On Sun, Nov 25, 2012 at 09:36:31AM -0800, Aleksey Sanin wrote:
> Simplest way would probably be to extract the public key from
> the certificate using openssl command line tools and then load
> it from a PEM file into xmlsec.

So I did openssl x509 with "-noout -pubkey" and stored in a file. I
loaded that key with xmlSecCryptoAppKeyLoad(), generated the
fingerprint for the cert file and set that with xmlSecKeySetName().

However the xmlSecDSigCtxVerify() call now gives me:

func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

And I'm not sure if I'm doing the correct thing or that it really
failed to verify.

If I understand the message correctly, the DigestValue was probably
correct, it's just that the signature didn't verify?

From what I understand I should be able to verify this with:

    openssl dgst -sha256 -verify pubkey.pem -signature sigfile datafile

I already created the pubkey.pem file as before. I took the
SignatureValue and ran "base64 -d" on that and stored it in the
sigfile. I created what I think is the canonical version of the xml
file, and when I run dgst I got: "Verification Failure".

Is that the right way to check it using openssl?

I'm starting to get convinced that the file I'm getting isn't
properly signed, or not with the key they claim it's signed with.


Kurt
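
Added example, not part of the original message and not xmlsec's own code: in XML-DSig the SignatureValue is computed over the canonicalized SignedInfo element, while DigestValue covers the referenced data, so the datafile passed to "openssl dgst -verify" has to hold exactly the canonical SignedInfo bytes. The key, payload, document and file names below are constructed for the demonstration, and the canonical forms are written by hand rather than produced by a C14N tool.

```shell
#!/bin/sh
# Added example; key, payload and XML are constructed for this demo.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null
openssl pkey -in "$work/key.pem" -pubout -out "$work/pubkey.pem"

ns='http://www.w3.org/2000/09/xmldsig#'
payload='<doc Id="d1">hello</doc>'

# Layer 1: DigestValue is the SHA-256 of the canonical referenced data.
digest=$(printf '%s' "$payload" | openssl dgst -sha256 -binary | base64)

# Layer 2: SignatureValue covers only the canonical <SignedInfo>: no XML
# declaration, empty elements expanded to start/end pairs, the xmlns that is
# inherited from <Signature> written on <SignedInfo>, no trailing newline.
si_body='<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>'
si_body=$si_body'<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>'
si_body=$si_body'<Reference URI="#d1"><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>'
si_body=$si_body"<DigestValue>$digest</DigestValue></Reference>"
printf '%s' "<SignedInfo xmlns=\"$ns\">$si_body</SignedInfo>" > "$work/signedinfo.c14n"
# The same element cut verbatim from the document (xmlns lives on <Signature>).
printf '%s' "<SignedInfo>$si_body</SignedInfo>" > "$work/signedinfo.raw"

# Sign the canonical SignedInfo and assemble the constructed signed document.
sig=$(openssl dgst -sha256 -sign "$work/key.pem" "$work/signedinfo.c14n" | base64 | tr -d '\n')
printf '%s\n' "<root>$payload<Signature xmlns=\"$ns\"><SignedInfo>$si_body</SignedInfo><SignatureValue>$sig</SignatureValue></Signature></root>" > "$work/doc.xml"

# Verifier side: pull SignatureValue out of the document and decode it.
sed -n 's:.*<SignatureValue>\(.*\)</SignatureValue>.*:\1:p' "$work/doc.xml" \
    | base64 -d > "$work/sigfile"

# The command from the post; exit status 0 only when $1 holds the signed bytes.
verify_over() {
    openssl dgst -sha256 -verify "$work/pubkey.pem" \
        -signature "$work/sigfile" "$1" >/dev/null 2>&1
}

for f in signedinfo.c14n signedinfo.raw doc.xml; do
    if verify_over "$work/$f"; then echo "$f: Verified OK"
    else echo "$f: Verification Failure"; fi
done
```

Only signedinfo.c14n verifies; the verbatim SignedInfo cut and the whole document both fail even though the key and signature are correct.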
