Hi

We are trying to sign an XML document with an X509 certificate, but are
having problems getting the X509Data node populated.

We are following Philippe Camacho's tutorial here:
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7

The command that we use is copied from the tutorial, and we are using the
keysncerts.zip file that contains the appropriate keys and certificates.

The command (using v 1.2.16 on Mac OSX 10.6) is:
xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem --pwd hello doc-x509.xml

The contents of doc-x509.xml are (the document we are trying to sign):
<References>
 <Book>
  <Author>
   <FirstName>Bruce</FirstName>
   <LastName>Schneier</LastName>
  </Author>
  <Title>Applied Cryptography</Title>
 </Book>
 <Web>
  <Title>XMLSec</Title>
  <Url>http://www.aleksey.com/xmlsec/</Url>
 </Web>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod Algorithm=
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
   <SignatureMethod Algorithm=
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <Reference URI="">
    <Transforms>
     <Transform Algorithm=
      "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
    </Transforms>
    <DigestMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue></DigestValue>
   </Reference>
  </SignedInfo>
  <SignatureValue />
  <KeyInfo>
   <X509Data >
    <X509SubjectName/>
    <X509IssuerSerial/>
    <X509Certificate/>
   </X509Data>
   <KeyValue />
  </KeyInfo>
 </Signature>
</References>

We get this output from running the command:

<?xml version="1.0"?>
<References>
    <Book>
        <Author>
            <FirstName>Bruce</FirstName>
             <LastName>Schneier</LastName>
        </Author>
        <Title>Applied Cryptography</Title>
    </Book>
    <Web>
        <Title>XMLSec</Title>
        <Url>http://www.aleksey.com/xmlsec/</Url>
    </Web>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="
http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="">
                <Transforms>
                    <Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
            </Reference>
        </SignedInfo>

 
<SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>

        <KeyInfo>
            <X509Data>



            </X509Data>
            <KeyValue>
<RSAKeyValue>
<Modulus>
vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
        </KeyInfo>

    </Signature>
</References>

As you can see, the X509Data node is blank.

We have tried including the --print-xml-debug option, and this shows a
number of fields, including:

<X509Data>
<KeyCertificate>
<SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John Smith/emailAddress=
[email protected]</SubjectName>
<IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
Camacho/[email protected]</IssuerName>
<SerialNumber>11E</SerialNumber>
</KeyCertificate>
</X509Data>

We have also tried these commands with our own generated keys, and different
XML files too. We get the same result each time.

I have searched this mailing list, and note that Braja Biswal had a similar
problem:
http://www.aleksey.com/pipermail/xmlsec/2009/008672.html

We would really appreciate any help, as we seem to be out of ideas. Our last
idea is to try the same approach using Ubuntu - perhaps this is "a Mac
thing". We used MacPorts to install Xmlsec.

Thanks

Nigel



-- 
Nigel Ramsay
Principal Consultant
Able Technology

04 910 3100
021 323 990
http://www.abletech.co.nz
http://nigel.ramsay.org.nz
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
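
A check for the symptom described in the message above, as an added example that is not part of the original post or of xmlsec: it parses signed output and reports which KeyInfo parts actually carry data, so a signing pipeline can flag a signature whose X509Data came back whitespace-only. The function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# The three children requested by the template in the post.
WANTED = ("X509SubjectName", "X509IssuerSerial", "X509Certificate")

def has_content(el):
    """True if the element or any descendant carries non-whitespace text."""
    return any(t.strip() for t in el.itertext())

def keyinfo_report(xml_text):
    """For each ds:Signature, list which KeyInfo parts were actually filled in."""
    reports = []
    for sig in ET.fromstring(xml_text).iter(DS + "Signature"):
        x509 = sig.find(DS + "KeyInfo/" + DS + "X509Data")
        keyvalue = sig.find(DS + "KeyInfo/" + DS + "KeyValue")
        filled = []
        if x509 is not None:
            filled = [c.tag[len(DS):] for c in x509
                      if c.tag.startswith(DS) and has_content(c)]
        reports.append({
            "x509data_present": x509 is not None,
            "x509_filled": filled,
            "x509_missing": [n for n in WANTED if n not in filled],
            "keyvalue_filled": keyvalue is not None and has_content(keyvalue),
        })
    return reports

# Constructed samples (placeholder base64 values, not real key material).
SIG = ('<References><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
       '<SignedInfo/><SignatureValue>c2ln</SignatureValue>'
       '<KeyInfo>%s</KeyInfo></Signature></References>')
# Same shape as the output in the post: whitespace-only X509Data, filled KeyValue.
EMPTY_X509 = SIG % ('<X509Data>\n\n\n</X509Data><KeyValue><RSAKeyValue>'
                    '<Modulus>AQAB</Modulus><Exponent>AQAB</Exponent>'
                    '</RSAKeyValue></KeyValue>')
# A partially populated X509Data for comparison.
FILLED_X509 = SIG % ('<X509Data><X509SubjectName>CN=Example Signer'
                     '</X509SubjectName><X509Certificate>Q09OU1RSVUNURUQ='
                     '</X509Certificate></X509Data>')

if __name__ == "__main__":
    for name, doc in (("empty", EMPTY_X509), ("filled", FILLED_X509)):
        print(name, keyinfo_report(doc))
```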
