Please attach the actual signed file.
Aleksey
Rolando Abarca wrote:
Ok, I got a little more info on the error:
From the other side (the place where I'm sending the signed XML) the
response is:
The public key does not correspond to the certificate
This is how I'm signing the document (this is inside a ruby extension):
/* Includes assumed for the calls used below; they are not in the original post. */
#include <ruby.h>
#include <libxml/tree.h>
#include <xmlsec/xmlsec.h>
#include <xmlsec/xmltree.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/templates.h>
#include <xmlsec/crypto.h>

/* ruby_xml_document_t and rb_eXMLError are assumed to be provided by the
 * enclosing libxml-ruby style extension. */

VALUE xmlsec_sign(VALUE self, VALUE cert_file, VALUE key_file, VALUE node_uri) {
    xmlNodePtr signNode = NULL;
    xmlNodePtr refNode = NULL;
    xmlNodePtr keyInfoNode = NULL;
    xmlSecDSigCtxPtr dsigCtx = NULL;
    ruby_xml_document_t *rxd;
    char *filename;

    /* all three string arguments go through STR2CSTR, so type-check them all */
    Check_Type(cert_file, T_STRING);
    Check_Type(key_file, T_STRING);
    Check_Type(node_uri, T_STRING);

    /* get the libxml document from the ruby VALUE */
    Data_Get_Struct(self, ruby_xml_document_t, rxd);

    /* create signature template: inclusive C14N, RSA-SHA1 */
    signNode = xmlSecTmplSignatureCreate(rxd->doc, xmlSecTransformInclC14NId,
                                         xmlSecTransformRsaSha1Id, NULL);
    if (signNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to create signature template");
    }
    xmlAddChild(xmlDocGetRootElement(rxd->doc), signNode);

    /* add a reference to the node named by node_uri, digested with SHA1 */
    refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
                                              NULL, BAD_CAST STR2CSTR(node_uri),
                                              NULL);
    if (refNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to add reference to signature template");
    }

    /* add key info: both <KeyValue> and <X509Data> are filled in when signing */
    keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
    if (keyInfoNode == NULL) {
        rb_raise(rb_eXMLError, "Failed to add key info");
    }
    if (xmlSecTmplKeyInfoAddKeyValue(keyInfoNode) == NULL) {
        rb_raise(rb_eXMLError, "Failed to add key value");
    }
    if (xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
        rb_raise(rb_eXMLError, "Failed to add X509 Data");
    }

    /* create the signing context and load the private key */
    dsigCtx = xmlSecDSigCtxCreate(NULL);
    if (dsigCtx == NULL) {
        rb_raise(rb_eXMLError, "Failed to create signature context");
    }
    filename = STR2CSTR(key_file);
    dsigCtx->signKey = xmlSecCryptoAppKeyLoad(filename, xmlSecKeyDataFormatPem,
                                              NULL, NULL, NULL);
    if (dsigCtx->signKey == NULL) {
        xmlSecDSigCtxDestroy(dsigCtx);
        rb_raise(rb_eXMLError, "Failed to load private key from %s", filename);
    }

    /* attach the X509 cert to the key; this is what populates <X509Data> */
    filename = STR2CSTR(cert_file);
    if (xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, filename,
                                   xmlSecKeyDataFormatPem) < 0) {
        xmlSecDSigCtxDestroy(dsigCtx);
        rb_raise(rb_eXMLError, "Failed to load certificate from %s", filename);
    }

    /* sign; the context owns signKey and frees it in xmlSecDSigCtxDestroy */
    if (xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
        xmlSecDSigCtxDestroy(dsigCtx);
        rb_raise(rb_eXMLError, "Signature failed");
    }
    xmlSecDSigCtxDestroy(dsigCtx);

    /* the signed document stays in rxd->doc; nothing is written out here */
    return Qnil;
}
As you can see, I'm creating a template, adding the KeyInfo, Value and
X509 data. The key_file and cert_file are both the same (it's a PEM file).
Any ideas on what could be the problem?
thanks a lot for any hint.
On Jun 20, 2008, at 12:26 PM, Rolando Abarca wrote:
I'm trying to verify an XML I signed (using xmlsec), but I keep getting
xmlSecDSigStatusUnknown as the status... what does it mean?
Currently, the XML is of the kind:
<root>
  <A>
    <B>
      <Sign for B>
    <B>
      <Sign for B>
  </A>
  <Sign for A>
</root>
What I'm trying to check first, is the sign for A, but it fails... Any
hints on where I should start looking?
Regarding how the tree is being constructed:
Generate a B sub-tree, save it to a file. Load it and sign it.
Generate an A sub-tree, add all B nodes, save it to a file. Load it
and sign it.
Generate the root node, add the A node. Save the file.
Note: this save-load-sign routine is so far the only way I've found to
preserve the whitespace (is there any other way?)
regards
--
Rolando Abarca M.
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
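The receiver's complaint ("The public key does not correspond to the certificate") can be checked locally before signing. The following is an added example, not code from the thread or from xmlsec: it takes the contents of a combined PEM file (private key and certificate in one file, as described above), parses the two blocks separately and asks OpenSSL whether they belong together. The key and certificate material is generated inline (constructed test data), so it runs offline; Ruby is used because the signing code lives in a Ruby extension.

```ruby
require 'openssl'

# Constructed test material: a self-signed certificate for the given RSA key.
# Nothing here comes from the thread's actual key or certificate files.
def self_signed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

KEY_BLOCK  = /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----/m
CERT_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Check a combined PEM file (key and cert in one file). Returns :ok when the
# certificate's public key matches the private key, :mismatch when it does
# not (the condition the receiving side reports), and :incomplete when one
# of the two PEM blocks is missing. Each block is parsed on its own so the
# result does not depend on which block comes first in the file.
def check_pem_pair(pem)
  key_pem  = pem[KEY_BLOCK]
  cert_pem = pem[CERT_BLOCK]
  return :incomplete if key_pem.nil? || cert_pem.nil?
  key  = OpenSSL::PKey.read(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.check_private_key(key) ? :ok : :mismatch
end

# Exercise the three cases with constructed keys: a matching pair, a cert
# issued for a different key, and a file that holds only the key.
def demo
  key_a  = OpenSSL::PKey::RSA.new(2048)
  key_b  = OpenSSL::PKey::RSA.new(2048)
  cert_a = self_signed_cert(key_a, 'signer')
  {
    matching:   check_pem_pair(key_a.to_pem + cert_a.to_pem),
    mismatched: check_pem_pair(key_b.to_pem + cert_a.to_pem),
    key_only:   check_pem_pair(key_a.to_pem)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running check_pem_pair on the real combined PEM file before calling xmlsec_sign tells you whether the <KeyValue> and <X509Data> that end up in <KeyInfo> will agree, which is exactly what the other side is comparing.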