If you have only public keys, then you should not use pkcs12.

http://en.wikipedia.org/wiki/PKCS12

You can try to load the public key directly from the certificate
using "--pubkey-cert-pem" command line option for xmlsec utility.

Aleksey
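A worked version of the two approaches in this thread, added here as an example (it is not code from the xmlsec project or from either poster). It reproduces the two PKCS#12 files Brian describes (one exported with the private key, one built with -nokeys), shows how to tell them apart before handing either to xmlsec's --pkcs12 loader, and then encrypts for a recipient from the bare PEM certificate with --pubkey-cert-pem as Aleksey suggests. It assumes openssl is on PATH; the xmlsec1 round trip runs only if xmlsec1 is installed. The file names, the key name "recipient", and the sample document are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the xmlsec thread. Assumes openssl on PATH;
# the xmlsec1 step is skipped when xmlsec1 is not installed. All file names
# and the sample document are constructed for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the "client": a key pair plus self-signed cert. In the real
# exchange you receive only recipient.crt; recipient.key never leaves the client.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=xmlsec-example-recipient" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" 2>/dev/null
}

# Brian's first, working file: cert AND private key (what xmlsec's loader expects).
make_full_p12() {
    openssl pkcs12 -export -in "$WORK/recipient.crt" -inkey "$WORK/recipient.key" \
        -passout pass: -out "$WORK/full.p12"
}

# Brian's second file: built with -nokeys, so it holds certificates only.
make_cert_only_p12() {
    openssl pkcs12 -export -in "$WORK/recipient.crt" -nokeys \
        -passout pass: -out "$WORK/certonly.p12"
}

# Exit 0 if the PKCS#12 contains a private key, 1 if it is cert-only. A cert-only
# file trips xmlSecOpenSSLEvpKeyAdopt's "pKey != NULL" assertion, so check first.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Encrypt with the public key taken straight from the PEM certificate, then
# decrypt with the matching private key to confirm the round trip. The key is
# loaded under the name "recipient" so the <KeyName> in the template matches.
xmlsec_roundtrip() {
    if ! command -v xmlsec1 >/dev/null 2>&1; then
        echo "xmlsec1 not installed; skipping encryption round trip" >&2
        return 0
    fi
    printf '<Invoice><Amount>42</Amount></Invoice>\n' > "$WORK/data.xml"
    cat > "$WORK/tmpl.xml" <<'EOF'
<?xml version="1.0"?>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
               Type="http://www.w3.org/2001/04/xmlenc#Element">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>recipient</KeyName>
      </KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>
EOF
    # Sender side: only the certificate is needed, no PKCS#12 and no private key.
    xmlsec1 --encrypt --session-key aes-128 \
        --pubkey-cert-pem:recipient "$WORK/recipient.crt" \
        --xml-data "$WORK/data.xml" "$WORK/tmpl.xml" > "$WORK/enc.xml"
    # Recipient side: the private key unwraps the session key.
    xmlsec1 --decrypt --privkey-pem:recipient "$WORK/recipient.key" \
        "$WORK/enc.xml" > "$WORK/dec.xml"
    grep -q '<Amount>42</Amount>' "$WORK/dec.xml"
}

run_demo() {
    make_recipient
    make_full_p12
    make_cert_only_p12
    if p12_has_private_key "$WORK/full.p12"; then
        echo "full.p12: has private key (xmlsec --pkcs12 will load it)"
    fi
    if ! p12_has_private_key "$WORK/certonly.p12"; then
        echo "certonly.p12: no private key (xmlsec --pkcs12 fails; use --pubkey-cert-pem)"
    fi
    xmlsec_roundtrip
}
run_demo
```

The template uses RSA-OAEP for the key transport rather than rsa-1_5; both are accepted by the xmlsec CLI, but OAEP is the one to reach for when you control the template. Naming the key on the command line (`--pubkey-cert-pem:recipient`) and in the template's `<KeyName>` keeps the key lookup unambiguous when more than one certificate is loaded.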

[EMAIL PROTECTED] wrote:

Thank you, loading a pkcs12 file worked! I created a pkcs12 file with my public cert and private key. I loaded it into xmlsec and it did everything else on its own, and on the other end I was able to decrypt it with my private key (so I assume that it got the public key out and did things correctly).

However, there is a problem with this.
Since I am going to be using the "client's" public key/cert, I'll have to make the pkcs12 file without a private key. This appears to be doable with openssl (though what I'm doing now could be wrong).
The command I use to get the pkcs12 file from a pem format cert is:
openssl pkcs12 -export -in PubCertFile.pem -nokeys -out myTempCert.p12
but when I load the result of this command into xmlsec, I get this error:

func=xmlSecOpenSSLEvpKeyAdopt:file=evp.c:line=211:obj=unknown:subj=pKey != NULL:error=100:assertion: func=xmlSecOpenSSLAppPkcs12LoadBIO:file=app.c:line=702:obj=unknown:subj=xmlSecOpenSSLEvpKeyAdopt:error=1:xmlsec library function failed: func=xmlSecOpenSSLAppPkcs12Load:file=app.c:line=574:obj=unknown:subj=xmlSecOpenSSLAppPkcs12LoadBIO:error=1:xmlsec library function failed:filename=/myKeyDir/myTempCert.p12;errno=2

It looks like xmlsec is expecting a private key with the file, but I can't have it due to the nature of security. Is there a way to tell xmlsec to just use the public key that's inside the pkcs12 file? Or am I going about this wrong?

Thanks again,
Brian

*Aleksey Sanin <[EMAIL PROTECTED]>*
Sent by: [EMAIL PROTECTED]
06/17/2008 03:17 PM
To: [EMAIL PROTECTED]
cc: [email protected]
Subject: Re: [xmlsec] wsse tokens and encryption

> Do I need to manually put the cert into the key?

Yes! You must associate the cert with the key. The simplest
way to do this is to put your key and certificate(s) into
pkcs12 file and then load the file "at once". It is possible
to do it manually but you will need to manipulate the
key data objects yourself.

Aleksey
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec