for example, one might have all keys
and/or certificates in a database)
Currently, the xmlsec utility does not have an option that says "load a key and use *this*
key for signature or encryption". The key selection is done indirectly through the keys manager
(i.e. the signature/encryption template should have a key name that references a key
in the keys manager). But you can do it in your application (if needed) by setting the desired
signature/encryption key in the signature/encryption context. Also, today you can use the
"--session-key" option if you want to sign/encrypt something with a session key (specific
to this xml file). But the session key itself would be encrypted with an indirectly
selected key from the keys manager. Again, in the application you can select the second key
directly (if you want).
Hope this makes things a little bit more clear :)
Aleksey
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
