If you set the key in xmldsigctx then it will never get there anyway. Otherwise, check enabledKeyData in xmlSecKeyInfoCtx (there are examples in the xmlsec1 command line tool source code)

Aleksey

On 5/21/13 9:14 PM, Jeffrey Jin (jefjin) wrote:
> Thanks Aleksey for the quick response. I will try it.
> I have another question: how to disable certificate validation in xmlsec?
>
> On 5/22/13 12:10 PM, "Aleksey Sanin" <[email protected]> wrote:
>
>> If you know the public key in advance then you can set it in xmlDsigCtx
>>
>> Aleksey
>>
>> On 5/21/13 9:02 PM, Jeffrey Jin (jefjin) wrote:
>>> Hi All,
>>>
>>> We are using XMLSec to handle XML signature and encryption in SAML 1.0
>>> and 2.0 protocols. We have pre-configured the configuration data, such as
>>> the IDP certificate, using metadata. So even if the response includes
>>> "KeyInfo/X509Data", we will ignore it and use the local pre-configured
>>> certificate to verify it, and we assume the SP totally trusts this
>>> certificate. So we also won't use a CA certificate to verify the
>>> pre-configured certificate's legitimacy.
>>>
>>> I dug into the code and found:
>>>
>>> /* ignore <dsig:KeyInfo /> if there is the key is already set */
>>> /* todo: throw an error if key is set and node != NULL? */
>>> if((dsigCtx->signKey == NULL) && (dsigCtx->keyInfoReadCtx.keysMngr != NULL)
>>>     && (dsigCtx->keyInfoReadCtx.keysMngr->getKey != NULL)) {
>>>     dsigCtx->signKey = (dsigCtx->keyInfoReadCtx.keysMngr->getKey)(node,
>>>                            &(dsigCtx->keyInfoReadCtx));
>>> }
>>>
>>> Does it mean I need to set dsigCtx->signKey? And what is the meaning of
>>> dsigCtx->signKey? Is it the private key from the IDP? (We can never get the
>>> private key from the IDP.) How can I meet this requirement with xmlsec?
>>>
>>>
>>> Thanks,
>>>
>>> Jeffrey
>>>
>>>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
