After the verification, the signature context contains all the information
about the process, including a pointer to the key (signKey), which in
turn has all the data about the key, including the key's cert (dataList).

Aleksey


On 5/18/11 4:15 PM, Benjamin Dauvergne wrote:
I have a question about a use case where I do not see how to use
libxmlsec:
  - shibboleth (an implementation of SAML2) is using a metadata file to
    declare trusted cryptographic keys between services; a KeyInfo can be
    used to designate the subject name of the certificate which should be
    used to sign some XML content, each message is thus accompanied by
    a KeyInfo with the full certificate included,
  - at signature validation time, two operations must be made:
     - check that the signature is made with a certificate which belongs
       to a trusted CA; I already know how to do this by stuffing such a
       CA in an xmlSecKeysMngr which is passed to xmlSecDSigCtx
     - check that the certificate has the required subject name,

I'm looking into implementing this use case with libxmlsec especially
the last operation.

In this regard I would like to know how to make a kind of xmlSecKey that
I can pass to the xmlSecDSigCtx structure so that it only checks the
name of the certificate but does not force a certain key, and lets the key
store do its job of validating the certificate.

Currently my impression is that I can only do this by hand, or by
stuffing the certificate included in a signature into an xmlSecKeysMngr
and then rereading the metadata file so that the
X509Data/X509SubjectName can be resolved, which in my own view is
a complete reversal of the logical workflow to use, in which resolution
of the subject name would be done in the signature validation code (i.e.
inside xmlSecDSigCtxVerify).
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec