Thanks. Seems like both key and cert are there. Not sure what went wrong...
On 2/23/11 12:43 PM, Nigel Ramsay wrote:
Sure...
Not entirely sure on the exact syntax to use. This is what we got:
openssl pkcs12 -info -in keysncerts/usercert.p12
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7
82 8C
subject=/C=CL/ST=RM/O=littlecryptographer/CN=John
Smith/[email protected] <mailto:[email protected]>
issuer=/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
Camacho/[email protected] <mailto:[email protected]>
-----BEGIN CERTIFICATE-----
MIIC6DCCAlGgAwIBAgICAR4wDQYJKoZIhvcNAQEFBQAwgYcxCzAJBgNVBAYTAkNM
MQswCQYDVQQIEwJSTTERMA8GA1UEBxMIU2FudGlhZ28xHDAaBgNVBAoTE2xpdHRs
ZWNyeXB0b2dyYXBoZXIxGTAXBgNVBAMTEFBoaWxpcHBlIENhbWFjaG8xHzAdBgkq
hkiG9w0BCQEWEGxvc3RpbG9zQGZyZWUuZnIwHhcNMDgwMTE5MTI1MjM3WhcNMDkw
MTE4MTI1MjM3WjBuMQswCQYDVQQGEwJDTDELMAkGA1UECBMCUk0xHDAaBgNVBAoT
E2xpdHRsZWNyeXB0b2dyYXBoZXIxEzARBgNVBAMTCkpvaG4gU21pdGgxHzAdBgkq
hkiG9w0BCQEWEGpzbWl0aEBoZWxsby5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALwShIDVij20XFC8V3Bs8Xn6b3uRa8rnPgkMCc92LoxNc/IzCriw9gu9
NGps/bwanWgZbK5va46Y27axFhHo2uNk9ZE2lj0UQegFdBGlEIOt9hlpHFSqTnmX
AKraSHd2yxhVe+JqGIrtyTQluWVNPOCKXd8zubFgWqlUMXMrn8JzAgMBAAGjezB5
MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBQ08GE4h2jHJZOGkDUyQE9EEPMqlDAfBgNVHSME
GDAWgBT+y1YLKOsq6cec6uU61UxVhNvUajANBgkqhkiG9w0BAQUFAAOBgQAVZMDa
KVhvX2qOMlcjX7i6DESF7SDyEbjfPk+bYIDm+al45lmzixkFeYUUQcFJMG0s152A
kFd/fTVMfz/j37OQYxUYwwZQlMW3dVnC+CvjtMlSrReeHThhQFQpO16i21aDitON
1TFsvO8T+21YGB4kne44vry6O4JJPy8EZBsfbw==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 19 9E C5 B9 09 E2 E3 64 01 72 96 DA 1A F2 EC 8D F0 F7
82 8C
Key Attributes: <No Attributes>
It then prompts for a password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
I entered "password" and got this...
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,058FCED319755EBF
rlRk7UJFjOmpFIQsb0D4g7nHKuKy5spYUWfOEjM9wBNR97/4lW7nNmNsEGWpg8ZB
PbPY5WDxF2XOO9FLnBWD7SZvBOD7aaKiPX0bfiwutvVotlyvYDgkBJJT1H8wwQbd
7/yM3pqowc22JpLBiCO2Bs7wHz+xHGZvLW7H6J1VZYvqqFdGoN6jbcyLadZ3U+rn
HeqsKRpSTqPT7wPr7SQA0SjcV+QW1TtKgozoYdBqXh3YHGzGwpYA1pGZogZZSSE8
6rOPpV0k/3jJE19FI2A39kDZLlDnOfcPu44Qi7e7J+xmN7h+waceXcIqhZY/QDVq
slfX41/7BjQfxQPeXIJ6gNt3GbP0mJF42Rra6yy2oN3xx7zIBRALmplZIWvI2HTJ
m6Lb6o1/Ag2C8vGKgxM1dL2EUXFeZVEl/clPWZHJ49arPgAt7UpgAFM1GFdANNkB
O9O87LPJxE+W7hR7otpkr0UVHUOeOBaFd70POTtPf4efdXcAt5+QCRj7EoyRRbIk
xueW3WUXibAYiDcAyoLRlPj+OaopbdAy99efCM4o0oIHEI9tWN7UGdCVV/8+LZIs
CEkflcUtSQIe0q8eC+RhfDvjL9MM32znz2vSvqa3s9jhXfedDzAKESv808NQy+mW
LkSumr81qs5pSeT7MU9iqYylyBrRT1rCVHq7ahaJ8Xg5AiwP06bkLuz7GJ6zmcvl
Qw7PByfHfOE3dpyb2KBg9WwMycud+y+gNKFBQVVCqlEMuU4zguXkpReHWld9F1VX
/3W3Ts/bBOWJ+c1O0/RGVgb8etWlgz0fme+urXq7zZPjXWVJehrAwA==
-----END RSA PRIVATE KEY-----
On Thu, Feb 24, 2011 at 8:57 AM, Aleksey Sanin <[email protected]
<mailto:[email protected]>> wrote:
Thanks for update. If you have a second, could you please try to
run openssl pkcs12 command on Mac
to see the content of the usercert.p12 file?
Aleksey
On 2/23/11 11:54 AM, Nigel Ramsay wrote:
Hi Aleksey
As I suggested, I tried it on Ubuntu - and it just worked.
It must have been a "mac thing".
I've now gone a repeated the exact same steps on both Ubuntu 10.4
and OSX 10.6 with differing results - the Ubuntu version produced
the required output, while the Mac version did not.
For those who are interested, these are the simple steps I followed:
*Mac*
port install xmlsec
wget
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
<http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip>
unzip keysncerts.zip
wget
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
<http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml>
xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem
keysncerts/cacert.pem --pwd hello doc-x509.xml
*Ubuntu*
apt-get install xmlsec1
wget
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/keysncerts.zip
<http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/keysncerts.zip>
unzip keysncerts.zip
wget
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/doc-x509.xml
<http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/doc-x509.xml>
xmlsec1 --sign --pkcs12 keysncerts/usercert.p12 --trusted-pem
keysncerts/cacert.pem --pwd hello doc-x509.xml
So anyway - thanks Aleksey for a very handy tool. There's nothing
else out there like it. Certainly nothing in "Ruby land" where we
do most of our work.
Cheers
Nigel
On Thu, Feb 24, 2011 at 8:33 AM, Aleksey Sanin
<[email protected] <mailto:[email protected]>> wrote:
Make sure that you actually have *both* private key and
certificate in the usercert.p12
Aleksey
On 2/23/11 11:24 AM, Nigel Ramsay wrote:
Hi
We are trying to sign an XMl document with an X509
certificate, but any having problems getting the X509Data
node populated.
We are following Philippe Camacho's tutorial here:
http://www.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7
<http://www.dcc.uchile.cl/%7Epcamacho/tutorial/web/xmlsec/xmlsec.html#htoc7>
The command that we use is copied from the tutorial, and we
are using the keysncerts.zip file that contains the
appropriate keys and certificates.
The command (using v 1.2.16 on Mac OSX 10.6) is:
xmlsec1 --sign --pkcs12 usercert.p12 --trusted-pem
cacert.pem --pwd hello doc-x509.xml
The contents of the doc-x509.xml is (the document we are
trying to sign):
<References>
<Book>
<Author>
<FirstName>Bruce</FirstName>
<LastName>Schneier</LastName>
</Author>
<Title>Applied Cryptography</Title>
</Book>
<Web>
<Title>XMLSec</Title>
<Url>http://www.aleksey.com/xmlsec/</Url>
</Web>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>
<SignedInfo>
<CanonicalizationMethod Algorithm=
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm=
"http://www.w3.org/2000/09/xmldsig#enveloped-signature"; />
</Transforms>
<DigestMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue />
<KeyInfo>
<X509Data >
<X509SubjectName/>
<X509IssuerSerial/>
<X509Certificate/>
</X509Data>
<KeyValue />
</KeyInfo>
</Signature>
</References>
We get this output from running the command:
<?xml version="1.0"?>
<References>
<Book>
<Author>
<FirstName>Bruce</FirstName>
<LastName>Schneier</LastName>
</Author>
<Title>Applied Cryptography</Title>
</Book>
<Web>
<Title>XMLSec</Title>
<Url>http://www.aleksey.com/xmlsec/</Url>
</Web>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>V0ilDen0qBzCslw7EkJfhWO13/I=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>jWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEVqYxUZGT6YWtWLS
lbCQNxOFChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2
twHNsyLPpW9FTeQ7Z3ftaXShKcyPeh6zOvMwDRKLxdQ=</SignatureValue>
<KeyInfo>
<X509Data>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>
vBKEgNWKPbRcULxXcGzxefpve5Fryuc+CQwJz3YujE1z8jMKuLD2C700amz9vBqd
aBlsrm9rjpjbtrEWEeja42T1kTaWPRRB6AV0EaUQg632GWkcVKpOeZcAqtpId3bL
GFV74moYiu3JNCW5ZU084Ipd3zO5sWBaqVQxcyufwnM=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</References>
As you can see, the X509Data node is blank.
We have tried including the --print-xml-debug option, and
this shows a number of fields, including:
<X509Data>
<KeyCertificate>
<SubjectName>/C=CL/ST=RM/O=littlecryptographer/CN=John
Smith/[email protected]
<mailto:[email protected]></SubjectName>
<IssuerName>/C=CL/ST=RM/L=Santiago/O=littlecryptographer/CN=Philippe
Camacho/[email protected]
<mailto:[email protected]></IssuerName>
<SerialNumber>11E</SerialNumber>
</KeyCertificate>
</X509Data>
We have also tried these commands with our own generated
keys, and different XML files too. We get the same result
each time.
I have searched this mailing list, and note that Braja
Biswal had a similar problem:
http://www.aleksey.com/pipermail/xmlsec/2009/008672.html
We would really appreciate any help, as we seem to be out of
ideas. Our last idea is to try the same approach using
Ubuntu - perhaps this is "a Mac thing". We used MacPorts to
install Xmlsec.
Thanks
Nigel
--
Nigel Ramsay
Principal Consultant
Able Technology
04 910 3100
021 323 990
http://www.abletech.co.nz
http://nigel.ramsay.org.nz
_______________________________________________
xmlsec mailing list
[email protected] <mailto:[email protected]>
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Nigel Ramsay
Principal Consultant
Able Technology
04 910 3100
021 323 990
http://www.abletech.co.nz
http://nigel.ramsay.org.nz
--
Nigel Ramsay
Principal Consultant
Able Technology
04 910 3100
021 323 990
http://www.abletech.co.nz
http://nigel.ramsay.org.nz
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
