First, to the authors: many, many thanks for writing and maintaining this tool!

I am having some difficulty getting the xmlsec1 utility to verify signed XML using a public key referenced via RetrievalMethod.

When I create the XML to be signed, I am including:

<KeyInfo>
    <RetrievalMethod URI="http://my.server/pubkey.xml" Type="http://www.w3.org/2000/09/xmldsig#RSAKeyValue">
    </RetrievalMethod>
</KeyInfo>

The XML file referenced in the URI attribute is the output of xmlsec1 --keys --gen-key rsa-1024 with the private key stripped out, which appears to be the proper format.

The document signs successfully via the xmlsec1 utility. And, if I specify --keys-file to a local copy of the public key XML file, it verifies successfully via the xmlsec1 utility.

If, however, I do not specify --keys-file with --verify, with the intent of having xmlsec1 retrieve the key via the RetrievalMethod, I get:

func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "test-signed.html"

Is the xmlsec1 utility supposed to be able to retrieve public keys via HTTP URLs in RetrievalMethod? If so, any idea where I'm going wrong?

I can always parse out the URL, retrieve the file myself, and use the local copy, but I'd prefer to let xmlsec1 handle it all if it can.

This is with 1.2.9-3ubuntu2 as installed on Ubuntu 6.10 (Edgy Eft).

Thanks!

Mark Murphy
mmurphy -at- municorps.org

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
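As an added illustration of the fallback described in the post (parse the RetrievalMethod URI, fetch the key file yourself, verify against the local copy), and not code from the post or from the xmlsec project: the helper below pulls the ds:RetrievalMethod URI and Type out of a signed document, refuses to fetch unless the URI points at a host the verifier already trusts, and decodes the Modulus/Exponent of the referenced RSAKeyValue into integers. The allowlist matters because the URI sits inside the document being verified, so fetching and trusting whatever it points to would let the document pick its own verification key. The fetch is passed in as a callable and the key file is a constructed sample modelled on xmlsec1 --keys output (not a real key), so everything runs offline; the host name keys.example and the function names are assumptions of this example.

```python
"""Resolve an XML-DSig RetrievalMethod key reference with a host allowlist.

Hypothetical helper (not part of xmlsec1): extract the RetrievalMethod URI
from the signed document, fetch it only from trusted hosts, and parse the
referenced RSAKeyValue. The fetch function is injected so this runs offline.
"""
import base64
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_KEYVALUE_TYPE = "http://www.w3.org/2000/09/xmldsig#RSAKeyValue"


def extract_retrieval_method(signed_xml: str):
    """Return (URI, Type) of the first ds:KeyInfo/ds:RetrievalMethod, else None."""
    root = ET.fromstring(signed_xml)
    rm = root.find(f".//{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}RetrievalMethod")
    if rm is None or not rm.get("URI"):
        return None
    return rm.get("URI"), rm.get("Type")


def is_allowed_key_source(uri: str, allowed_hosts, allowed_schemes=("https",)) -> bool:
    """Fetch only from hosts the verifier trusts; the URI itself is document-controlled."""
    parsed = urlparse(uri)
    return parsed.scheme in allowed_schemes and parsed.hostname in allowed_hosts


def _b64_to_int(text: str) -> int:
    """Decode a base64 big-endian integer as used by ds:Modulus / ds:Exponent."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def parse_rsa_key_value(key_xml: str):
    """Return (modulus, exponent) from the first ds:RSAKeyValue in a key file."""
    root = ET.fromstring(key_xml)
    rkv = root.find(f".//{{{DSIG_NS}}}RSAKeyValue")
    if rkv is None:
        raise ValueError("no RSAKeyValue in key file")
    n = _b64_to_int(rkv.findtext(f"{{{DSIG_NS}}}Modulus"))
    e = _b64_to_int(rkv.findtext(f"{{{DSIG_NS}}}Exponent"))
    return n, e


def resolve_key(signed_xml: str, fetch, allowed_hosts):
    """Full flow: locate the reference, check the source, fetch, parse."""
    ref = extract_retrieval_method(signed_xml)
    if ref is None:
        raise ValueError("no RetrievalMethod in KeyInfo")
    uri, rm_type = ref
    if rm_type != RSA_KEYVALUE_TYPE:
        raise ValueError(f"unsupported RetrievalMethod Type: {rm_type}")
    if not is_allowed_key_source(uri, allowed_hosts):
        raise PermissionError(f"refusing to fetch key from untrusted source: {uri}")
    return parse_rsa_key_value(fetch(uri))


# --- Constructed sample input (not a real key pair), so the example runs offline ---
SAMPLE_N = (1 << 1023) | 0x10001   # odd 1024-bit integer standing in for a modulus
SAMPLE_E = 65537


def _b64(n: int) -> str:
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


# Shaped like the <Keys> file xmlsec1 --keys writes, with the private part removed.
SAMPLE_KEY_FILE = f"""<Keys xmlns="http://www.aleksey.com/xmlsec/2002">
<KeyInfo xmlns="{DSIG_NS}"><KeyValue><RSAKeyValue>
<Modulus>{_b64(SAMPLE_N)}</Modulus><Exponent>{_b64(SAMPLE_E)}</Exponent>
</RSAKeyValue></KeyValue></KeyInfo></Keys>"""

# Minimal signed-document skeleton carrying the RetrievalMethod from the post.
SAMPLE_SIGNED = f"""<doc><Signature xmlns="{DSIG_NS}"><KeyInfo>
<RetrievalMethod URI="https://keys.example/pubkey.xml" Type="{RSA_KEYVALUE_TYPE}"/>
</KeyInfo></Signature></doc>"""


def offline_fetch(uri: str) -> str:
    """Stand-in for an HTTP GET; serves the constructed key file."""
    return SAMPLE_KEY_FILE


if __name__ == "__main__":
    n, e = resolve_key(SAMPLE_SIGNED, offline_fetch, allowed_hosts={"keys.example"})
    print(f"modulus bits={n.bit_length()} exponent={e}")
```

Once the key file has been retrieved from an allowed host, it can be written to disk and handed to xmlsec1 with --keys-file exactly as in the working local-copy case from the post; the point of the wrapper is that the set of acceptable key sources is fixed by the verifier rather than by the document.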