Thanks for update. If you have a second, could you please try to run openssl pkcs12 command on Mac
to see the content of the usercert.p12 file?

Aleksey

On 2/23/11 11:54 AM, Nigel Ramsay wrote:
Hi Aleksey

As I suggested, I tried it on Ubuntu - and it just worked.

It must have been a "mac thing".

I've now gone and repeated the exact same steps on both Ubuntu 10.4 and OSX 10.6 with differing results - the Ubuntu version produced the required output, while the Mac version did not.

For those who are interested, these are the simple steps I followed:

*Mac*

port install xmlsec
wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
unzip keysncerts.zip
wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml

*Ubuntu*

apt-get install xmlsec1
wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
unzip keysncerts.zip
wget http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem keysncerts/cacert.pem --pwd hello doc-x509.xml

So anyway - thanks Aleksey for a very handy tool. There's nothing else out there like it. Certainly nothing in "Ruby land" where we do most of our work.

Cheers

Nigel




On Thu, Feb 24, 2011 at 8:33 AM, Aleksey Sanin <[email protected]> wrote:

    Make sure that you actually have *both* private key and
    certificate in the usercert.p12

    Aleksey


    On 2/23/11 11:24 AM, Nigel Ramsay wrote:
    Hi

    We are trying to sign an XML document with an X509 certificate,
    but are having problems getting the X509Data node populated.

    We are following Philippe Camacho's tutorial here:
    http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7

    The command that we use is copied from the tutorial, and we are
    using the keysncerts.zip file that contains the appropriate keys
    and certificates.

    The command (using v 1.2.16 on Mac OSX 10.6) is:
    xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem cacert.pem
    --pwd hello doc-x509.xml

    The contents of the doc-x509.xml is (the document we are trying
    to sign):
    <References>
    <Book>
    <Author>
    <FirstName>Bruce</FirstName>
    <LastName>Schneier</LastName>
    </Author>
    <Title>Applied Cryptography</Title>
    </Book>
    <Web>
    <Title>XMLSec</Title>
    <Url>http://www.aleksey.com/xmlsec/</Url>
    </Web>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod Algorithm=
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm=
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
    <Transforms>
    <Transform Algorithm=
          "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
    </Transforms>
    <DigestMethod Algorithm=
          "http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue></DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue />
    <KeyInfo>
    <X509Data >
    <X509SubjectName/>
    <X509IssuerSerial/>
    <X509Certificate/>
    </X509Data>
    <KeyValue />
    </KeyInfo>
    </Signature>
    </References>

    We get this output from running the command:

    <?xml version="1.0"?>
    <References>
    <Book>
    <Author>
    <FirstName>Bruce</FirstName>
    <LastName>Schneier</LastName>
    </Author>
    <Title>Applied Cryptography</Title>
    </Book>
    <Web>
    <Title>XMLSec</Title>
    <Url>http://www.aleksey.com/xmlsec/</Url>
    </Web>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <CanonicalizationMethod
    Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod
    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
    <Transforms>
    <Transform
    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
    lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
    twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
    <KeyInfo>
    <X509Data>
    </X509Data>
    <KeyValue>
    <RSAKeyValue>
    <Modulus>
    vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
    aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
    GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
    </Modulus>
    <Exponent>
    AQAB
    </Exponent>
    </RSAKeyValue>
    </KeyValue>
    </KeyInfo>
    </Signature>
    </References>

    As you can see, the X509Data node is blank.

    We have tried including the --print-xml-debug option, and this
    shows a number of fields, including:

    <X509Data>
    <KeyCertificate>
    <SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John
    Smith/[email protected]</SubjectName>
    <IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
    Camacho/[email protected]</IssuerName>
    <SerialNumber>11E</SerialNumber>
    </KeyCertificate>
    </X509Data>

    We have also tried these commands with our own generated keys,
    and different XML files too. We get the same result each time.

    I have searched this mailing list, and note that Braja Biswal had
    a similar problem:
    http://www.aleksey.com/pipermail/xmlsec/2009/008672.html

    We would really appreciate any help, as we seem to be out of
    ideas. Our last idea is to try the same approach using Ubuntu -
    perhaps this is "a Mac thing". We used MacPorts to install Xmlsec.

    Thanks

    Nigel



    --
    Nigel Ramsay
    Principal Consultant
    Able Technology

    04 910 3100
    021 323 990
    http://www.abletech.co.nz
    http://nigel.ramsay.org.nz



    _______________________________________________
    xmlsec mailing list
    [email protected]
    http://www.aleksey.com/mailman/listinfo/xmlsec





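The check Aleksey asks for at the top of the thread, scripted as an added example (it is not code from the thread or from the xmlsec project): a PKCS#12 bundle only lets xmlsec1 fill in X509Data when it carries both the private key and the certificate, and a cert-only bundle is the failure mode to look for. The script assumes the `openssl` CLI is on PATH; the key, certificate, file names and the password `hello` it builds are all constructed throwaway values, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the xmlsec list thread). Inspects a PKCS#12 file the
# way the thread suggests (openssl pkcs12) and reports what it actually holds.
# Assumes `openssl` is on PATH; all files and passwords below are constructed.

# p12_contents FILE PASSWORD
# Prints "key" and/or "cert" (one per line) for what the bundle contains;
# returns non-zero when openssl cannot open it (wrong password, corrupt file).
p12_contents() {
    pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$pem" | grep -q 'BEGIN .*PRIVATE KEY' && echo key
    printf '%s\n' "$pem" | grep -q 'BEGIN CERTIFICATE' && echo cert
    return 0
}

# p12_usable_for_signing FILE PASSWORD
# Returns 0 only when BOTH the private key and a certificate are present,
# which is what xmlsec1 --pkcs12 needs to populate <X509Data>; else 1.
p12_usable_for_signing() {
    found=$(p12_contents "$1" "$2") || return 1
    case "$found" in
        *key*cert*|*cert*key*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_demo_bundles DIR PASSWORD
# Builds a throwaway self-signed key+cert and packs it twice: a complete
# bundle (good.p12) and a certificate-only bundle (certonly.p12), the latter
# being the kind of file that yields an empty <X509Data/> after signing.
make_demo_bundles() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo signer' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/good.p12" -passout "pass:$pw" 2>/dev/null || return 1
    openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
        -out "$dir/certonly.p12" -passout "pass:$pw" 2>/dev/null || return 1
}
```

Run `p12_usable_for_signing keysncerts/usercert.p12 hello; echo $?` against the tutorial's bundle before spending time on xmlsec1 flags: a non-zero result means the input file, not the signing command, is the problem.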