Yes I am seeing the same thing with numerous templates.

-----Original Message-----
From: Alexander Trishin [mailto:[EMAIL PROTECTED]
Sent: December 23, 2005 12:20 PM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: [xmlsec] xmlsec

I'm using xCBL 4.0 documents which define dgs prefix for xmldsig

    <Invoice xmlns:dgs="http://www.w3.org/2000/09/xmldsig#" >

So I'm defining signature template as

    <dgs:Signature>
      <dgs:SignedInfo>
        <dgs:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <dgs:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dgs:Reference URI="">
          <dgs:Transforms>
            <dgs:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </dgs:Transforms>
          <dgs:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dgs:DigestValue/>
        </dgs:Reference>
      </dgs:SignedInfo>
      <dgs:SignatureValue/>
      <dgs:KeyInfo>
        <dgs:KeyName/>
        <dgs:X509Data><dgs:X509Certificate/>
        </dgs:X509Data>
      </dgs:KeyInfo>
    </dgs:Signature>

After document is signed all elements still have dgs prefix but X509Certificate:

    <dgs:X509Data>
    <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIICAjCCAWugAwIBAgIQnS98DETrP7RGk
    aTvoI4evjANBgkqhkiG9w0BAQQFADAY
    [skip]
    </X509Certificate>
    </dgs:X509Data>

Although it does not create a verification problem, I find it strange. Is there a way to keep it consistent?

Thank you,
Alex.

Edward Shallow wrote:

>Hi Alex,
>
>   Aleksey did understand you correctly. Simply initialize the
><KeyName> in a template file (sample attached) and the private signing
>key will be extracted from the MS system key store (i.e. 'MY'). Rough
>sequence of calls (simplified) as follows:
>
>    xmlParseFile('the template')
>    xmlDocGetRootElement()
>    xmlSecFindNode(rootNode, 'Signature', 'http://www.w3.org/2000/09/xmldsig#')
>    xmlSecKeysMngrCreate()
>    xmlSecCryptoAppDefaultKeysMngrInit(keysMngr)
>    xmlSecDSigCtxCreate()
>    xmlSecDSigCtxInitialize(dsigCtx, keysMngr)
>    xmlSecDSigCtxSign(dsigCtx, sigNode)
>
>   Depending on which crypto you are using the <KeyName> can contain
>either the short friendly name (from CN=...) or the full X509 Distinguished Name.
>Both will work. mscrypto for example will look first in the Simple Key
>Store if you have adopted one and then in the 'MY' certificate store
>for your signing key. In the above sequence, I did not load or adopt a
>Key Store, so mscrypto goes directly to the system key store 'MY'.
>
>   Note: OpenSSL does not have a system key store.
>
>Cheers,
>Ed
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>Behalf Of Alexander Trishin
>Sent: December 19, 2005 7:00 PM
>To: Aleksey Sanin
>Cc: [email protected]
>Subject: Re: [xmlsec] xmlsec
>
>Aleksey,
>
>I probably didn't make myself clear.
>I'm looking at the code to produce a signed xml, the key info and
>certificate come from the external file for the sample.
>My question is - what functions should I use to change that? So that
>key info and Certificate come from the system store, and not from the file.
>
>Thank you in advance,
>Alex
>
>Aleksey Sanin wrote:
>
>>I am not a big mscrypto user myself and I hope someone will correct my
>>lies here... but I believe that you just need to put the key name
>>(i.e. certificate subject) into the <KeyName> element of your
>>signature template.
>>
>>Aleksey
>>
>>Alexander Trishin wrote:
>>
>>>Dear Friends,
>>>
>>>I'm trying to create a test console app to sign XML files with the
>>>X509 certificate. I took a look at samples provided but yet to figure
>>>out how do I sign an XML file with the Certificate that I already
>>>have in "MY" store. Certificate does have a private key.
>>>
>>>If someone can point me in the right direction or has sample I'd be
>>>greatly appreciated.
>>>
>>>Platform is Windows with ms crypto library.
>>>
>>>Thank you,
>>>Alex.
>>>_______________________________________________
>>>xmlsec mailing list
>>>[email protected]
>>>http://www.aleksey.com/mailman/listinfo/xmlsec
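
Added example, not part of the original thread and not xmlsec code: a Python check (standard library only) that lists XML-DSig elements serialized with a different prefix than the Signature element, and whether each one sits inside SignedInfo, the part that is canonicalized for SignatureValue. The sample document, the placeholder certificate text and the names `SIGNED_SAMPLE`, `dsig_elements` and `prefix_report` are constructed for illustration.

```python
from xml.dom import minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample mirroring the output described in the thread: every
# element uses the dgs prefix except X509Certificate, which redeclares the
# default namespace. The certificate body is a placeholder, not real data.
SIGNED_SAMPLE = """<Invoice xmlns:dgs="http://www.w3.org/2000/09/xmldsig#">
  <dgs:Signature>
    <dgs:SignedInfo/>
    <dgs:SignatureValue/>
    <dgs:KeyInfo>
      <dgs:KeyName/>
      <dgs:X509Data>
        <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER</X509Certificate>
      </dgs:X509Data>
    </dgs:KeyInfo>
  </dgs:Signature>
</Invoice>"""


def dsig_elements(xml_text):
    """Return every element bound to the XML-DSig namespace, whatever its prefix."""
    doc = minidom.parseString(xml_text)  # namespace-aware parse
    return list(doc.getElementsByTagNameNS(DSIG_NS, "*"))


def _inside(elem, local_name):
    """True if elem has an XML-DSig ancestor element with the given local name."""
    node = elem.parentNode
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        if node.namespaceURI == DSIG_NS and node.localName == local_name:
            return True
        node = node.parentNode
    return False


def prefix_report(xml_text):
    """List (local name, prefix, inside SignedInfo?) for each XML-DSig element
    whose prefix differs from the one on the Signature element."""
    elems = dsig_elements(xml_text)
    expected = next(e.prefix for e in elems if e.localName == "Signature")
    return [(e.localName, e.prefix, _inside(e, "SignedInfo"))
            for e in elems if e.prefix != expected]


if __name__ == "__main__":
    for name, prefix, signed in prefix_report(SIGNED_SAMPLE):
        print(f"{name}: prefix={prefix!r}, inside SignedInfo={signed}")
```

A prefix of `None` means the element uses a default-namespace declaration; its namespace URI is still the XML-DSig one, so a namespace-aware lookup finds it like the `dgs:` elements.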
