Thanks Aleksey for the quick response. I will try it. I have another question: how to disable certificate validation in xmlsec?
On 5/22/13 12:10 PM, "Aleksey Sanin" <[email protected]> wrote:

>If you know the public key in advance then you can set it in xmlDsigCtx
>
>Aleksey
>
>On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>> Hi All,
>>
>> We are using XMLSec to handle XML signature and encryption in SAML 1.0
>> and 2.0 protocols. We pre-configure the configuration data, such as the
>> IDP certificate, using metadata. So even if the response includes
>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>> certificate to verify it, and we assume the SP totally trusts this
>> certificate. So we also won't use a CA certificate to verify the
>> pre-configured certificate's legitimacy.
>>
>> I dug into the code and found:
>>
>>     /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>     /* todo: throw an error if key is set and node != NULL? */
>>     if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>        && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>         dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>                                 &(dsigCtx->keyInfoReadCtx));
>>     }
>>
>> Does it mean I need to set dsigCtx->signKey? And what's the meaning of
>> dsigCtx->signKey? Is it the private key from the IDP? (We can never get
>> the private key from the IDP.) How can I meet this requirement with xmlsec?
>>
>>
>> Thanks,
>>
>> Jeffrey
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
